Key vulnerability information

Vulnerability title
Stored Cross-Site Scripting (XSS) possible with svg files rendered inline

Severity
Severity: Moderate (6.1/10)

Affected and patched versions
Affected versions: <9.13.9
Patched versions: 9.13.9

Description
Description: Uploaded SVG files could contain scripts, and if rendered inline, those scripts could run, allowing XSS attacks.

CVSS v4 base metrics
Exploitability Metrics
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Low
- User Interaction: Passive
Vulnerable System Impact Metrics
- Confidentiality: None
- Integrity: None
- Availability: None
Subsequent System Impact Metrics
- Confidentiality: High
- Integrity: None
- Availability: None

CVE ID and weaknesses
CVE ID: CVE-2025-48378
Weaknesses: CWE-79

Credits
- bdukes: Remediation developer
- david-pointdexter: Remediation reviewer
- valadas: Remediation reviewer
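
A screening check for the behaviour in the Description, as an added example that is not the project's patch or code from the advisory: it flags uploaded SVGs that carry script elements, event-handler attributes or script URLs before they are rendered inline. The function names and the sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run or embed active content when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # local names, so xlink:href is covered too
BAD_SCHEME = re.compile(r"(javascript:|vbscript:|data:text/html)", re.I)

def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(data: bytes) -> list[str]:
    """Return reasons not to render this upload inline (empty list: none found)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8"]  # fail closed on other encodings
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["DOCTYPE/ENTITY declaration"]  # refuse before parsing entities
    try:
        root = ET.fromstring(text)
    except (ET.ParseError, ValueError):
        return ["not well-formed XML"]  # fail closed
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            compact = re.sub(r"[\x00-\x20]", "", value)  # browsers ignore these in a scheme
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and BAD_SCHEME.match(compact):
                findings.append(f"script URL in {attr} on <{tag}>")
    return findings

NS = b'xmlns="http://www.w3.org/2000/svg"'
# Constructed sample uploads, not taken from the advisory.
SAMPLES = {
    "clean.svg": b"<svg " + NS + b'><circle r="4"/></svg>',
    "script.svg": b"<svg " + NS + b"><script>void 0</script></svg>",
    "onload.svg": b"<svg " + NS + b' onload="void 0"/>',
    "href.svg": b"<svg " + NS + b'><a href=" javascript:void 0"><text>x</text></a></svg>',
}
if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, svg_active_content(body) or "no active content found")
```

A blocklist like this is a screening aid: serving uploads with `Content-Disposition: attachment` or under a restrictive Content-Security-Policy keeps a case it misses from executing.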