PT-2025-42769 · Unknown · Tastyigniter

Published 2025-10-20 · Updated 2025-10-21 · CVE-2025-61417

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TastyIgniter version 3.7.7
Description: A Cross-Site Scripting (XSS) issue exists in the /admin/media manager component. An attacker with upload access can upload a malicious SVG file containing JavaScript code. When an administrator previews the file in the media manager, the embedded script executes in the administrator's browser session, potentially allowing the attacker to perform unauthorized actions such as modifying admin account credentials. The vulnerable component is the /admin/media manager endpoint; the attack consists of uploading an SVG file whose script runs when the file is previewed, putting the administrator account at risk of compromise.
Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, avoid previewing SVG files uploaded through the /admin/media manager component.
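The description above boils down to two defensive controls that any media-manager upload path can apply: refuse SVG uploads that carry active content, and serve stored SVGs in a way that cannot run script in the admin origin. The following is an added example written for this page, not code from TastyIgniter or from the advisory; the element and attribute lists, the header set and the sample SVG documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed list of SVG/HTML elements that can execute or embed script when a
# browser renders the file. (Constructed for this example.)
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# href values with these schemes run code when activated. (Constructed.)
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def svg_active_content_findings(svg_bytes: bytes) -> list[str]:
    """Return reasons an uploaded SVG should be rejected; empty list means inert.

    Parses the document as XML (SVG is XML, so a non-parseable file is also
    rejected) and walks every element looking for script-bearing elements,
    on* event-handler attributes and script-scheme hrefs.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        # Strip the XML namespace prefix, e.g. "{http://www.w3.org/2000/svg}svg"
        local = elem.tag.rsplit("}", 1)[-1].lower()
        if local in ACTIVE_ELEMENTS:
            findings.append(f"element <{local}>")
        for attr, value in elem.attrib.items():
            attr_local = attr.rsplit("}", 1)[-1].lower()
            if attr_local.startswith("on"):
                findings.append(f"event handler attribute {attr_local} on <{local}>")
            elif attr_local == "href" and SCRIPT_SCHEME.match(value):
                findings.append(f"script-scheme href on <{local}>")
    return findings


def safe_svg_response_headers() -> dict[str, str]:
    """Headers for serving stored SVGs so a preview cannot run script.

    Assumed hardening set (constructed for this example): force download
    rather than inline rendering, and apply a CSP that blocks script and
    sandboxes the document if it is ever opened inline anyway.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample documents. The unsafe one carries placeholders only.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="orange"/>
</svg>"""

UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed placeholder */">
  <script>/* constructed placeholder, no real payload */</script>
  <a xlink:href="javascript:void(0)"><text x="1" y="5">link</text></a>
</svg>"""

if __name__ == "__main__":
    print("clean:", svg_active_content_findings(CLEAN_SVG))
    print("unsafe:", svg_active_content_findings(UNSAFE_SVG))
    print("serve with:", safe_svg_response_headers())
```

A media manager would call `svg_active_content_findings` on every file whose extension or sniffed type is SVG and reject the upload when the list is non-empty; the response headers apply to whatever route streams stored media back to the admin UI, so that even a file that slipped past the upload check is downloaded rather than rendered in the administrator's session.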

Tags: XSS · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-61417
GHSA-4VRF-42CM-7XFW

Affected Products

Tastyigniter