From f832ec42ffe193ca41f43e4930b7e0fa1d2ae870 Mon Sep 17 00:00:00 2001
From: nullPointerExcepTed
Date: Fri, 6 Feb 2026 12:36:35 +0800
Subject: [PATCH] Update GHSA-cm59-8rmv-f2cj.json
---
 .../2024/10/GHSA-cm59-8rmv-f2cj/GHSA-cm59-8rmv-f2cj.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2024/10/GHSA-cm59-8rmv-f2cj/GHSA-cm59-8rmv-f2cj.json b/advisories/github-reviewed/2024/10/GHSA-cm59-8rmv-f2cj/GHSA-cm59-8rmv-f2cj.json
index 14b81f303778c..b43d34463ef01 100644
--- a/advisories/github-reviewed/2024/10/GHSA-cm59-8rmv-f2cj/GHSA-cm59-8rmv-f2cj.json
+++ b/advisories/github-reviewed/2024/10/GHSA-cm59-8rmv-f2cj/GHSA-cm59-8rmv-f2cj.json
@@ -7,7 +7,7 @@
 "CVE-2024-6581"
 ],
 "summary": "Lollms vulnerable to Cross-site Scripting",
- "details": "A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.",
+ "details": "A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2024-5125. This vulnerability exists due to incomplete filtering in `sanitize_svg()`, which was partially patched in CVE-2024-5125(https://github.com/advisories/GHSA-8p2m-96j6-h5p5). The earlier fix only addressed `