CVE-2026-58052

Technical details are not publicly available in the provided documents; monitor for updates.

EUVD-2026-39972

7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched...

PT-2026-34011

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization a...

curl: lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)

Summary: settransferurl in lib/http2.c validates the :scheme pseudo-header of PUSHPROMISE frames only when !viasslconn — a guard added by commit 2e8c922a to block non-TLS connections from accepting TLS-scheme pushes. The symmetric case was not addressed: over TLS, viasslconn is TRUE, the guard at...

CVE-2026-30821

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on th...

CVE-2026-2634 Spoofed web content presented under trusted domains using scripted navigation on Firefox iOS

Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4...

PT-2026-21830

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS...

CVE-2020-36891

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVE-2020-36891

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVE-2020-36891

CVE-2020-36891 describes a stored XSS in Kentico Xperience caused by uploading files with spoofed Content-Type that does not match file extensions. The vulnerability targets the file-upload handling and can allow malicious scripts to execute in users’ browsers. Connected sources provide generic r...

CVE-2020-36891 Kentico Xperience <= 12.0.49 File Upload Stored XSS

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVE-2020-36891 Kentico Xperience <= 12.0.49 File Upload Stored XSS

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

EUVD-2009-3956

Malware in sbrugna...

EUVD-2022-41055

Malicious code in bioql PyPI...

EUVD-2024-24348

Malicious code in bioql PyPI...

CVE-2024-52278

...

CVE-2024-27092 Content spoofing - real Hoppscotch emails

Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label Edit Team - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload external link is presented in clickable form - easier to achieve own goals by malicious actors. This iss...

F-secure Safe 安全漏洞

F-secure F-Secure SAFE is a suite of antivirus software from the Finnish company F-Secure F-secure. A security vulnerability exists in F-secure Safe Browser that stems from a flaw in the product implementation. When a user clicks on a malicious link, the browser address bar displays a legitimate...

Mail.ru: HTML injection in an email [delivery.city-mobil.ru]

It was possible to inject spoofed HTML content into delivery.city-mobil.ru registration e-mail message via forged user name...

Spoofed Content Association

Mozilla Firefox allows spoofed content association. A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid address. If a user visits an attacker-controlled web page that results in a blank page, the attacker could inject content into that blank page, possib...