CVE-2025-70297

{"id": "CVE-2025-70297", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-02-11T19:15:50.690", "references": [{"url": "https://github.com/chrisWalker11/Cves/blob/main/CVE-2025-70297/CVE-2025-70297.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/mealie-recipes/mealie/issues/6319", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenada en el componente de carga de activos de recetas y servicio de medios en Mealie 3.3.1 permite a usuarios remotos autenticados inyectar script web o HTML arbitrario a trav\u00e9s de un archivo SVG cargado que se sirve como image/svg+xml y es renderizado por el navegador de una v\u00edctima."}], "lastModified": "2026-02-23T15:33:59.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mealie:mealie:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F490DF35-C6D7-4182-9B80-E68717E22525", "versionEndExcluding": "3.6.0", "versionStartIncluding": "3.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}