Security
Fixes a stored XSS vulnerability (CWE-79, CVSS 5.4 Moderate): SVG files uploaded through the
Curator panel were served inline without sanitization, allowing embedded JavaScript to
execute in the application's origin when a user opened the file via the View action. SVG
uploads are now sanitized (scripts, event handlers, and remote references stripped) before
being written to storage.
After upgrading, run php artisan curator:sanitize-svgs to clean any SVGs uploaded before
this release (use --dry-run to preview first).
See the security advisory for full details:
GHSA-8vm9-f75m-5h2m
Dependencies
- Added
enshrined/svg-sanitize.