{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T12:01:19.446","vulnerabilities":[{"cve":{"id":"CVE-2024-51492","sourceIdentifier":"security-advisories@github.com","published":"2024-11-01T17:15:18.930","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user’s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user’s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn’t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability."},{"lang":"es","value":"Zusam is a free and open-source way to self-host private forums. Before version 0.5.6, specially crafted SVG files uploaded to the service as images allowed unrestricted script execution on (raw) image load. With certain payloads, theft of the target user's long-lived session token is possible. Note that, at the time of writing, Zusam uses a user's static API key as its long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, as long as the user does not expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.3}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/zusam/zusam/commit/5930fdf86fa4abed01f0b345c8ec3c443656db9a","source":"security-advisories@github.com"},{"url":"https://github.com/zusam/zusam/releases/tag/0.5.6","source":"security-advisories@github.com"},{"url":"https://github.com/zusam/zusam/security/advisories/GHSA-96fx-5rqv-jfxh","source":"security-advisories@github.com"},{"url":"https://pfeister.dev/CVE-2024-51492","source":"security-advisories@github.com"}]}}]}