LinkDing SVG File Upload Vulnerability Leading to Cross-Site Request Forgery and Account Takeover

Vulnerability

A vulnerability exists in LinkDing version 1.44.1 within the file upload and asset rendering pipeline. This issue allows an attacker to upload a malicious SVG file containing JavaScript. When an authenticated admin user views this SVG file, the embedded JavaScript executes in the admin's browser. The script retrieves the CSRF token and sends a request to change the admin's password, resulting in a complete account takeover.
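As an added defensive example (not LinkDing's own code), the following Python functions show the two controls that break the chain described above: an upload-time check that flags the SVG features a script-carrying file needs (script elements, inline event handlers, `javascript:` hrefs), and the response headers that keep a user-uploaded SVG from executing in the application's origin even if it is still served. The sample SVGs, function names and header set are assumptions made for this example.

```python
"""Added example: detecting active content in uploaded SVGs and serving
uploads so that a browser will not run them in the application's origin."""
import xml.etree.ElementTree as ET

# Elements that let an SVG execute script or embed HTML (matched by localname).
# Note: for production, parse untrusted XML with defusedxml rather than ET.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes):
    """Return findings describing active content in an SVG document.
    An empty list means nothing was found, not that the file is safe;
    the file should still be served with safe_upload_headers()."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)           # handles xlink:href as well
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{name}>")
    return findings


def safe_upload_headers():
    """Headers for serving user-uploaded files: force a download and, if a
    browser renders the file anyway, confine it to a scriptless opaque origin."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "sandbox; script-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: a plain icon and one carrying an inert script element.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              b'<script>/* constructed, inert */</script></svg>')
```

Rejecting files with findings at upload time and serving the rest with these headers addresses both halves of the report: the script never runs in the LinkDing origin, so it cannot read the CSRF token or act as the viewing admin.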

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery (CSRF) attacks, leading to unauthorized password changes and full account takeovers for admin users.

Added: Dec 18, 2025, 12:19 AM
Updated: Dec 18, 2025, 12:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.5
exploitability: 5.0
remediation: 0.0
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.