resolved
Stored XSS via SVG Upload in chat.line.biz
Bug reported by Natthakul Raingoen was disclosed on January 5, 2026, 4:49 am
An SVG file containing malicious JavaScript was uploaded to the web application without proper filtering or disabling of embedded scripts. When another user opened the malicious SVG file in the management interface, the embedded script was executed in the browser, resulting in a stored cross-site scripting (Stored XSS) vulnerability.
resolved
Predictable proposal participant tokens enable unauthorized access and vote submission
Bug reported by Lorem Ipsumi was disclosed on January 4, 2026, 8:09 am | Use of Insufficiently Random Values
Proposal participant tokens were found to be predictable, which enabled unauthorized access and vote submission.
resolved
Users can modify tags on files that do not belong to them
Bug reported by Roland Scheidel was disclosed on January 4, 2026, 8:00 am | Improper Access Control - Generic
A vulnerability was discovered in which users could modify tags on files that did not belong to them. This issue has been addressed.
resolved
Deck app allows to spoof file extensions by using RTLO characters
Bug reported by Jayateertha G was disclosed on January 4, 2026, 8:00 am
The Deck app was found to allow spoofing of file extensions by using RTLO characters.
resolved
Stored XSS in contacts app via organisation and title field
Bug reported by Jafar Abu Nada was disclosed on January 4, 2026, 7:54 am | Cross-site Scripting (XSS) - Stored
A stored XSS vulnerability was discovered in the contacts app of the software. The vulnerability could be triggered by inputting malicious code in the organization or title field.