{"id":"CVE-2022-29351","details":"An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here.","modified":"2026-03-15T14:10:26.318277Z","published":"2022-05-16T14:15:07.900Z","references":[{"type":"WEB","url":"http://tiddlywiki5.com"},{"type":"ADVISORY","url":"https://github.com/Jermolene/TiddlyWiki5"},{"type":"ADVISORY","url":"https://github.com/jimcola99/corruptsvgfile"},{"type":"EVIDENCE","url":"https://www.youtube.com/watch?v=F_DBx4psWns"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jermolene/tiddlywiki5","events":[{"introduced":"0"},{"last_affected":"76236f5ebe8f646cfdea59a58340892a8d777a3f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.2.2"}]}}],"versions":["v5.0.0-alpha.11","v5.0.0-alpha.12","v5.0.0-alpha.13","v5.0.0-alpha.14","v5.0.0-alpha.15","v5.0.0-alpha.16","v5.0.0-alpha.17","v5.0.1","v5.0.1-alpha","v5.0.10-beta","v5.0.11-beta","v5.0.12-beta","v5.0.13-beta","v5.0.14-beta","v5.0.15-beta","v5.0.16-beta","v5.0.17-beta","v5.0.18-beta","v5.0.2-beta","v5.0.3-beta","v5.0.4-beta","v5.0.5-beta","v5.0.6-beta","v5.0.7-beta","v5.0.8-beta","v5.0.9-beta","v5.1.0","v5.1.1","v5.1.11","v5.1.12","v5.1.13","v5.1.14","v5.1.15","v5.1.17","v5.1.18","v5.1.19","v5.1.2","v5.1.20","v5.1.21","v5.1.23","v5.1.3","v5.1.4","v5.1.5","v5.1.6","v5.1.7","v5.1.8","v5.1.9","v5.2.0","v5.2.1","v5.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29351.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}