← back
CVE-2026-25558

QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager

CVSS 4.8 MEDIUMEPSS 0.2%CWE-79
QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
QloApps · QloApps
public PoCs found1
cve_referencegithub.com/Qloapps/QloApps/issues/1728unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Qloapps/QloApps/issues/1728https://www.vulncheck.com/advisories/qloapps-stored-xss-via-svg-file-upload-in-admin-file-manager