QloApps 1.7.0 Stored XSS via SVG File Upload in Admin...

4.8 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.

Basic Information

ID CVE-2026-25558

Source VulnCheck

Published Jun 8, 2026 at 14:01

Affected Product

Vendor QloApps

Product QloApps

Affected Versions QloApps QloApps 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.",
    "published": "2026-06-08T14:01:25.022Z",
    "modified": "2026-06-08T14:01:25.022Z",
    "type": "cve",
    "title": "QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager",
    "source": "VulnCheck",
    "references": "https://github.com/Qloapps/QloApps/issues/1728\nhttps://www.vulncheck.com/advisories/qloapps-stored-xss-via-svg-file-upload-in-admin-file-manager",
    "id": "CVE-2026-25558",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "QloApps QloApps 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "QloApps",
    "version": "0",
    "vendor": "QloApps",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager_CVE-2026-25558