Unknown · Convert-Svg-Core · CVE-2022-25759
**Name of the Vulnerable Software and Affected Versions**
convert-svg-core versions prior to 0.6.2 (fixed in 0.6.2). The wrapper packages built on it, such as convert-svg-to-png and convert-svg-to-jpeg, are affected through their dependency on the core package and need a release that resolves to the patched core.
**Description**
convert-svg-core renders an SVG by loading it into a headless Chromium page through Puppeteer and screenshotting the result. Versions before 0.6.2 do nothing to stop script in that document from running, so an SVG whose root element carries an `onload` attribute (for example `<svg xmlns="http://www.w3.org/2000/svg" onload="...">`) executes attacker-supplied JavaScript inside the renderer the moment the page loads. Any service that converts SVG received from remote users (an upload endpoint, a thumbnailer, a report generator) therefore gives those users code execution in a browser context on the conversion host; all the attacker has to do is submit a file. What the script can reach depends on how the conversion is wired up (network access of the Chromium process, resources the page is allowed to load), but at minimum it runs unvetted code and can alter the produced image.
**Recommendations**
Update convert-svg-core to 0.6.2 or later. Because most applications pull it in transitively, also update the wrapper package you actually depend on (convert-svg-to-png, convert-svg-to-jpeg) and refresh the lockfile; `npm ls convert-svg-core` shows which version is really resolved. Where an immediate upgrade is not possible, the protection has to come from around the library, since the vulnerable versions will not stop the script themselves: do not pass SVG from untrusted sources to the converter at all; where you must, reject (rather than try to clean) any input containing `<script>` elements, `on*` event-handler attributes or `javascript:` URLs before it reaches the converter; and run conversions in an isolated worker with no network access, no credentials and a minimal filesystem, so that script which does run finds nothing useful. Note that keeping `onload` out of your own SVG files is not a mitigation: the attribute arrives in the attacker's input, not yours.
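The pre-conversion gate and isolated rendering described above, as an added example that is neither this page's code nor convert-svg-core's own. It assumes the SVG ends up embedded in an HTML document handled by Chromium's HTML parser (so HTML quirks such as `<svg/onload=...>` and the `--!>` comment close are treated as live), and that the Puppeteer calls `setJavaScriptEnabled`, `setRequestInterception` and `setContent` behave as in current Puppeteer releases. It goes beyond the `onload` case in the advisory: `<script>` and SMIL animation elements, processing instructions, DTD internal subsets, CDATA sections and `javascript:` or non-image `data:` hrefs (checked after character-reference decoding) are all refused, and both the element and attribute checks work from an allow list so unknown content fails closed. Function and constant names are hypothetical.

```javascript
// Added example, not convert-svg-core's own code: a fail-closed gate that refuses
// untrusted SVG carrying script, and a Puppeteer wrapper that renders with
// JavaScript disabled. Function names are hypothetical.

// Elements a static drawing needs. script, foreignObject, style, the SMIL
// animation elements and anything unknown are refused rather than stripped.
const ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'title', 'desc', 'metadata', 'symbol', 'use', 'a', 'path',
  'rect', 'circle', 'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan',
  'textpath', 'image', 'lineargradient', 'radialgradient', 'stop', 'pattern',
  'clippath', 'mask', 'marker', 'filter',
]);

// Decode numeric and basic named character references so that a value such as
// "&#106;avascript:" is inspected the way the browser will see it.
function decodeRefs(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/gi, (_, n) => named[n.toLowerCase()]);
}

// href values may only point inside the document or carry an inline raster image;
// javascript:, non-image data:, file: and http(s): would be followed by the renderer.
function safeUrl(value) {
  const v = decodeRefs(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return v === '' || v.startsWith('#') || /^data:image\/(png|jpeg|gif|webp)[;,]/.test(v);
}

// Yield each tag, honouring quoted attribute values so a '>' inside a value cannot
// desynchronise the scan. Comments are skipped; HTML's early close "--!>" and
// anything unterminated throw, which the caller turns into a rejection.
function* tags(svg) {
  let i = svg.indexOf('<');
  while (i !== -1) {
    let end;
    if (svg.startsWith('<!--', i)) {
      end = svg.indexOf('-->', i + 2);
      if (end === -1 || svg.slice(i + 4, end).includes('--!>')) throw new Error('bad comment');
      i = svg.indexOf('<', end + 3);
      continue;
    }
    let quote = null;
    for (end = i + 1; end < svg.length; end++) {
      const c = svg[end];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    if (end >= svg.length) throw new Error('unterminated tag');
    yield svg.slice(i, end + 1);
    i = svg.indexOf('<', end + 1);
  }
}

// Tag and attribute shapes; a '>' inside quotes was already handled by tags().
const TAG_RE = /^<\s*\/?\s*([^\s\/>]+)([\s\S]*?)\/?\s*>$/;
const ATTR_RE = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Returns { ok: true } or { ok: false, reason }. Any parse trouble is a rejection.
function checkSvg(svg) {
  const reject = (reason) => ({ ok: false, reason });
  try {
    for (const tag of tags(svg)) {
      if (/^<\?xml\s[^<>]*\?>$/i.test(tag)) continue;            // XML declaration
      if (/^<!doctype\s+svg[^\[\]<>]*>$/i.test(tag)) continue;   // DOCTYPE, no internal subset
      if (tag[1] === '?' || tag[1] === '!') return reject('PI, ENTITY or CDATA not allowed');
      const m = TAG_RE.exec(tag);
      if (!m) return reject('unparseable tag');
      const name = m[1].toLowerCase().replace(/^.*:/, '');
      if (!ALLOWED_ELEMENTS.has(name)) return reject(`element <${name}> not allowed`);
      for (const a of m[2].matchAll(ATTR_RE)) {
        const attr = a[1].toLowerCase(), local = attr.replace(/^.*:/, '');
        const value = a[2] ?? a[3] ?? a[4] ?? '';
        if (local.startsWith('on')) return reject(`event handler ${attr} on <${name}>`);
        if (local === 'href' && !safeUrl(value)) return reject(`unsafe ${attr} on <${name}>`);
      }
    }
    return { ok: true };
  } catch (e) {
    return reject(e.message);
  }
}

// Render only after the gate passes, with script execution disabled in the page
// and every network request blocked. Assumes puppeteer is installed; not run here.
async function renderUntrustedSvg(svg, pngPath) {
  const gate = checkSvg(svg);
  if (!gate.ok) throw new Error(`rejected SVG: ${gate.reason}`);
  const puppeteer = (await import('puppeteer')).default;
  const browser = await puppeteer.launch();
  try {
    const page = await browser.newPage();
    await page.setJavaScriptEnabled(false);          // must precede setContent
    await page.setRequestInterception(true);
    page.on('request', (r) => (r.url().startsWith('data:') ? r.continue() : r.abort()));
    await page.setContent(`<!DOCTYPE html><body style="margin:0">${svg}</body>`);
    await (await page.$('svg')).screenshot({ path: pngPath, omitBackground: true });
  } finally {
    await browser.close();
  }
}
```

Inline `style` attributes are not inspected for `url()` references; `<style>` elements are kept off the allow list for the same reason, and the request interception in `renderUntrustedSvg` is what stops any external fetch they might still trigger. Treat the gate as defence in depth: disabling JavaScript in the page is the control that actually removes `onload` execution, while the gate keeps obviously hostile input from ever reaching the browser and gives you a log-worthy reason string when it does.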