CVE-2026-25558

QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager

CVSS 4.8 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

08 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected products

QloApps · QloApps

public PoCs found — 1

cve_referencegithub.com/Qloapps/QloApps/issues/1728unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Qloapps/QloApps/issues/1728 https://www.vulncheck.com/advisories/qloapps-stored-xss-via-svg-file-upload-in-admin-file-manager