CVE-2026-25558: QloApps Stored XSS in Admin File Manager via SVG Upload
QloApps versions up to 1.7.0 contain a stored cross-site scripting (XSS) vulnerability in the admin file manager. An authenticated administrator can upload a specially crafted SVG file containing malicious JavaScript code. When any user subsequently views or accesses that file, the embedded script executes in their browser, potentially compromising their session or stealing sensitive information. The vulnerability requires administrator-level access to exploit but poses a persistent risk once injected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-14
NVD description (verbatim)
QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a stored XSS flaw (CWE-79) located in QloApps' administrative file manager component. The application fails to properly sanitize SVG file uploads, allowing attackers to embed JavaScript event handlers (such as onload, onerror) within SVG XML structures. Because SVGs are XML-based vector graphics, browsers interpret embedded scripts as legitimate content. The flaw is stored, meaning the malicious payload persists in the file system and executes every time an authenticated user accesses the compromised file through the admin interface. The attack requires prior admin credentials but does not require user interaction beyond normal file viewing.
Business impact
This vulnerability creates an insider threat vector where a malicious or compromised administrator account can persistently inject malicious code affecting other administrative users. In environments where admin accounts are shared or where admins manage sensitive operations (content updates, user management, reporting), this could lead to credential theft, session hijacking, or unauthorized administrative actions performed on behalf of legitimate users. The persistent nature means the attack surface extends to all subsequent interactions with the uploaded file, multiplying exposure over time.
Affected systems
QloApps through version 1.7.0 is affected. Organizations running this version or earlier should assess their exposure. Later versions may contain fixes; verification against vendor advisories is essential to confirm remediation in newer releases.
Exploitability
Exploitation requires authenticated administrator-level privileges, which significantly restricts the attack surface. The attacker must have legitimate (or compromised) admin credentials to upload files to the file manager. However, once the malicious file is uploaded, it executes automatically when viewed by any other admin user—no additional social engineering or victim interaction beyond normal system use is required. The CVSS score of 4.8 (MEDIUM) reflects the privileged access requirement balanced against the stored nature of the payload and its cross-site impact.
Remediation
Upgrade QloApps to a patched version beyond 1.7.0 that properly sanitizes SVG uploads and implements content security policy (CSP) headers to mitigate XSS execution. Additionally, audit the file manager for any SVG files uploaded after the vulnerability window opened, and remove or quarantine suspicious uploads. Review admin account activity logs for unauthorized file uploads.
Patch guidance
Consult the QloApps vendor advisories and release notes to identify the first patched version addressing this stored XSS flaw. Apply the patch in a staging environment first to validate compatibility with your deployment. Ensure all admin users are running the patched version before resuming routine file uploads. If a patch is not yet available, implement compensating controls such as disabling SVG uploads in the admin file manager or restricting file manager access to a minimal set of trusted administrators.
Detection guidance
Monitor admin file manager logs for SVG file uploads, particularly those with unusual characteristics (large file size, embedded event handlers visible in static analysis). Review stored SVG files in the application directory for JavaScript event handler attributes. Implement web application firewalls (WAF) rules to detect and block SVG uploads containing script tags or event handler attributes. Log and alert on XSS-like payloads in file upload requests. Review browser console logs and network traffic for unexpected script execution originating from the file manager.
Why prioritize this
Although the CVSS score is MEDIUM (4.8), this vulnerability warrants prompt attention because it is stored (persistent), affects the admin interface (high-value target), and exploits a common file type (SVG) that administrators may not associate with script injection risk. Organizations with shared admin accounts or high-volume file manager usage face elevated risk. The attack leaves minimal forensic traces if executed through normal browsing, making detection difficult post-exploitation.
Risk score, explained
The CVSS 3.1 score of 4.8 reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), and high privilege requirement (PR:H) to upload the malicious file. The impact is limited to confidentiality and integrity (C:L, I:L) with no availability impact (A:N). The scope change (S:C) indicates the vulnerability can affect resources beyond the admin interface. The moderate score balances the significant barrier to exploitation (admin access) against the persistent and cross-user nature of the attack once deployed.
Frequently asked questions
Can this vulnerability be exploited by non-admin users?
No. The vulnerability requires authenticated administrator-level access to upload files through the admin file manager. Non-privileged users cannot exploit it directly, making it an insider threat rather than a public-facing vulnerability.
What happens if I remove the malicious SVG file?
Removing the file will prevent future script execution, but you should verify that no copies or backups of the file remain in the file system or backups. If the file has been accessed by multiple admins, review their sessions for signs of compromise (unauthorized actions, session tokens, etc.).
Does this vulnerability affect non-admin users who visit the public site?
Only if the malicious SVG is rendered in a publicly accessible location. If the uploaded file is confined to the admin file manager and not served to the public, the exposure is limited to administrative users. However, verify your deployment—if admin-uploaded content is syndicated to the front-end, the risk extends to all visitors.
Are there workarounds if I cannot patch immediately?
Yes. Disable SVG uploads in the admin file manager, restrict file manager access to a minimal trusted group, implement strict Content Security Policy (CSP) headers to block inline scripts, and monitor file uploads closely. These controls reduce but do not eliminate risk; patching is the definitive remediation.
This analysis is provided for informational purposes and represents a point-in-time assessment based on publicly available information. SEC.co does not provide warranties regarding the accuracy, completeness, or applicability of this guidance to your specific environment. Security decisions should incorporate your organization's risk tolerance, asset criticality, and operational constraints. Consult official QloApps vendor advisories and your security team before implementing any remediation. All patch version numbers and vendor statements should be verified against authoritative sources before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings