SB2026042403 - Spoofing attack in eLabFTW



SB2026042403 - Spoofing attack in eLabFTW

Published: April 24, 2026

Security Bulletin ID SB2026042403
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Spoofing attack (CVE-ID: CVE-2025-62793)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of active content in uploaded SVG files in the SVG file handling functionality when rendering uploaded SVG content inline in the browser. A remote user can upload a crafted SVG file to disclose sensitive information.

User interaction is required to open the SVG URL or a page embedding the uploaded file.


Remediation

Install update from vendor's website.