Description
eLabFTW is an open source electronic lab notebook for research labs. The application served uploaded SVG files inline. Because SVG supports active content, an attacker could upload a crafted SVG that executes script when viewed, resulting in stored XSS under the application origin. A victim who opens the SVG URL or any page embedding it could have their session hijacked, data exfiltrated, or actions performed on their behalf. This vulnerability is fixed n 5.3.0.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/elabftw/elabftw/security/advisories/GHSA-rq98-8jh9-684f
Scores
CVSS v3
6.8
EPSS
0.0003
EPSS Percentile
7.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
elabftw/elabftw
< 5.3.0
Published
Oct 27, 2025
Tracked Since
Feb 18, 2026