PT-2025-44056 · Elabftw · Elabftw

Published

2025-10-27

·

Updated

2025-10-28

·

CVE-2025-62793

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

eLabFTW versions prior to 5.3.0

Description

eLabFTW, an electronic lab notebook, served uploaded SVG files inline, so a browser that opened such a file rendered it as a document under the application's origin instead of downloading it. Because SVG supports active content (script elements, event-handler attributes, javascript: links), an authenticated user could upload a crafted SVG whose scripts run in the browser of any user who views the file. This is a stored cross-site scripting (XSS) vulnerability: a successful exploit could allow the attacker to hijack the victim's session, steal data, or perform actions on their behalf within the application.

Recommendations

Update to version 5.3.0 or later.

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62793
GHSA-RQ98-8JH9-684F

Affected Products

Elabftw