CVE-2025-56515

HIGH

Suisuijiang Fiora - XSS

Title source: rule

Description

A file upload vulnerability in the Fiora chat application 1.0.0 via the user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions and cookies and to perform unauthorized actions in the context of users viewing affected profiles.

Exploits (1)

nomisec WRITEUP
by Kov404 · poc
https://github.com/Kov404/CVE-2025-56515

Scores

CVSS v3 8.8
EPSS 0.0003
EPSS Percentile 9.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-434 CWE-79
Status published
Products (2)
npm/fiora npm
suisuijiang/fiora 1.0.0
Published Oct 01, 2025
Tracked Since Feb 18, 2026