Langflow – Stored XSS via Malicious SVG Upload

27/03/2026

The ‘/api/v1/files/images/{flow_id}/{file_name}’ endpoint serves SVG files with the ‘image/svg+xml’ content type without sanitizing their content.

Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies, including JWT access and refresh tokens.

Joshua Martinelle Fri, 03/27/2026 – 10:43
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Langflow – Stored XSS via Malicious SVG Upload

Latest article

CVE-2026-4645 Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions

Chromium: CVE-2026-4673 Heap buffer overflow in WebAudio

European Commission data stolen in a cyberattack on the infrastructure hosting its web sites

Metasploit Wrap-Up 03/27/2026

EDITOR PICKS

CVE-2026-4645 Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions

Chromium: CVE-2026-4673 Heap buffer overflow in WebAudio

European Commission data stolen in a cyberattack on the infrastructure hosting...

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

CVE-2026-4645 Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions

Chromium: CVE-2026-4673 Heap buffer overflow in WebAudio

European Commission data stolen in a cyberattack on the infrastructure hosting...