Stored Cross-Site Scripting Vulnerability in Laravel-Mediable Product by Plank
CVE-2026-49971
5.3MEDIUM
What is CVE-2026-49971?
Laravel-Mediable prior to version 7.0.0 is susceptible to a stored cross-site scripting vulnerability. This flaw permits both authenticated and unauthenticated users to upload unsanitized SVG files containing malicious JavaScript. When such SVG files are stored, attackers can embed scripts within onload event handlers, script tags, or foreignObject elements. The malicious scripts execute automatically when the file is opened or previewed, granting the attacker full access to the DOM, which can lead to session cookie theft, CSRF token capture, and potential account takeovers.
Affected Version(s)
laravel-mediable 0
