CVE-2021-43842

Name of the Vulnerable Software and Affected Versions: Wiki.js versions 2.5.257 and earlier

Description: The issue allows a malicious user to stage a stored cross-site scripting attack by uploading a crafted SVG file. This enables the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. However, scripts do not execute when loaded inside a page via normal <img> tags.

Recommendations: For Wiki.js versions 2.5.257 and earlier, update to version 2.5.260 or later to resolve the issue. As a temporary workaround, consider disabling file upload for all non-trusted users until a patch is applied.