2026-03-27 14:50:36
tenable
PUBLISHED
The /api/v1/files/images/{flow_id}/{file_name} endpoint serves SVG files with the image/svg+xml content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies, including JWT access and refresh tokens.