{"id":"CVE-2025-55944","details":"Slink v1.4.9 allows stored cross-site scripting (XSS) via crafted SVG uploads. When a user views the shared image in a new browser tab, the JavaScript embedded in the SVG executes in that user's browser. The issue affects both authenticated and unauthenticated users. The affected ranges in this record also list v1.5.1 and v1.6.3 as last-affected versions.","modified":"2026-04-10T05:26:56.655475Z","published":"2025-09-03T16:15:39.897Z","references":[{"type":"WEB","url":"https://github.com/G3XAR/Vulnerability-Research/tree/main/Slink%20%28up%20to%201.6.3%29/PoC"},{"type":"EVIDENCE","url":"https://github.com/G3XAR/Vulnerability-Research/tree/main/CVE-2025-55944"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/andrii-kryvoviaz/slink","events":[{"introduced":"0"},{"last_affected":"a2f924360e515001aaf140898c19d5b45951a8ac"},{"introduced":"0"},{"last_affected":"7d1f338e616394e7e510ef2719cf20176edeb896"},{"introduced":"0"},{"last_affected":"a53d6855c13cf454be16401295ef5ef50ba46579"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.9"},{"introduced":"0"},{"last_affected":"1.5.1"},{"introduced":"0"},{"last_affected":"1.6.3"}]}}],"versions":["v1.0.0","v1.0.0-rc.10","v1.0.0-rc.11","v1.0.0-rc.5","v1.0.0-rc.6","v1.0.0-rc.7","v1.0.0-rc.8","v1.0.0-rc.9","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.0.1","v1.1.0","v1.2.0","v1.2.1","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5.0","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.6.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55944.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}