{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14202", "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "state": "PUBLISHED", "assignerShortName": "Gridware", "dateReserved": "2025-12-07T00:38:32.831Z", "datePublished": "2025-12-17T23:35:17.515Z", "dateUpdated": "2025-12-17T23:35:17.515Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/sissbruecker/linkding", "defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "LinkDing", "repo": "https://github.com/sissbruecker/linkding", "vendor": "Linkding", "versions": [{"status": "affected", "version": "1.44.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Deema Alfehaid"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin\u2019s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover."}], "value": "A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin\u2019s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "shortName": "Gridware", "dateUpdated": "2025-12-17T23:35:17.515Z"}, "references": [{"url": "https://www.cve.org/cverecord?id=CVE-2025-14202"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Request Forgery (CSRF) Leading to Account Takeover via SVG File Upload", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin\u2019s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover."}], "id": "CVE-2025-14202", "lastModified": "2025-12-18T00:16:21.493", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary"}]}, "published": "2025-12-18T00:16:21.493", "references": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "url": "https://www.cve.org/cverecord?id=CVE-2025-14202"}], "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary"}]}

{}

{"created": "2025-12-18T09:55:24.077625+00:00", "updated": "2025-12-18T09:55:24.077651+00:00", "vendors": ["linkding", "linkding$PRODUCT$linkding"]}