PatchSiren

QloApps CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM severity QloApps CVE, published 2026-06-08

CVE-2026-25558

CVE-2026-25558 is a stored cross-site scripting vulnerability in QloApps through 1.7.0. The vulnerability is located in the admin file manager and allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers, such as onload, within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of a [truncated]