197 matches found

CVE
added 2026/05/15 9:28 p.m., 13 views

CVE-2026-45318

CVE-2026-45318 is an Open WebUI stored XSS vulnerability. The root cause is rendering unsanitized HTML produced from Excel/DOCX previews (XLSX.utils.sheet_to_html) via {@html excelHtml} or fileOfficeHtml without DOMPurify. This affects Open WebUI versions prior to 0.9.3, where an attacker-uploade...

CVSS 5.4 | AI score 5.8 | EPSS 0.00209
Exploits: 1 | References: 1 | Affected Software: 1
Github Security Blog
added 2026/05/14 8:18 p.m., 8 views

Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)

Related advisory: This advisory tracks a regression of the original Excel-preview XSS that was publicly disclosed and patched under GHSA-jwf8-pv5p-vhmc, patched in v0.8.0. The same root cause — XLSX.utils.sheet_to_html output rendered via {@html excelHtml} without DOMPurify — was reintroduced sometime...

CVSS 5.4 | AI score 5.8 | EPSS 0.00209
Exploits: 1 | References: 5 | Affected Software: 1
NVD
added 2026/04/07 5:16 p.m., 2 views

CVE-2026-35608

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScrip...

CVSS 6.1 | EPSS 0.00187
Exploits: 1 | References: 2
Cvelist
added 2026/04/07 4:35 p.m., 12 views

CVE-2026-35608 QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScrip...

CVSS 5.3 | EPSS 0.00187
Exploits: 1 | References: 2
EUVD
added 2026/04/07 4:35 p.m., 3 views

EUVD-2026-19784

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScrip...

CVSS 5.3 | AI score 5.9 | EPSS 0.00187
Exploits: 1 | References: 2
ATTACKERKB
added 2026/04/07 4:35 p.m., 2 views

CVE-2026-35608

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScrip...

CVSS 5.3 | AI score 5.9 | EPSS 0.00187
Exploits: 1 | References: 3 | Affected Software: 1
Positive Technologies
added 2026/04/07 12:00 a.m., 2 views

PT-2026-30909

Name of the Vulnerable Software and Affected Versions: QuickDrop versions prior to 1.5.3
Description: QuickDrop, a file sharing application, contains a stored cross-site scripting (XSS) issue in the file preview functionality. The application allows the upload of SVG files via the...

CVSS 5.3 | AI score 5.6 | EPSS 0.00187
Exploits: 1 | References: 5
CNNVD
added 2026/04/07 12:00 a.m., 2 views

QuickDrop cross-site scripting vulnerability

QuickDrop is a self-hosted anonymous file sharing application developed by Rostislav. It supports multipart uploads and encrypted storage. Versions of QuickDrop prior to 1.5.3 had a cross-site scripting vulnerability. This vulnerability stemmed from a stored cross-site scripting flaw in...

CVSS 6.1 | AI score 5.6 | EPSS 0.00187
Exploits: 1 | References: 2
CVE
added 2026/03/06 4:33 p.m., 11 views

CVE-2026-29082

Kestra, an event-driven orchestration platform, has a Stored XSS risk in versions 1.1.10 and earlier due to the execution-file preview rendering user-supplied Markdown with markdown-it (html: true) and injecting the HTML via Vue's v-html without sanitisation. This can allow an attacker to inject ...

CVSS 7.3 | AI score 5.8 | EPSS 0.00232
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2026/02/20 2:33 a.m., 23 views

CVE-2026-26993 Flare has XSS vulnerability in Raw File Preview

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVSS 4.6 | EPSS 0.0028
Exploits: 1 | References: 3
Vulnrichment
added 2026/02/20 2:33 a.m., 3 views

CVE-2026-26993 Flare has XSS vulnerability in Raw File Preview

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVSS 4.6 | AI score 5.6 | EPSS 0.0028
Exploits: 1 | References: 3
OSV
added 2026/02/20 2:33 a.m., 4 views

CVE-2026-26993 Flare has XSS vulnerability in Raw File Preview

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVSS 4.6 | AI score 5.7 | EPSS 0.0028
Exploits: 1 | References: 5
NVD
added 2026/02/16 2:16 p.m., 5 views

CVE-2026-2560

A vulnerability has been found in kalcaddle kodbox up to 1.64.05. The impacted element is the function run of the file plugins/fileThumb/lib/VideoResize.class.php of the component Media File Preview Plugin. Such manipulation of the argument localFile leads to os command injection. The attack can ...

CVSS 6.5 | EPSS 0.01398
Exploits: 0 | References: 5
Cvelist
added 2026/02/16 2:02 p.m., 31 views

CVE-2026-2560 kalcaddle kodbox Media File Preview Plugin VideoResize.class.php run os command injection

A vulnerability has been found in kalcaddle kodbox up to 1.64.05. The impacted element is the function run of the file plugins/fileThumb/lib/VideoResize.class.php of the component Media File Preview Plugin. Such manipulation of the argument localFile leads to os command injection. The attack can ...

CVSS 6.5 | EPSS 0.01398
Exploits: 0 | References: 5
Vulnrichment
added 2026/02/16 2:02 p.m., 5 views

CVE-2026-2560 kalcaddle kodbox Media File Preview Plugin VideoResize.class.php run os command injection

A vulnerability has been found in kalcaddle kodbox up to 1.64.05. The impacted element is the function run of the file plugins/fileThumb/lib/VideoResize.class.php of the component Media File Preview Plugin. Such manipulation of the argument localFile leads to os command injection. The attack can ...

CVSS 6.5 | AI score 5.4 | EPSS 0.01398
Exploits: 0 | References: 5
CNNVD
added 2026/02/16 12:00 a.m., 5 views

kodbox operating system command injection vulnerability

Kodbox is a network file manager developed by the individual developer Warlee. Versions of Kodbox 1.64.05 and earlier had a vulnerability related to operating system command injection. This vulnerability stemmed from improper handling of the localFile parameter in the run function of the Media...

CVSS 6.5 | AI score 6.6 | EPSS 0.01398
Exploits: 0 | References: 5
SUSE CVE
added 2025/11/09 2:28 a.m., 2 views

SUSE CVE-2016-11063

An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview...

CVSS 6.1 | AI score 6.5 | EPSS 0.00685
Exploits: 0 | References: 2
OSV
added 2025/10/30 3:02 p.m., 3 views

GO-2025-4045 Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server

Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server...

CVSS 6.1 | AI score 6.7 | EPSS 0.00685
Exploits: 0 | References: 5
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-5599

Malware in sbrugna...

CVSS 6.5 | AI score 6.4 | EPSS 0.00813
Exploits: 0 | References: 4
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2016-2052

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00685
Exploits: 0 | References: 2