{"id":81939,"date":"2026-07-13T22:47:10","date_gmt":"2026-07-13T19:17:10","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-49971-laravel-mediable-7-0-0-stored-xss-via-svg-file-upload\/"},"modified":"2026-07-13T22:47:10","modified_gmt":"2026-07-13T19:17:10","slug":"cve-2026-49971-laravel-mediable-7-0-0-stored-xss-via-svg-file-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-49971-laravel-mediable-7-0-0-stored-xss-via-svg-file-upload\/","title":{"rendered":"CVE-2026-49971 &#8211; Laravel-Mediable &lt; 7.0.0 Stored XSS via SVG File Upload"},"content":{"rendered":"<p>CVE ID :CVE-2026-49971<\/p>\n<p>  Published : July 13, 2026, 7:17 p.m. | 13\u00a0minutes ago<\/p>\n<p>  Description :Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attackers can store persistent XSS payloads in uploaded SVG files that execute with full DOM access when victims open or preview the file, enabling session cookie theft, CSRF token capture, and account takeover.<\/p>\n<p>  Severity: 6.1 | MEDIUM<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-49971 Published : July 13, 2026, 7:17 p.m. | 13\u00a0minutes ago Description :Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attackers can store persistent XSS &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81939","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81939","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81939"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81939\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81939"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81939"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}