CVE-2025-14202

Published: Dec 17, 2025

Modified: Dec 18, 2025

PUBLISHED

Description

A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin’s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover.

Vendor	Product	Versions
Linkding	LinkDing	affected `1.44.1`

Weaknesses (CWE)

CWE-79

References

https://www.cve.org/cverecord?id=CVE-2025-14202

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-14202

Description

Affected Products

Weaknesses (CWE)

References