CVE-2025-41085

Name of the Vulnerable Software and Affected Versions Apidog version 2.7.15

Description A stored Cross-Site Scripting (XSS) issue exists in Apidog version 2.7.15 due to improper sanitization of SVG image uploads. An attacker can embed malicious scripts within SVG files by sending a POST request to the /api/v1/user-avatar endpoint. These malicious scripts are then stored on the server and executed when a user accesses the compromised resource. The vulnerable parameter is the SVG image file itself.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict or disable SVG image uploads until a patch is available.