CVE-2023-51803

LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "" substring.

CVE-2022-47968

Heimdall Application Dashboard through 2.5.4 allows reflected and stored XSS via "Application name" to the "Add application" page. The stored XSS will be triggered in the "Application list" page.