(besides, I don't want to reopen a debate if it has already been discussed during days/weeks/months/years, but shouldn't SVG be allowed by default in the Media Manager?)

SVGs are safe if used trough a URL. They became suspicious (not necessarily bad) if they re about to be used inline. The thing that SVGs by default are a security threat is a myth. Also for Joomla that is using only PHP on the server side any js/css security flaws are not valid, these will only occur in the client and XSS is quite common in almost all Joomla extensions (even in the core).

these will only occur in the client and XSS is quite common in almost all Joomla extensions

… and if those XSS issues occur in the context of an admin user, they become a real threat to the site itself as the scripts performs actions with the permissions of that admin user. So, XSS is not only an annoying client-side thing, but a real issue.

Apparently it is the comment in the svg which triggers the upload failure:
<!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->

So, XSS is not only an annoying client-side thing, but a real issue.

Then you have quite a few real issues. Let me know if you want me to make a list of all the XSS I've already spotted...

Apparently it is the comment in the svg which triggers the upload failure: <!--! Font Awesome Pro 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2022 Fonticons, Inc. -->

I can confirm.
Should the security system be corrected? Or can it be really dangerous to use comments like that in an SVG?
Our designer, when she creates original SVG, puts a comment with her copyright, similar to this...

Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly

I tested three svg

1. fontawesome - failed to upload
2. test svg containing xss exploited - uploaded without problem
3. test svg with ssrf explot - uploaded without problem

Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly

I tested three svg

1. fontawesome - failed to upload
2. test svg containing xss exploited - uploaded without problem
3. test svg with ssrf explot - uploaded without problem

Hmm, sounds like a true and false was mixed up somewhere … upload if bad SVG, block if good SVG.

Maybe the svg sanitize script is not as good as it thinks or it has been implemented wrongly

I tested three svg

1. fontawesome - failed to upload

2. test svg containing xss exploited - uploaded without problem

3. test svg with ssrf explot - uploaded without problem

Would you mind attaching the svgs here?

I've zipped the 4 samples to avoid any mangling by github.
1, 3 & 4 were found online as test images
2 was downloaded from fontawesome

After adding svg to the supported mime types etc and trying to upload all 4 images the results were

bad1 - uploaded
bad2 - rejected
bad3 - uploaded
bad4 - rejected

svg.zip

Please test #37703