CVE-2025-41087
MEDIUMTaclia's web application - Stored Cross-Site Scripting via SVG Image Upload
Title source: llmDescription
Cross-Site Scripting (XSS) vulnerability stored in tha Taclia web application, where the uploaded SVG images are not properly sanitized. This allows to the attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of any user who accesses the compromised resource.
References (1)
Core 1
Core References
Scores
CVSS v4
5.1
EPSS
0.0025
EPSS Percentile
16.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
Taclia/Taclia's web application
All versions
Published
Nov 24, 2025
Tracked Since
Feb 18, 2026