Authentik Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Authentik project, affecting all versions prior to 2024.10.4. This issue allows authenticated admin users to upload manipulated SVG files that are then used as application icons. When other users click on these icons, the embedded scripts in the SVG files are executed in their browsers.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user who clicks on the affected icon.

Reproduction

To reproduce this vulnerability, an authenticated admin user can upload a crafted SVG file containing JavaScript as an application icon. After the file is uploaded, the script will execute in the browser of any user who clicks on the icon.

Remediation

Users can update to Authentik version 2024.10.4 or later, where this vulnerability has been fixed.
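Upgrading is the fix for this advisory. For readers who want to understand the defensive check behind it, the following is an added example (written for this page, not code from the Authentik project) of server-side validation for uploaded SVG icons: the file is parsed as XML and rejected if it carries any of the well-known active-content vectors (script elements, inline event-handler attributes, or javascript:/data: link targets), and a second helper returns response headers that keep an icon from executing script even if one slips through. The sample SVG inputs are constructed for the test; the function names are this example's own, and the example assumes the stdlib XML parser (a hardened deployment would swap in defusedxml to cover entity-expansion attacks as well).

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute or embed active content inside an SVG document.
# Assumption: this list covers the vectors relevant to a static icon; it is
# deliberately conservative and is not taken from Authentik's code.
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}

# Link attributes whose value must not be a script-bearing URL scheme.
DANGEROUS_URL_SCHEME = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


def _local_name(qualified: str) -> str:
    """ElementTree encodes namespaces as '{uri}name'; return the bare name."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_svg_script_vectors(svg_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no known vector was found.

    Uses xml.etree from the standard library (assumption: defusedxml would be
    the hardened choice, since expat still expands internal entities here).
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # Every SVG attribute beginning with "on" (onload, onclick, ...) is an event handler.
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            # Covers both plain href and xlink:href after namespace stripping.
            if attr_name == "href" and DANGEROUS_URL_SCHEME.match(value):
                findings.append(f"script-bearing URL in href on <{name}>")
    return findings


def is_safe_svg_icon(svg_bytes: bytes) -> bool:
    """True when the upload passes every check and may be stored as an icon."""
    return not find_svg_script_vectors(svg_bytes)


def icon_response_headers() -> dict[str, str]:
    """Headers for serving stored icons so that script in an SVG cannot run.

    Assumption: the icon is served from the application's own origin; these
    headers confine the document regardless of what it contains.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline; filename=\"icon.svg\"",
    }


# Constructed sample inputs (not taken from the advisory).
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    b'<circle cx="12" cy="12" r="10" fill="#3b82f6"/></svg>'
)
SCRIPT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
)
HANDLER_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
)
HREF_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>'
)

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, "->", "accepted" if is_safe_svg_icon(sample) else find_svg_script_vectors(sample))
```

Rejecting at upload time and confining at serve time are complementary: the validator keeps known vectors out of storage, while the Content-Security-Policy header means a bypass of the validator still cannot run script in the viewer's browser. Where a sanitizing library is already in use, the same element and attribute rules can be expressed as its allow-list instead of this hand-rolled walk.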

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 2.2
impact: 1.7
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.