12 matches found
CVE-2026-27892
FacturaScripts Library module stores and serves uploaded images without stripping EXIF/IPTC/XMP metadata, allowing any authenticated user who downloads an image to extract GPS coordinates, device information, timestamps, and other PII embedded in metadata. This is a design-level omission affectin...
PT-2026-40971
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.0 Description: A flaw in the software installer pipeline allows a crafted software package to execute arbitrary commands as root on macOS and Linux, or as SYSTEM on Windows, when an uninstall is triggered. When...
GHSA-Q7F2-RV22-2XGR FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download
Summary: FacturaScripts is an open-source ERP application. A sensitive information disclosure vulnerability was identified in the Library module's image upload and download pipeline. The application fails to strip EXIF and other embedded metadata from user-uploaded image files before storing them...
CVE-2026-40281
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate...
Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)
Vulnerability Details: CWE: CWE-20 - Improper Input Validation. The metadata value sanitization introduced in v8.30.1 commit 405f106 only validates metadata KEYS via safeKeyPattern regex. Metadata VALUES are passed unsanitized to go-exiftool SetString, which writes them as fmt.Fprintln(e.stdin,...
CVE-2026-2457
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID:...
EUVD-2025-31356
Malicious code in bioql PyPI...
EUVD-2023-2262
Malicious code in bioql PyPI...
CVE-2025-57292
CVE-2025-57292 affects Todoist v8484, with a stored cross-site scripting (XSS) flaw in the avatar upload feature. The root cause is improper MIME-type validation and insufficient sanitization of image metadata, enabling script execution through uploaded avatars. Public references from multiple so...
CVE-2025-57292
Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata...
CVE-2021-24126
Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation...
PT-2021-20707 · Glpi +1
Name of the Vulnerable Software and Affected Versions: GLPi version 9.5.4 Description: The issue allows for the insertion of XSS into plugins, enabling the execution of JavaScript code due to the lack of metadata sanitization. Recommendations: For GLPi version 9.5.4, update to a version that...