CVE-2025-14202
HIGHLinkding 1.44.1 SVG Asset Rendering - Admin Account Takeover
Title source: manualDescription
A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin’s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover.
References (1)
Core 1
Core References
Various Sources
https://www.cve.org/cverecord?id=CVE-2025-14202
Scores
CVSS v4
8.2
EPSS
0.0026
EPSS Percentile
16.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
Linkding/LinkDing
1.44.1
Published
Dec 18, 2025
Tracked Since
Feb 18, 2026