PT-2026-35069

pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account displ...

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

DEBIAN-CVE-2023-5631

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcubewashtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code...

TYPO3 跨站脚本漏洞

TYPO3 is a free and open source content management system framework CMS/CMF from the Swiss TYPO3 Association. A cross-site scripting vulnerability exists in TYPO3 that arises from the use of user-submitted content that is not properly encoded in the HTML email sent to the user, and affects the...

CVE-2020-26554

REDDOXX MailDepot 2033 aka 2.3.3022 allows XSS via an incoming HTML e-mail message...

PT-2020-3630 · Roundcube +4 · Roundcube Webmail +4

Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions 1.2.10 and earlier, 1.3.x before 1.3.14, and 1.4.x before 1.4.7 Description: The issue allows for cross-site scripting XSS via a crafted HTML e-mail message. This can be demonstrated by a JavaScript payload in the...

CVE-2016-6845

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a...

SeaMonkey scriptable plugin execution in mail (mfsa2010-06)

The mail component in Mozilla SeaMonkey before 1.1.19 does not properly restrict execution of scriptable plugin content, which allows user-assisted remote attackers to obtain sensitive information via crafted content in an IFRAME element in an HTML e-mail message, as demonstrated by a Flash objec...