Loading market data...
← Back to CVE feed

CVE-2026-25558

MEDIUM CVSS 4.8 View on NVD ↗

Description

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Published: Jun 08, 2026 15:16 UTC Modified: Jun 08, 2026 15:16 UTC