← volver
CVE-2026-25558

QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager

CVSS 4.8 MEDIUMEPSS 0.2%CWE-79
QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Productos afectados
QloApps · QloApps
PoCs públicas encontradas1
cve_referencegithub.com/Qloapps/QloApps/issues/1728no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/Qloapps/QloApps/issues/1728https://www.vulncheck.com/advisories/qloapps-stored-xss-via-svg-file-upload-in-admin-file-manager