SB2026042403 - Spoofing attack in eLabFTW
Published: April 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Spoofing attack (CVE-ID: CVE-2025-62793)
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of active content in uploaded SVG files in the SVG file handling functionality when rendering uploaded SVG content inline in the browser. A remote user can upload a crafted SVG file to disclose sensitive information.
User interaction is required to open the SVG URL or a page embedding the uploaded file.
Remediation
Install update from vendor's website.