CVE-2026-25558 MEDIUM

CVE-2026-25558: QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager

Vendor Qloapps

Product QloApps

Weakness CWE-79 · XSS

Published June 8, 2026

Last update June 9, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.

Key dates

02Disclosure timeline

June 8, 2026 CVE published

June 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25558 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-25558: QloApps 1.7.0 Stored XSS via SVG File Upload in Admin File Manager

01Description

02Disclosure timeline

03References

04Related CVE