CVE-2025-46655 – CodiMD AWS S3 SVG XSS Bypass

April 26, 2025

CVE ID : CVE-2025-46655

Published : April 26, 2025, 9:15 p.m. | 1 hour, 48 minutes ago

Description : CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers.

Severity: 4.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-3954 – ChurchCRM Referer Handler Server-Side Request Forgery Vulnerability

Next Article CVE-2025-46654 – CodiMD through 2.2.0 has a CSP-based protection me

How To Prevent WordPress SQL Injection Attacks

Java never goes out of style: Celebrating 30 years of the language

OpenAI o3-pro available in the API, BrowserStack adds Playwright support for real iOS devices, and more – Daily News Digest

Creating The “Moving Highlight” Navigation Bar With JavaScript And CSS

Microsoft Copilot’s own default configuration exposed users to the first-ever “zero-click” AI attack, but there was no data breach

Sam Altman says “OpenAI was forced to do a lot of unnatural things” to meet the Ghibli memes demand surge

5 things we didn’t get from the Xbox Games Showcase, because Xbox obviously hates me personally

Minecraft Vibrant Visuals finally has a release date and it’s dropping with the Happy Ghasts

QAQ-QQ-AI-QUEST

QAQ-QQ-AI-QUEST

JS Dark Arts: Abusing prototypes and the Result type

Helpful Git Aliases To Maximize Developer Productivity

Microsoft Copilot’s own default configuration exposed users to the first-ever “zero-click” AI attack, but there was no data breach

Microsoft Copilot’s own default configuration exposed users to the first-ever “zero-click” AI attack, but there was no data breach

Sam Altman says “OpenAI was forced to do a lot of unnatural things” to meet the Ghibli memes demand surge

5 things we didn’t get from the Xbox Games Showcase, because Xbox obviously hates me personally

CVE-2025-46655 – CodiMD AWS S3 SVG XSS Bypass

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

Paragon Spyware used to Spy on European Journalists

Google’s email spoofed by cunning phisherfolk who re-used DKIM creds

CVE-2025-4014 – PHPGurukul Art Gallery Management System SQL Injection Vulnerability

CVE-2025-5806 – Jenkins Gatling Plugin Cross-Site Scripting Vulnerability

GNOME 49 richiederà una maggiore integrazione con systemd

CVE-2025-37089 – HPE StoreOnce Command Injection Remote Code Execution Vulnerability

Representative Line: Identifying the Representative

ASUS Urges Windows 11 Upgrade: The Dawn of AI-Powered PCs and the End of Windows 10

Ecosystem Partnerships: Driving Mainframe Innovation and Future-Ready Solutions

CVE-2025-46655 – CodiMD AWS S3 SVG XSS Bypass

Related Posts