Shimmie 2 2.6.0 allows an attacker to upload a crafted SVG file that enables stored XSS.