CVE-2025-62793 MEDIUM

CVE-2025-62793: eLabFTW HTML / CSS Injection via Malicious SVG Upload Leads to Credential Theft / Clickjacking

Vendor Elabftw
Product elabftw
Weakness CWE-79 · XSS
Published October 27, 2025
Last update October 28, 2025
View on NVD All CVEs

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

eLabFTW is an open source electronic lab notebook for research labs. The application served uploaded SVG files inline. Because SVG supports active content, an attacker could upload a crafted SVG that executes script when viewed, resulting in stored XSS under the application origin. A victim who opens the SVG URL or any page embedding it could have their session hijacked, data exfiltrated, or actions performed on their behalf. This vulnerability is fixed n 5.3.0.

Key dates

02Disclosure timeline

October 27, 2025 CVE published
October 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-62798 Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax CVE-2023-5565 Shortcode Menu <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-13018 PHPGurukul Maid Hiring Management System profile.php cross site scripting CVE-2024-0658 Insert PHP Code Snippet <= 1.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2023-22933 Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise