CVE-2026-40873
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...
CVE-2026-49103
Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi...
Faction cross-site scripting vulnerability
Faction is an open-source collaborative framework for generating and evaluating penetration reports developed by Faction Security. Versions of Faction prior to 1.8.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of output encoding for attachment file nam...
Faction security vulnerability
Faction is an open-source report generation and evaluation framework developed by Faction Security. Versions of Faction prior to 1.8.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of output encoding for attachment file names during the evaluation file preview...
SUSE CVE-2026-39377
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The...
EUVD-2026-24255
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...
PT-2026-34054
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...
mailcow: dockerized cross-site scripting vulnerability
mailcow: dockerized is a dockerized version of the mailcow open-source application. Versions of mailcow before 2026-03b contained a cross-site scripting vulnerability. This vulnerability stemmed from the fact that the isolated details modal boxes did not escape the attachment file names, allowing...
EUVD-2026-9378
The GINA web interface in SEPPmail Secure Email Gateway before version 15.0.1 does not properly check attachment filenames in GINA-encrypted emails, allowing an attacker to access files on the gateway...
EUVD-2025-205411
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
CVE-2025-62796 PrivateBin persistent HTML injection in attachment filename enables redirect and defacement
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename attachmentname when attachments are enabled. An attacker can modify attachmentname before encryption so that,...
CVE-2025-62796
CVE-2025-62796 concerns PrivateBin, where versions 1.7.7–2.0.1 allow persistent HTML injection via the unsanitized attachment_name when attachments are enabled. An attacker can modify the filename before encryption, causing unescaped HTML to be inserted near the file size hint after decryption, en...
PT-2025-44214
Name of the Vulnerable Software and Affected Versions: PrivateBin versions 1.7.7 through 2.0.1. Description: PrivateBin is an online pastebin designed to ensure the server has no knowledge of pasted data. Versions 1.7.7 through 2.0.1 are susceptible to persistent HTML injection. This occurs through ...
EUVD-2023-26643
Malicious code in bioql PyPI...
aerc security vulnerability
aerc is a library by Robin Jarry (individual developer). A security vulnerability exists in versions prior to aerc 93bec0d, which stems from direct path concatenation of attachment part names that could lead to a directory traversal attack...
CVE-2002-2351
Eudora 5.1 allows remote attackers to bypass security warnings and possibly execute arbitrary code via attachments with names containing a trailing "." dot...
Mattermost Mobile Apps Denial of Service Vulnerability (CNVD-2025-11094)
Mattermost Mobile Apps is a messaging mobile application from Mattermost USA. A denial of service vulnerability exists in Mattermost Mobile Apps that stems from the application failing to properly handle specially crafted attachment names. An attacker could use this vulnerability to cause the...
CVE-2025-0476
Mattermost Mobile Apps versions =2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment...
CVE-2025-0476 Mobile crash via file with specially crafted filename
Mattermost Mobile Apps versions =2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment...