CVE: CVE-2023-0810
Vulnerability Type: CWE-79: Cross-site Scripting (XSS) - Stored
Severity: High (8.8)
Affected Version: latest
Visibility: Public
Status: Fixed
Impact: Execute JavaScript code in the victim's browser

Description

An attacker can upload an arbitrary file with a content type starting with .

Proof of Concept

Discussion Highlights

The vulnerability was reported and validated by the maintainer. The issuer was awarded a disclosure bounty. The fix was implemented in version 1.7.6 with Content Security Policy (CSP). Strict CSP will be applied for files uploaded in LocalStorage. The maintainer agreed to assign a CVE to the bug.
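
The fix described above serves uploaded files under a strict CSP. The following is an added example of that mitigation, not the project's own code: the policy string, the inline allowlist, and the names normalizeType and headersForUpload are assumptions, and the sample content types are constructed (the advisory does not state the affected prefix). It goes beyond the CSP alone by also neutralizing the attacker-supplied content type.

```javascript
// Added example: response headers for serving a user-uploaded file.
// Assumed policy: no script, no subresources, sandboxed browsing context.
const STRICT_CSP = "default-src 'none'; sandbox; frame-ancestors 'none'";

// Assumed allowlist of types that may render inline; everything else downloads.
const INLINE_SAFE = new Set(["image/png", "image/jpeg", "image/gif", "text/plain"]);

// Reduce a stored Content-Type value to a lowercase "type/subtype", or null
// if it is malformed (including values carrying CR/LF or other header syntax).
function normalizeType(raw) {
  if (typeof raw !== "string") return null;
  const essence = raw.split(";")[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(essence) ? essence : null;
}

// Build the headers for one uploaded file. The uploader controls both
// storedType and fileName, so neither is echoed back unchecked.
function headersForUpload(storedType, fileName) {
  const type = normalizeType(storedType);
  const inline = type !== null && INLINE_SAFE.has(type);
  // Replace anything that could break out of the quoted filename parameter.
  const safeName = String(fileName).replace(/[^\w.-]/g, "_");
  return {
    "Content-Type": inline ? type : "application/octet-stream",
    "Content-Disposition": `${inline ? "inline" : "attachment"}; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff", // stop the browser re-guessing the type
    "Content-Security-Policy": STRICT_CSP, // applied even to allowlisted types
  };
}

// Constructed sample uploads: [stored content type, file name].
const samples = [
  ["text/html; charset=utf-8", "note.html"],
  ["IMAGE/PNG", "logo.png"],
  ["image/svg+xml", "pic.svg"],
  ["text/html\r\nX-Injected: 1", 'a b".txt'],
];
for (const [type, name] of samples) {
  console.log(JSON.stringify(type), headersForUpload(type, name));
}
```

Only the allowlisted image and plain-text types are rendered inline; script-capable types such as HTML or SVG are downgraded to a download, and the CSP remains as a second layer if a type is ever added to the allowlist by mistake.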