GSSA-2026-04-XJKMV4 | 2026-04-25 | 6.1 Medium
Permissive file upload filter accepts SVG enabling stored XSS in cobc-events
The multer fileFilter in cobc-events <1.0.1 used the regex `^(image|video|application/pdf)`, which matches `image/svg+xml` and any `video/*` MIME type. SVG uploads enable stored XSS when later served from the application origin.
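To show why the start-anchored regex is too permissive, here is an added example (not code from cobc-events or its fix) that runs the advisory's filter and an explicit full-MIME-type allowlist side by side over constructed content types; the allowlist contents and the `decide` helper are my assumptions, and multer's `fileFilter(req, file, cb)` calling convention is stood in for without the library.

```javascript
// Added example, not from cobc-events. Stand-in for a multer fileFilter:
// multer calls fileFilter(req, file, cb) with file.mimetype taken from the
// client-supplied Content-Type of the multipart part, and the filter answers
// cb(null, true) to accept, cb(null, false) to skip, or cb(err) to fail.

// Permissive filter as described in the advisory: anchored only at the start,
// so every "image/*" (including image/svg+xml) and every "video/*" passes.
const PERMISSIVE_RE = /^(image|video|application\/pdf)/;
function permissiveFileFilter(req, file, cb) {
  cb(null, PERMISSIVE_RE.test(file.mimetype));
}

// Hardened filter (example mitigation, not the project's own fix): exact match
// against an allowlist of full MIME types, with image/svg+xml deliberately absent.
// Note that file.mimetype is client-controlled, so an allowlist is necessary but
// should be paired with server-side content checks and a safe serving policy.
const ALLOWED_MIME = new Set([
  'image/png',
  'image/jpeg',
  'image/gif',
  'image/webp',
  'video/mp4',
  'video/webm',
  'application/pdf',
]);
function allowlistFileFilter(req, file, cb) {
  const ok = ALLOWED_MIME.has(file.mimetype);
  cb(ok ? null : new Error(`unsupported media type: ${file.mimetype}`), ok);
}

// Runs a filter the way multer would and returns whether the file is accepted.
function decide(filter, mimetype) {
  let accepted = false;
  filter({}, { mimetype, originalname: 'upload' }, (err, ok) => {
    accepted = !err && ok === true;
  });
  return accepted;
}

// Constructed sample of client-supplied content types.
const SAMPLES = ['image/png', 'image/svg+xml', 'video/x-matroska', 'application/pdf', 'text/html'];
for (const m of SAMPLES) {
  console.log(m.padEnd(18), 'permissive:', decide(permissiveFileFilter, m),
              'allowlist:', decide(allowlistFileFilter, m));
}
```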