CVE-2026-25558
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
QloApps through version 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files.
Risk Assessment
Attackers can embed JavaScript event handlers in uploaded SVG files, leading to the execution of arbitrary scripts in the browsers of users who subsequently view the files.
Recommendation
It is recommended to update QloApps to the latest version and to restrict the ability of administrators to upload SVG files to minimize the risk of attack.
Original NVD description (English source)
QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.

