payload is vulnerable to Cross-Site Scripting
Medium Risk
Affected versions of this package are vulnerable to cross-site scripting (XSS) via malicious SVG uploads. Uploaded SVG files could be served without restrictive content security headers, so an SVG carrying an embedded script (an inline <script> element or an event-handler attribute) would execute that script in the browser when rendered in contexts such as the admin panel. The fix adds a Content-Security-Policy (CSP) header to every SVG upload served by core and by the storage adapters; the policy blocks execution of inline scripts in SVG content by default and reduces the risk of "SVG smuggling"-style attacks. This is a defensive layer on top of the existing SVG validation, not a replacement for it: the header gives developers additional assurance that an untrusted SVG which slips past validation still will not execute script in browsers. Note that the header only protects files that are actually served with it; if uploads are delivered through a path that does not apply the header, the validation layer is the only remaining control.
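The mitigation described above, as an added example in JavaScript that is not Payload's own code: an Express-style handler that serves an uploaded SVG with a restrictive CSP, a small CSP parser that confirms the served policy really forbids inline script, and a deliberately conservative upload-time pre-check. The header values, the helper names (svgResponseHeaders, sendSvg, parseCsp, cspBlocksInlineScript, svgLooksDangerous, fakeResponse) and both sample SVGs are this example's own assumptions, not anything from the advisory or the project.

```javascript
// Added example (not Payload's own code). Header values, helper names and
// the sample SVGs below are this example's assumptions.

// Constructed sample of a malicious upload: an inline <script> plus an
// onload handler, the two usual script carriers in SVG.
const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"
     onload="fetch('/api/users/me').then(r => r.text()).then(alert)">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" fill="red"/>
</svg>`;

// Constructed benign sample.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' +
  '<rect width="10" height="10" fill="green"/></svg>';

// Policy a browser applies when it renders the SVG as a document (someone
// opens /uploads/x.svg directly, or it is framed/embedded via <object>).
// default-src 'none' blocks inline <script>, on* handlers and any fetch;
// style-src 'unsafe-inline' keeps the SVG's own <style> working;
// sandbox drops the rendered document into an opaque origin.
const SVG_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox";

// Headers to attach to every SVG served from user uploads.
function svgResponseHeaders() {
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Security-Policy': SVG_CSP,
    'X-Content-Type-Options': 'nosniff',
  };
}

// Express-style handler body: res.set(headers), res.status(code), res.send(body).
function sendSvg(res, svgText) {
  res.set(svgResponseHeaders());
  res.status(200).send(svgText);
}

// Parse a CSP header value into { directiveName: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True when the policy stops an attacker-supplied inline script: the effective
// script directive (script-src, else default-src) exists and does not grant
// 'unsafe-inline'. Browsers ignore 'unsafe-inline' once a nonce or hash source
// is present, so a nonce/hash policy also blocks scripts the attacker wrote.
function cspBlocksInlineScript(policy) {
  const d = parseCsp(policy);
  const effective = d['script-src'] ?? d['default-src'];
  if (!effective) return false; // no script restriction at all
  const hasNonceOrHash = effective.some((s) =>
    /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return hasNonceOrHash || !effective.includes("'unsafe-inline'");
}

// Upload-time pre-check. Deliberately conservative and NOT a sanitizer: it
// rejects the obvious script carriers and may reject some harmless files.
// The real validation layer should be an allow-list SVG sanitizer.
const SCRIPT_CARRIERS = [
  /<\s*script\b/i,          // inline <script>
  /\son[a-z]+\s*=/i,        // onload=, onclick=, ... event handlers
  /javascript\s*:/i,        // javascript: URLs in href/xlink:href
  /<\s*foreignObject\b/i,   // HTML smuggled inside SVG
];

function svgLooksDangerous(svgText) {
  return SCRIPT_CARRIERS.some((re) => re.test(svgText));
}

// In-memory stand-in for an Express response so the example runs without
// a server; records what a real response would have carried.
function fakeResponse() {
  const r = { headers: {}, statusCode: 0, body: '' };
  r.set = (h) => { Object.assign(r.headers, h); return r; };
  r.status = (c) => { r.statusCode = c; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}

const res = fakeResponse();
sendSvg(res, MALICIOUS_SVG);
console.log('served CSP:', res.headers['Content-Security-Policy']);
console.log('CSP blocks inline script:',
  cspBlocksInlineScript(res.headers['Content-Security-Policy']));
console.log('pre-check rejects upload:', svgLooksDangerous(MALICIOUS_SVG));
console.log('pre-check accepts benign:', !svgLooksDangerous(BENIGN_SVG));
```

The CSP only does work when the SVG is rendered as a document (direct navigation, an iframe, or an object/embed element); inside an img element browsers never run SVG script regardless of headers. cspBlocksInlineScript is the check to run against whatever actually serves the file, since a CDN or storage origin that strips or does not emit the header leaves only the validation layer in place.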
You are affected if you are using a version that falls within the vulnerable range.
payload is vulnerable to Cross-Site Scripting in versions 0.0.1 - 3.76.0.
Upgrade the payload package to a patched release, i.e. one newer than 3.76.0, and confirm that the Content-Security-Policy header is present on SVG responses from whichever origin actually serves your uploads.