Cross-Site Scripting (XSS) stored in Taclia's web application

Posted date 24/11/2025
Identifier
INCIBE-2025-0660
Importance
3 - Medium
Affected Resources

Taclia's web application.

Description

INCIBE has coordinated the publication of 1 medium-severity vulnerability that affects the web application of Taclia, a website for the management of SMEs and freelancers. This vulnerability was discovered by Miguel Jiménez Cámara.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41087: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The vulnerability has been fixed by the Taclia team in the latest version.

Detail

CVE-2025-41087: Stored Cross-Site Scripting (XSS) vulnerability in the Taclia web application, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files, such as profile images, which are then stored on the server and executed in the context of any user who accesses the compromised resource.

CVE
Exploitation
No
New vendor
Taclia
CVE identifier
CVE-2025-41087
Severity
Medium