CVE-2026-40867
Horilla CVE-2026-40867 affects Horilla HRMS (version 1.5.0). A broken access control flaw in the helpdesk attachment viewer lets any authenticated user view attachments from other tickets by altering the attachment ID, exposing sensitive support files and internal documents across unrelated users...
CVE-2026-2899
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via...
PT-2026-23130
Name of the Vulnerable Software and Affected Versions Fluent Forms Pro Add On Pack versions up to and including 6.1.17 Description The Fluent Forms Pro Add On Pack plugin for WordPress has a missing authorization issue. The deleteFile method within the Uploader class does not properly verify nonc...
EUVD-2020-18803
Malware in sbrugna...
EUVD-2025-7108
Malicious code in bioql PyPI...
CVE-2023-6737
The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXELDEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-13695
CVE-2024-13695 : The Enfold WordPress theme (versions up to and including 6.0.9) is vulnerable to Server-Side Request Forgery via the attachment_id parameter. Exploitation requires authenticated access at Subscriber level or higher, enabling web requests originating from the vulnerable instance t...
CVE-2024-13695 Enfold <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id
The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachmentid' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
WordPress plugin Enfold code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code issue...
WordPress Enfold theme <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id vulnerability
Authenticated Subscriber+ Server-Side Request Forgery via attachmentid vulnerability discovered by mikemyers in WordPress Theme Enfold versions <= 6.0.9...
PT-2024-15068 · WordPress · Enable Media Replace
Name of the Vulnerable Software and Affected Versions: Enable Media Replace plugin for WordPress versions up to, and including, 4.1.4 Description: The issue allows for Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping via the SHORTPIXEL DEBUG parameter. Thi...
Enable Media Replace < 4.1.5 - Reflected Cross-Site Scripting
Description The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXELDEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...
CVE-2023-38872
An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment...
CVE-2022-37462
A stored Cross-Site Scripting (XSS) vulnerability in the Chat gadget in Upstream Works Agent Desktop for Cisco Finesse through 4.2.12 and 5.0 allows remote attackers to inject arbitrary web script or HTML via AttachmentId in the file-upload details...
PT-2022-6641 · Cisco · Upstream Works Agent Desktop For Cisco Finesse
Name of the Vulnerable Software and Affected Versions: Upstream Works Agent Desktop for Cisco Finesse versions 4.2.12 and earlier, 5.0 Description: A stored Cross-Site Scripting (XSS) issue in the Chat gadget allows remote attackers to inject arbitrary web script or HTML via the AttachmentId in the...
Tangro Business Workflow authorization issue vulnerability
Tangro Business Workflow is software from the German company Tangro for internal control of the contents of SAP documents and for visually modelling the approval process. A vulnerability exists in Tangro Business Workflow prior to version 1.18.1 due to an authorization issue, which stems from the...
CVE-2019-14793
The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmbdeletefile attachmentid parameter...
Facebook - Private Message (Attachment ID) Vulnerability
Document Title: =============== Facebook - Private Message Attachment ID Vulnerability References: =========== http://www.vulnerability-lab.com/getcontent.php?id=1087 View: http://www.youtube.com/watch?v=azzZ7KDMMKw Release Date: ============= 2013-09-23 Vulnerability Laboratory ID VL-ID:...