
QloApps CVE-2026-25558

EUVD-2026-35071 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-08 · VulnCheck · GHSA-xcx6-j7v3-9h57
4.8 · CVSS 4.0 · NVD

Severity by source

NVD (primary): 4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: High (PR:H)
User Interaction: Passive (UI:P)
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Jun 08, 2026 - 14:51 (vuln.today)

Description (CVE.org)

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.

Analysis (AI)

Stored cross-site scripting in QloApps through 1.7.0 enables authenticated administrators to inject persistent JavaScript into the application by uploading SVG files containing malicious event handlers (e.g., onload) via the admin file manager. Any user who subsequently views the uploaded file triggers the embedded script in their browser, crossing a security boundary (S:C) from the admin upload context into arbitrary victim sessions. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain or compromise admin credentials
Delivery: Authenticate to QloApps admin panel
Exploit: Upload SVG file with embedded JavaScript event handler via file manager
Execution: Victim user browses or previews the uploaded file
Persist: Malicious script executes in victim's browser context
Impact: Session token or sensitive data exfiltrated to attacker

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated QloApps administrator account with access to the admin file manager - the CVSS PR:H rating confirms that high privileges are mandatory, meaning unauthenticated or low-privileged users cannot trigger the upload. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.8 Medium score is shaped by two key mitigating factors: PR:H (high privileges - an admin account is required to upload) and UI:R (a victim must view the file). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a compromised or rogue QloApps administrator account logs into the admin panel and uploads a crafted SVG file - for example, one containing an img element with an onload handler that exfiltrates document.cookie to an attacker-controlled server. The file is stored by the application without sanitization. …

Remediation: No vendor-released patch with a confirmed fix version has been identified at the time of analysis - patch status should be actively monitored via the upstream GitHub issue at https://github.com/Qloapps/QloApps/issues/1728 and the VulnCheck advisory. … Detailed patch versions, workarounds, and compensating controls in full report.
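The description and the remediation note above both come down to the same root cause: SVG files carrying active content (script elements, on* event handlers, javascript: URLs) are accepted by the file manager and later rendered in a viewer's browser. While no fix version is confirmed, a compensating control a defender can deploy is to scan SVG uploads for that active content and reject them, and to scan the existing upload directory for files that already slipped through. The following is an added example written for this page; it is not QloApps or vuln.today code and assumes nothing about QloApps internals. The function names (`scan_svg`, `scan_directory`), the element and attribute lists, and the two sample SVGs are constructed for the example.

```python
"""Detect active content in SVG files before they are stored or served.

Added example for defenders; not QloApps code. Takes raw SVG bytes and
returns the findings, so it can sit in front of any upload handler or be
run over an existing upload directory. Uses the stdlib XML parser for
portability; in production parse with defusedxml to also block entity
expansion attacks (assumption: that library is available there).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes whose value is a URL the browser will follow or load.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# URL schemes that execute or smuggle script when followed.
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


@dataclass
class ScanResult:
    findings: List[str] = field(default_factory=list)
    parse_error: Optional[str] = None

    @property
    def is_clean(self) -> bool:
        # A file that does not parse is also not accepted: it might render
        # differently in a lenient browser than in the strict parser here.
        return not self.findings and self.parse_error is None


def _split(tag: str) -> Tuple[str, str]:
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def scan_svg(data: bytes) -> ScanResult:
    """Return every piece of active content found in an SVG document."""
    result = ScanResult()
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        result.parse_error = str(exc)
        return result
    for elem in root.iter():
        ns, name = _split(elem.tag)
        # Anything outside the SVG namespace (e.g. XHTML) is a red flag;
        # un-namespaced SVG is tolerated because many tools emit it.
        if ns not in (SVG_NS, ""):
            result.findings.append(f"non-SVG element <{name}> in namespace {ns}")
        if name in ACTIVE_ELEMENTS:
            result.findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            _, local = _split(attr)
            if local.lower().startswith("on"):
                result.findings.append(f"event handler {local} on <{name}>")
            elif attr in HREF_ATTRS and SCRIPT_URL.match(value):
                result.findings.append(f"script URL in {local} on <{name}>")
    return result


def scan_directory(root: Path) -> Dict[str, ScanResult]:
    """Scan every *.svg under root; returns only the files that are not clean."""
    flagged: Dict[str, ScanResult] = {}
    for path in root.rglob("*.svg"):
        res = scan_svg(path.read_bytes())
        if not res.is_clean:
            flagged[str(path)] = res
    return flagged


# Constructed samples: a benign icon and a file carrying every pattern above.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="3" fill="green"/>
</svg>"""

ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="5" cy="5" r="3" onload="void(0)"/>
  <a xlink:href="javascript:void(0)"><text>link</text></a>
  <script>/* body omitted */</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        res = scan_svg(sample)
        print(f"{label}: {'accept' if res.is_clean else 'reject'} {res.findings}")
```

Rejecting on any finding is deliberate: stripping handlers from an arbitrary SVG and keeping the rest is error-prone, and an upload path for admin-managed images rarely needs scripted SVG at all. For files already on disk, run `scan_directory` over the upload root and quarantine what it flags. Independently of scanning, serving the upload directory with `Content-Disposition: attachment` (or a restrictive `Content-Security-Policy` on that path) keeps a browser from executing script in an SVG opened directly, while SVGs embedded through `<img>` never run script in the first place.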



