Cross-Site Scripting Vulnerability in eLabFTW Open Source Lab Notebook
CVE-2025-62793

6.8 MEDIUM

Key Information:

Vendor

Elabftw

Status
Vendor
CVE Published:
27 October 2025

What is CVE-2025-62793?

eLabFTW, an open-source electronic lab notebook, is vulnerable to Cross-Site Scripting (XSS) because uploaded SVG files are served inline. SVG files can carry active content, so an attacker who can upload files can submit a maliciously crafted SVG; when another user views it, the embedded script runs in the application's origin, enabling session hijacking, data exfiltration, or actions performed on the victim's behalf. The issue is fixed in version 5.3.0, so upgrading to that release or later is the remediation, and it underscores the importance of keeping software up to date.
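As an added defensive example (not eLabFTW's own code), the following Python shows the two mitigations relevant to this class of bug: a check that flags active content in an uploaded SVG, and response headers that keep an SVG from rendering inline in the application's origin. The sample SVGs and the header policy are constructed for illustration and assume nothing about eLabFTW's internals.

```python
import re
from xml.etree import ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ACTIVE_TAGS = {"script", "foreignObject"}        # elements that carry script or HTML
URL_ATTRS = ("href", XLINK_HREF)                   # attributes that can hold a javascript: URL

def svg_active_content(data):
    """Return the reasons an SVG upload carries active content (empty list = none found)."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]     # treat as suspicious, not as safe
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
        if local in ACTIVE_TAGS:
            findings.append("<%s> element" % local)
        for name, value in el.attrib.items():
            if name.lower().startswith("on"):      # onload=, onclick=, ...
                findings.append("event handler %s on <%s>" % (name, local))
            elif name in URL_ATTRS and re.match(r"\s*(javascript|data):", value, re.I):
                findings.append("%s with %s URL on <%s>" % (name, value.split(":")[0], local))
    return findings

def response_headers(filename, data):
    """Headers for serving an upload: SVG is recognised by content and never rendered inline."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)  # keep the header value injection-free
    is_svg = b"<svg" in data.lstrip()[:512].lower() or safe_name.lower().endswith(".svg")
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,  # download, not inline
    }
    if is_svg:
        headers["Content-Type"] = "image/svg+xml"
        # Even if a client renders it anyway, forbid script and network access.
        headers["Content-Security-Policy"] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
    else:
        headers["Content-Type"] = "application/octet-stream"
    return headers

# Constructed samples: a harmless drawing and one with three kinds of active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
              b'<script>x()</script><a xlink:href="javascript:x()"><text>t</text></a></svg>')

if __name__ == "__main__":
    print(svg_active_content(BENIGN_SVG))       # []
    print(svg_active_content(ACTIVE_SVG))       # three findings
    print(response_headers("plot.svg", ACTIVE_SVG))
```

The content check is a triage aid for uploads already on disk; the headers are the actual fix, since a sanitizer can be bypassed but a file served as an attachment with a sandboxing CSP is not rendered in the application's origin.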

Affected Version(s)

elabftw < 5.3.0

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
