VYPR
Moderate severity · NVD Advisory · Published Jul 8, 2022 · Updated Aug 3, 2024

CVE-2022-32115

Description

Known v1.2.2+2020061101's isSVG() function lacks proper input validation, enabling arbitrary code execution via a crafted SVG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code by uploading a specially crafted SVG file [1][2]. The root cause is insufficient validation of SVG file content during upload: the check neither sanitizes nor restricts executable code embedded in the SVG.

Exploitation Conditions

To exploit this vulnerability, an attacker needs the ability to upload an SVG file to a Known instance. No prior authentication is explicitly required if the application allows unauthenticated file uploads, though in typical configurations the attacker may need a user account with upload permissions. The crafted SVG can contain JavaScript or other embedded payloads that are interpreted or executed by the server or client [2].

Impact

Successful exploitation can lead to arbitrary code execution, potentially allowing the attacker to compromise the server, steal sensitive data, or perform actions on behalf of other users. Known is a social publishing platform used by groups and individuals, making this a significant risk for sites accepting user-uploaded media [2][4].

Mitigation Status

As of the publication date, Known v1.2.2+2020061101 is affected. The vendor had not released a public patch at the time of this CVE's publication. Users should restrict file upload capabilities and apply strict input validation, or disable SVG uploads, until an update is available. The vulnerability is not known to be on the CISA KEV list as of the latest update.
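A hardened form of the upload-time validation the mitigation paragraph calls for, added here as an example; it is not Known's code and not the project's fix. It assumes PHP with the DOM extension; the function names (containsRawScriptMarkers, svgHasActiveContent, isSafeSvg) and the sample SVG strings are constructed for illustration.

```php
<?php
// Added example, not Known's code or the advisory's fix. Assumes PHP with the DOM
// extension and that the upload handler already has the file contents as a string.

// Layer 1: byte-level markers. Results are compared with `!== false`, so a needle
// found at offset 0 (a file that starts with "<script") is not mistaken for "absent".
// "<?" is rejected unless it begins the XML declaration, so well-formed SVGs still pass.
function containsRawScriptMarkers(string $contents): bool
{
    return stripos($contents, '<script') !== false
        || preg_match('/<\?(?!xml\b)/i', $contents) === 1;
}

// Layer 2: parse the document and reject script elements, on* event-handler
// attributes and javascript: URIs, which a substring check alone does not catch.
function svgHasActiveContent(string $contents): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($contents, LIBXML_NONET); // never fetch external resources
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return true; // unparseable input is rejected, not trusted
    }
    foreach ((new DOMXPath($doc))->query('//*') as $el) {
        if (strtolower($el->localName) === 'script') {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (strncasecmp($attr->localName, 'on', 2) === 0) {
                return true; // onload=, onclick=, ...
            }
            if (preg_match('/^\s*javascript:/i', $attr->value) === 1) {
                return true; // href="javascript:..."
            }
        }
    }
    return false;
}

function isSafeSvg(string $contents): bool
{
    return !containsRawScriptMarkers($contents) && !svgHasActiveContent($contents);
}

// Constructed samples, not taken from the advisory.
$benign      = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
$withScript  = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* sample */</script></svg>';
$withHandler = '<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><rect width="1" height="1"/></svg>';
var_dump(isSafeSvg($benign), isSafeSvg($withScript), isSafeSvg($withHandler));
```

Only the benign sample passes both layers; rejecting anything the parser cannot load is deliberate, since a file the server cannot parse is not one it should serve as an image.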

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
idno/known (Packagist)   <= 1.3.1            (none listed)

Patches (1)

80b716a8392f

Checking for script tags in GIFs etc (#3017)

https://github.com/idno/known · Ben Werdmuller · Nov 18, 2021 · via ghsa
1 file changed · +14 -0
  • Idno/Entities/File.php  +14 -0  modified
    @@ -285,6 +285,20 @@ public static function isImage($file_path)
                 return false;
             }
     
    +        /**
    +         * Detects whether the file contains PHP or script tags, eg to check for embedded code in GIFs
    +         * @param $file_path
    +         * @return bool
    +         */
    +        public static function isFileFreeFromScriptTags($file_path)
    +        {
    +            if ($contents = file_get_contents($file_path)) {
    +                if (stripos($contents, '<script') || strpos($contents, '<?')) return false;
    +                return true;
    +            }
    +            return false;
    +        }
    +
             /**
              * Retrieve a file by ID
              *
    
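Review bot: The boolean test in isFileFreeFromScriptTags is wrong at offset 0: stripos() and strpos() return 0 when the needle is found at the very start of the file, and 0 is falsy in PHP, so a file that begins with `<script` or `<?` is reported as free of script tags. Compare against false explicitly, e.g. `if (stripos($contents, '<script') !== false || strpos($contents, '<?') !== false) return false;`. Two further points: the bare `<?` needle also matches the `<?xml` declaration that well-formed SVG files start with, so legitimate SVGs are rejected whenever that declaration is not the first byte (and slip through when it is, because of the bug above), so the needle should be narrowed to PHP open tags; and this hunk only adds the helper, with nothing in the diff calling it from isImage() or the upload path, so either the call site belongs in this commit or the message should say it lands separately. Substring matching also does not cover SVG event-handler attributes or external references, so this is a first filter, not complete SVG sanitisation.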

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
