Security Advisory

CVE-2026-28558

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-28 21:47:38

Last updated 2026-05-11 23:11:38

Assigner VulnCheck

State PUBLISHED

Description

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attackers profile page.

← Browse all CVEs View on cve.org ↗