HackerOne Disclosed Reports - 2026-01-04 - Printable Version
+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-01-04 (/Thread-HackerOne-Disclosed-Reports-2026-01-04)
HackerOne disclosed reports - 2026-01-04 - hashXploiter - 01-05-2026
Low, resolved: Stored XSS via SVG Upload in chat.line.biz
Bug reported by Natthakul Raingoen was disclosed at January 5, 2026, 4:49 am | An SVG file containing malicious JavaScript was uploaded to the web application without proper filtering or disabling of embedded scripts. When another user opened the malicious SVG file in the management interface, the embedded script was executed in the browser, resulting in a stored cross-site scripting (Stored XSS) vulnerability.

Low, resolved: Predictable proposal participant tokens enable unauthorized access and vote submission
Bug reported by Lorem Ipsumi was disclosed at January 4, 2026, 8:09 am | Weakness: Use of Insufficiently Random Values. A vulnerability was discovered in predictable proposal participant tokens, which enabled unauthorized access and vote submission.

Medium, resolved: Users can modify tags on files that do not belong to them
Bug reported by Roland Scheidel was disclosed at January 4, 2026, 8:00 am | Weakness: Improper Access Control - Generic. A vulnerability was discovered in which users could modify tags on files that did not belong to them. This issue has been addressed.

Medium, resolved: Deck app allows to spoof file extensions by using RTLO characters
Bug reported by Jayateertha G was disclosed at January 4, 2026, 8:00 am | The Deck app was found to allow spoofing of file extensions by using RTLO characters.

Low, resolved: Stored XSS in contacts app via organisation and title field
Bug reported by Jafar Abu Nada was disclosed at January 4, 2026, 7:54 am | Weakness: Cross-site Scripting (XSS) - Stored. A stored XSS vulnerability was discovered in the contacts app of the software. The vulnerability could be triggered by inputting malicious code in the organization or title field.