Security Advisory

CVE-2026-5026

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-27 14:50:36

Last updated 2026-03-27 15:35:23

Assigner tenable

State PUBLISHED

Description

The /api/v1/files/images/{flow_id}/{file_name} endpoint serves SVG files with the image/svg+xml content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies, including JWT access and refresh tokens.

← Browse all CVEs View on cve.org ↗