CVE-2025-41084

Name of the Vulnerable Software and Affected Versions Sesame web application (affected versions not specified)

Description A stored Cross-Site Scripting (XSS) issue exists in the Sesame web application because uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files. Exploitation occurs by sending a POST request with a malicious payload using the logo parameter to the ''/api/v3/companies//logo'' API endpoint. The malicious script is then stored on the server and executed when a user accesses the compromised resource.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.