CVE-2025-70297

MEDIUM

Mealie 3.3.1-3.5.9 - Authenticated Stored Cross-Site Scripting via SVG File Upload

Title source: llm

Description

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser.

References (2)

Core 2

Core References

Various Sources

https://github.com/chrisWalker11/Cves/blob/main/CVE-2025-70297/CVE-2025-70297.md

View Writeup ZIP pw:eip

Issue Tracking

https://github.com/mealie-recipes/mealie/issues/6319

Scores

CVSS v3 6.1

EPSS 0.0018

EPSS Percentile 7.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

mealie/mealie 3.3.1 - 3.6.0

Published Feb 11, 2026

Tracked Since Feb 18, 2026