{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/svg/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-40321"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dnn","dotnetnuke","svg","xss","cve-2026-40321","upload"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDNN (formerly DotNetNuke) is an open-source web content management system (CMS) built on the .NET framework. Prior to version 10.2.2, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of SVG files. Attackers can exploit CVE-2026-40321 by uploading a crafted SVG file containing malicious JavaScript. This script can then be executed in the context of other users, including administrators, upon accessing the uploaded SVG. Successful exploitation could lead to session hijacking, account takeover, and potentially arbitrary code execution on the server. Version 10.2.2 addresses this vulnerability by implementing proper sanitization of SVG uploads. The vulnerability affects both authenticated and unauthenticated users, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a DNN instance running a version prior to 10.2.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SVG file containing embedded JavaScript code designed to perform actions such as stealing cookies or redirecting users.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious SVG file to the DNN instance, potentially through a media library or profile picture upload feature.\u003c/li\u003e\n\u003cli\u003eA user (either authenticated or unauthenticated) views the page or element where the malicious SVG is displayed.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the embedded JavaScript code within the SVG file.\u003c/li\u003e\n\u003cli\u003eThe malicious script steals the user\u0026rsquo;s session cookie or redirects them to a phishing page.\u003c/li\u003e\n\u003cli\u003eIf the compromised user has administrative privileges, the attacker uses the stolen cookie to access the DNN administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their administrative access to inject malicious code into the DNN website or install a backdoor for persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-40321) can lead to a range of negative consequences. Attackers can hijack user sessions, potentially gaining unauthorized access to sensitive data and administrative functions. An attacker can deface the website, inject malware, or steal sensitive information. Because DNN is often used in enterprise environments, this could lead to significant data breaches and reputational damage. The number of affected installations is potentially high, given the widespread use of DNN.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DNN installations to version 10.2.2 or later to patch CVE-2026-40321, as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Suspicious SVG Uploads\u0026rdquo; Sigma rule to identify attempts to upload SVG files containing potentially malicious script content.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with the \u0026ldquo;.svg\u0026rdquo; extension and inspect the request body for suspicious JavaScript patterns to proactively detect malicious SVG uploads using the \u0026ldquo;Web Server Suspicious SVG Upload\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures for all file uploads, especially SVG files, to prevent the injection of malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-dnn-svg-upload/","summary":"DNN (formerly DotNetNuke) before 10.2.2 is vulnerable to stored cross-site scripting (XSS) via malicious SVG file uploads, potentially leading to account takeover and arbitrary code execution.","title":"DNN (DotNetNuke) SVG Upload Vulnerability (CVE-2026-40321)","url":"https://feed.craftedsignal.io/briefs/2026-04-dnn-svg-upload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dotnetnuke","xss","svg","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDotNetNuke.Core versions prior to 10.2.2 are vulnerable to stored cross-site scripting (XSS). An attacker can exploit this vulnerability by uploading a malicious SVG file to the DotNetNuke server. This file contains embedded JavaScript that executes when the SVG is processed and displayed by the application. Successful exploitation requires a user to interact with the uploaded SVG file, which then triggers the malicious script execution. This poses a significant risk as the injected scripts can target both authenticated and unauthenticated users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. This vulnerability was published on April 10, 2026, and patched in version 10.2.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SVG file containing embedded JavaScript code designed for XSS exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker, with low privileges, uploads the malicious SVG file to the DotNetNuke server through a file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe server stores the SVG file, making it accessible to other users.\u003c/li\u003e\n\u003cli\u003eA user (either authenticated or unauthenticated) navigates to the location where the SVG file is stored or displayed.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser processes the SVG file, triggering the execution of the embedded JavaScript.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes within the user\u0026rsquo;s browser session, gaining access to cookies, session tokens, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker steals user\u0026rsquo;s cookies and session tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen session tokens to hijack the user\u0026rsquo;s session, perform unauthorized actions, and potentially escalate privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user\u0026rsquo;s session. This can lead to sensitive information disclosure, such as stealing user credentials or session cookies. An attacker can then hijack user sessions, perform unauthorized actions on their behalf, and potentially gain elevated privileges within the DotNetNuke application. Due to the nature of stored XSS, the impact can be widespread, affecting any user who interacts with the malicious SVG file until the vulnerability is patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DotNetNuke.Core to version 10.2.2 or later to patch the XSS vulnerability (reference: Affected versions).\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to sanitize uploaded SVG files and prevent the injection of malicious scripts (reference: Description).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to upload SVG files containing JavaScript code (reference: Sigma rule \u0026ldquo;Detect SVG Upload with Embedded JavaScript\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eConfigure web application firewalls (WAFs) to inspect and block suspicious SVG uploads based on content analysis (reference: Description).\u003c/li\u003e\n\u003cli\u003eEnable logging for file uploads to track potential malicious activity (reference: logsource category \u0026ldquo;file_event\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-dotnetnuke-xss/","summary":"DotNetNuke.Core is vulnerable to stored cross-site scripting (XSS) where a user can upload a specially crafted SVG file containing malicious scripts, potentially targeting both authenticated and unauthenticated DNN users, with successful exploitation requiring user interaction and leading to high impact on confidentiality, integrity, and availability.","title":"DotNetNuke.Core Stored XSS via SVG Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-dotnetnuke-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","siyuan","svg","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan Note, a note-taking application, is susceptible to a reflected XSS vulnerability in its dynamic icon generation functionality. This flaw, present in versions prior to commit f09953afc57a, arises from an insufficient sanitization of SVG content, specifically failing to account for namespace prefixes in SVG elements. The vulnerability resides in the \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e endpoint, which is accessible without authentication.  An attacker can exploit this by crafting a malicious SVG payload containing namespaced \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags (e.g., \u003ccode\u003e\u0026lt;x:script xmlns:x=\u0026quot;http://www.w3.org/2000/svg\u0026quot;\u0026gt;\u003c/code\u003e), which bypasses the application\u0026rsquo;s XSS mitigation measures. Successful exploitation allows arbitrary JavaScript execution within the context of the victim\u0026rsquo;s SiYuan Note instance, potentially leading to data theft or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting the \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e endpoint with the \u003ccode\u003etype=8\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes a \u003ccode\u003econtent\u003c/code\u003e parameter containing a specially crafted SVG payload. This SVG payload leverages a namespace prefix to bypass the \u003ccode\u003eSanitizeSVG\u003c/code\u003e function\u0026rsquo;s intended filtering, e.g., \u003ccode\u003e%3C%2Fx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim, either unknowingly or through social engineering, opens the malicious URL in their browser.\u003c/li\u003e\n\u003cli\u003eThe SiYuan server processes the request without proper sanitization, inserting the attacker-controlled content into the SVG, and serves the response with \u003ccode\u003eContent-Type: image/svg+xml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s XML parser interprets the namespace prefix, resolving it to the SVG namespace, and executes the embedded JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code executes within the security context of the SiYuan application (\u003ccode\u003ehttp://\u0026lt;siyuan-host\u0026gt;:6806\u003c/code\u003e), due to \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script can now interact with the SiYuan API using the victim\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eThe attacker can perform actions such as reading notes, exporting data, or modifying settings without authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a significant risk to SiYuan Note users, particularly those whose instances are reachable on a local network. An attacker could potentially compromise sensitive information, manipulate user data, or gain unauthorized access to the application. The ease of exploitation and the absence of authentication requirements make this vulnerability particularly dangerous. Because SiYuan sets \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e and the script runs same-origin, it can call any API endpoint using the victim\u0026rsquo;s existing session cookies, including endpoints to read all notes, export data, or modify settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan Note to a version that includes the fix for commit f09953afc57a to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SiYuan SVG XSS Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e containing SVG payloads with namespace-prefixed script tags, as demonstrated in the PoC.\u003c/li\u003e\n\u003cli\u003eConsider implementing a Content Security Policy (CSP) on the SiYuan server to restrict the execution of inline JavaScript.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T00:30:01Z","date_published":"2026-04-01T00:30:01Z","id":"/briefs/2026-04-siyuan-xss/","summary":"SiYuan Note versions prior to the fix for commit f09953afc57a are vulnerable to reflected cross-site scripting (XSS) via a namespace prefix bypass in the SanitizeSVG function when handling dynamic icons, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.","title":"SiYuan Note Reflected XSS Vulnerability in SVG Processing","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Svg","version":"https://jsonfeed.org/version/1.1"}