PatchSiren cyber security CVE debrief
CVE-2026-25558 QloApps CVE debrief
CVE-2026-25558 is a stored cross-site scripting vulnerability in QloApps through 1.7.0. The vulnerability is located in the admin file manager and allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers, such as onload, within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.
- Vendor
- QloApps
- Product
- Unknown
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-09
Who should care
Administrators and users of QloApps through version 1.7.0 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 4.8 and a severity of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Update QloApps to a version that fixes this vulnerability.
- Restrict file uploads to only allow trusted file types.
- Implement additional security measures, such as input validation and output encoding.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4] and [ref-5].
Official resources
CVE-2026-25558 was published on [cvePublishedAt] and modified on [cveModifiedAt].