Spoofing attack in eLabFTW - CVE-2025-62793

 


Published: April 24, 2026


Vulnerability identifier: #VU127372
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62793
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: elabftw
Affected software:
eLabFTW

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the SVG file handling functionality does not neutralize active content in uploaded SVG files before rendering that content inline in the browser. A remote user can upload a crafted SVG file and, once a victim views it, disclose sensitive information.

User interaction is required to open the SVG URL or a page embedding the uploaded file.
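An added illustration, not eLabFTW's own code (the project's SVG handling is not shown on this page): a defender-side check that inspects an uploaded SVG for the kinds of active content the description refers to (script elements, event-handler attributes, foreign or external references) so the server can refuse to render it inline and serve it as a download instead. The element and attribute lists and the sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or embed foreign/remote content in an SVG (constructed list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Both the SVG 2 plain href and the legacy xlink:href attribute names.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1] if "}" in name else name


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means nothing active was found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)  # stdlib parser; does not fetch external entities
    except ET.ParseError as exc:
        return ["unparseable: %s" % exc]
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append("element:%s" % tag)
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):          # onload=, onclick=, ...
                findings.append("handler:%s@%s" % (tag, aname))
            elif attr in HREF_ATTRS and not value.startswith("#"):
                findings.append("href:%s->%s" % (tag, value))  # data:, http(s):, javascript: ...
            elif aname == "style" and "url(" in value:
                findings.append("style-url:%s" % tag)
    return findings


def response_headers(svg_bytes):
    """Headers for serving the upload: inline only when no active content was found."""
    if find_active_content(svg_bytes):
        return {"Content-Disposition": "attachment", "Content-Security-Policy": "sandbox"}
    return {"Content-Disposition": "inline", "Content-Security-Policy": "sandbox"}


# Constructed samples: a plain drawing and one carrying active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="#fff"/><use href="#a"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
              b'onload="init()"><script>/* active content */</script>'
              b'<image xlink:href="https://example.invalid/logo.png"/></svg>')
```

Even a clean upload is served with a sandboxing CSP here, since the check is a filter on known patterns rather than a proof that the file is inert.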


How to mitigate CVE-2025-62793

Install the security update from the vendor's website.

Sources