CVE-2025-70297

Source
https://cve.org/CVERecord?id=CVE-2025-70297
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70297.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-70297
Published
2026-02-11T19:15:50.690Z
Modified
2026-02-26T01:23:44.789625Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim's browser.

References

Affected packages

Git / github.com/hay-kot/mealie

Affected ranges

Type
GIT
Repo
https://github.com/hay-kot/mealie
Events

Affected versions

v3.*
v3.3.1
v3.3.2
v3.4.0
v3.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70297.json"