8/20/2025/3 minutes to read/Tags: CVEs, XSS, Scada-LTS, SVG Bypass
Introduction
What if simply uploading an SVG file could compromise a user’s browser? In this post, I’ll walk you through a stored XSS vulnerability I discovered in Scada-LTS that leverages a file upload bypass to inject and execute JavaScript.
Below you’ll find the technical details, a step-by-step PoC, payloads, impact, and official references.
What is CVE-2025-9145?
The CVE-2025-9145 is a Stored Cross-Site Scripting (XSS) vulnerability triggered through SVG file upload bypass. Unlike traditional input-based XSS, this flaw allows an attacker to upload a malicious SVG containing embedded JavaScript. When rendered by the browser, this script executes automatically, compromising any user who accesses the file.
This type of issue is especially dangerous because it persists on the server and doesn’t require user interaction beyond simply visiting the file’s URL.