16 matches found
CVE-2026-55466
Snipe-IT prior to 8.6.2 is affected. The vulnerability arises because UploadFileRequest sanitizes SVGs only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or ...
CVE-2026-53929 NocoDB: Stored Cross-Site Scripting via Secure Attachment
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stor...
EUVD-2010-2806
Malware in sbrugna...
EUVD-2022-2935
Malicious code in bioql PyPI...
GHSA-774Q-WFCP-VC2Q Moodle Email media URL tokens were not checking for user status
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...
Moodle Email media URL tokens were not checking for user status
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...
CVE-2019-14883
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...
CVE-2019-14883
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...
Description of the security update for Outlook 2016: January 8, 2019
Description of the security update for Outlook 2016: January 8, 2019 Summary This security update resolves an information disclosure vulnerability that exists when Microsoft Outlook improperly handles certain types of messages. To learn more about the information disclosure vulnerability, see...
CVE-2014-9271
Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...
Cross site scripting
Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...
CVE-2014-9271
Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...
CVE-2014-9271
Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...
Cross site scripting
Cross-site scripting XSS vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments...
CVE-2010-2802
Cross-site scripting XSS vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments...
DEBIAN-CVE-2006-1045
The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP...