CVE-2025-41085
Unknown Unknown - Not Provided
Stored XSS in Apidog 2.7.15 via Unsanitized SVG Uploads

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and executed in the context of any user accessing the compromised resource.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-04
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41085
EUVD
EUVD-2025-206810
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apidog apidog 2.7.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-41085 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in Apidog web platform version 2.7.15. It occurs because SVG image uploads are not properly sanitized. Attackers can exploit this by sending a POST request to the endpoint '/api/v1/user-avatar' with a malicious SVG file containing embedded scripts. These scripts are then stored on the server and executed in the context of any user who accesses the compromised resource."}] [1]

Impact Analysis

This vulnerability allows attackers to execute malicious scripts in the context of users accessing the compromised resource. This can lead to unauthorized actions such as stealing user credentials, session hijacking, or performing actions on behalf of the user without their consent. Since the malicious scripts are stored on the server, every user accessing the affected resource is at risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for POST requests to the endpoint '/api/v1/user-avatar' that contain SVG image uploads. Specifically, you should look for SVG files that include embedded scripts, which indicate malicious payloads exploiting the stored XSS vulnerability."}, {'type': 'paragraph', 'content': "Commands to detect such activity might include using network traffic inspection tools or web server logs to filter POST requests to '/api/v1/user-avatar' and analyzing the contents of uploaded SVG files for embedded script tags or JavaScript code."}, {'type': 'list_item', 'content': "Use tools like tcpdump or Wireshark to capture HTTP POST requests to '/api/v1/user-avatar'."}, {'type': 'list_item', 'content': "Search web server logs for POST requests to '/api/v1/user-avatar' with SVG file uploads."}, {'type': 'list_item', 'content': 'Use grep or similar tools to scan uploaded SVG files for <script> tags or suspicious JavaScript code.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': "As no official patch or solution has been reported at the time of the advisory, immediate mitigation steps should focus on restricting or monitoring SVG image uploads to the '/api/v1/user-avatar' endpoint."}, {'type': 'paragraph', 'content': 'You can temporarily disable SVG uploads or implement strict validation and sanitization of SVG files before accepting them to prevent malicious scripts from being stored.'}, {'type': 'paragraph', 'content': 'Additionally, monitor user activity and server logs for suspicious behavior related to this endpoint and consider applying web application firewall (WAF) rules to block or alert on suspicious SVG uploads.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41085. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart