5.1
Sync-in Server: Malicious SVG files can steal user data
CVE-2025-67438
GHSA-9jmq-xgjm-p8c2
Summary
An attacker can upload a malicious SVG file to Sync-in Server, allowing them to steal sensitive user data, including login cookies. This can happen when a victim opens a manipulated SVG file from the server. Users should update to Sync-in Server version 1.9.3 or later to prevent this attack.
What to do
- Update Sync-in Server to version 1.9.3 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sync-in | server | <= 1.9.3 | 1.9.3 |
Original title
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
Original description
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.
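Two defensive controls that address the class of issue described above (a stored SVG rendered by the victim's browser with the site's session cookies): flagging SVG uploads that carry active content, and serving stored SVG with headers that prevent it from executing in the application's origin. This is an added example written for this advisory, not Sync-in Server's own code; the function names, the header set and the sample SVG strings are assumptions constructed for illustration.

```javascript
// Added example (not Sync-in Server's own code): defensive handling of
// user-uploaded SVG so a stored payload cannot run with the viewer's cookies.

// 1. Flag SVG content that carries active content. A regex scan is a coarse
//    filter suited to an upload hook or a log-based audit; a full XML parse
//    with an element/attribute allow-list (e.g. DOMPurify) is the stronger
//    option for actually sanitizing the file before it is stored.
const ACTIVE_CONTENT = [
  /<script[\s>]/i,                 // inline <script> elements
  /\son[a-z]+\s*=/i,               // event handler attributes (onload, onclick, ...)
  /javascript\s*:/i,               // javascript: URLs in href / xlink:href
  /<foreignObject[\s>]/i,          // embedded HTML inside SVG
  /<iframe[\s>]/i, /<embed[\s>]/i, /<object[\s>]/i,
];

function findActiveSvgContent(svgText) {
  // Returns the source of every pattern that matched; empty array = nothing found.
  return ACTIVE_CONTENT.filter((re) => re.test(svgText)).map((re) => re.source);
}

// 2. Response headers for serving a stored SVG: force a download instead of
//    rendering it as a document, forbid script execution and same-origin
//    access if it is rendered anyway (CSP sandbox), and stop MIME sniffing.
function safeSvgResponseHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, "_"); // no header injection via name
  return {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed samples (not the advisory's actual payload): a benign icon and
// one that carries an event-handler attribute, which the scan must flag.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const SUSPICIOUS_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="doSomething()"><circle r="4"/></svg>';

console.log("benign:", findActiveSvgContent(BENIGN_SVG));         // []
console.log("suspicious:", findActiveSvgContent(SUSPICIOUS_SVG)); // one match
console.log(safeSvgResponseHeaders("team logo.svg"));
```

The header set is what a file server should apply to any user-controlled SVG it serves; the scan is an additional upload-time or retrospective check, not a replacement for a proper sanitizer.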
nvd CVSS3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 20 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026