CVE-2025-55166
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-55166
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55166.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-55166
- Aliases
- Published
- 2025-08-12T17:15:39Z
- Modified
- 2025-08-13T19:07:41.988893Z
- Summary
- [none]
- Details
-
savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0.
- References
Affected packages
Git / github.com/darylldoyle/svg-sanitizer
Affected ranges
- Type
- GIT
- Repo
- https://github.com/darylldoyle/svg-sanitizer
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.10.0
0.11.0
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.16.0
0.17.0
0.18.0
0.19.0
0.2.0
0.2.1
0.20.0
0.21.0
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.5.3.1
0.6.0
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2