[Update 29/01/2026] Stored Cross-Site Scripting (XSS) in Sesame web application
Sesametime.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting the Sesame web application, an employee management application. The vulnerability was discovered by Miguel Jiménez Cámara.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41084: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
[Update 29/01/2026] Sesame has implemented corrective measures at both the backend and frontend levels. In addition, previously uploaded files have been reviewed.
Currently, the system completely blocks the upload of SVG files, and existing content has been cleaned up, so the vulnerability is considered fixed.
CVE-2025-41084: stored Cross-Site Scripting (XSS) vulnerability in the Sesame web application, because uploaded SVG images are not properly sanitized. This allows an attacker to embed malicious scripts in SVG files uploaded via a POST request using the 'logo' parameter of '/api/v3/companies/<ID>/logo'; the files are stored on the server, and the script is executed in the context of any user who accesses the compromised resource.
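The corrective measure described above, blocking SVG at the upload endpoint, only holds if the decision is made on the file's content rather than on its extension or declared Content-Type. The following is an added example (not Sesame's code; the endpoint name, function names and sample bytes are constructed for illustration) of a content-based check that allowlists raster logo formats and reports why an SVG document is refused:

```python
"""Content-based rejection of SVG logo uploads (added illustrative example)."""
import re

# An SVG renamed to .png or posted with a false Content-Type still starts with
# optional XML prolog, comments or doctype followed by an <svg> element.
_SVG_HEAD = re.compile(
    rb"^(?:\s*(?:<\?xml[^>]*\?>|<!--.*?-->|<!doctype[^>]*>))*\s*<svg\b",
    re.IGNORECASE | re.DOTALL,
)
# Allowlisted raster formats and their leading (magic) bytes.
_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image(data: bytes) -> str:
    """Return the media type derived from the bytes: an allowlisted raster type,
    'image/svg+xml' for anything that looks like an SVG document, else 'unknown'."""
    for mime, magics in _MAGIC.items():
        if data.startswith(magics):
            return mime
    body = data[3:] if data.startswith(b"\xef\xbb\xbf") else data  # drop UTF-8 BOM
    if _SVG_HEAD.match(body[:4096]):
        return "image/svg+xml"
    return "unknown"


def validate_logo_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Accept a logo only if name, declared type and content all agree on an
    allowlisted raster format. Each check rejects on its own, so renaming the
    file or faking the Content-Type does not get an SVG past the filter."""
    declared = declared_type.split(";")[0].strip().lower()
    if filename.lower().endswith((".svg", ".svgz")):
        return False, "svg extension not allowed"
    if declared == "image/svg+xml":
        return False, "svg content type not allowed"
    actual = sniff_image(data)
    if actual == "image/svg+xml":
        return False, "content is an SVG document"
    if actual == "unknown":
        return False, "content is not an allowlisted raster image"
    if actual != declared:
        return False, f"declared type does not match content ({actual})"
    return True, actual
```

Because the allowlist rejects everything that is not a recognised raster image, an SVG that slips past the `<svg>` heuristic (for example with an unusual doctype internal subset) is still refused, only with a less specific reason.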