CVE-2025-56515

File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles.

Published: Oct 1, 2025
Updated: Oct 2, 2025
CVE: CVE-2025-56515
GHSA: GHSA-2c6j-vw6r-mfch
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
fiora	1.0.0	1.0.0.x

https://fiora.suisuijiang.com
https://github.com/Kov404/CVE-2025-56515/tree/main

Vulnerability Database

CVE-2025-56515

Deep Security Visibility Without the Complexity