Vikunja security vulnerability
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the TaskAttachment.ReadOne function, which only queried attachments based on ID, potentially allowing arbitrary...
CVE-2026-1298
The CVE-2026-1298 entry refers to the WordPress plugin Easy Replace Image (
CVE-2026-0548
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the deleteexistinguserphoto function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, wi...
EUVD-2016-2689
Malware in sbrugna...
EUVD-2018-19384
Malware in sbrugna...
EUVD-2014-5936
Malware in sbrugna...
CVE-2024-9067
The CVE-2024-9067 entry concerns Youzify for WordPress. A missing capability check in the delete_attachment function across versions up to 1.3.0 allows authenticated users with Subscriber+ privileges to modify data by deleting arbitrary attachments. This is a Broken Access Control issue in Youzif...
CVE-2024-3608
The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the productdesignerajaxdeleteattachid function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2024-3608
CVE-2024-3608 affects the Product Designer plugin for WordPress. It enables unauthenticated attackers to delete arbitrary attachments due to a missing capability check in product_designer_ajax_delete_attach_id() in versions up to 1.0.33. The vulnerability status and exact impacted versions are do...
CVE-2024-4274 Essential Real Estate <= 4.4.2 - Insecure Direct Object Reference to Arbitrary Attachment Deletion
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the removepropertyattachmentajax function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and...
JetElements For Elementor < 2.6.13.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Download
Description The JetElements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on an unknown function in all versions up to, and including, 2.6.13. This makes it possible for unauthenticated attackers to download arbitrary attachments...
Cross site request forgery (csrf)
The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...
CVE-2023-0551 REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...
PT-2023-8827 · Nginx +1
Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.4 Description: The issue is related to the lack of protection of the web page structure in Kiwi TCMS, allowing a remote attacker to upload arbitrary attachments to test plans and test cases. Earlier versions of...
Redmine security vulnerability
Redmine is a set of open source Web-based project management and defect tracking tools. The product provides features such as project management, issue tracking and role-based access control. A security vulnerability exists in Redmine version 5.x up to and including version 5.0.4, which stems fr...
Design/Logic Flaw
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks...
Server side request forgery (ssrf)
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request...
CVE-2014-6048
The CVE-2014-6048 flaw affects phpMyFAQ before version 2.8.13, where an attacker can read arbitrary attachments via a direct request due to a missing check on whether an attachment is being requested. Public references describe unauthenticated read access and verify the core issue as improper acc...
CVE-2014-6048
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request...
Code injection
TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php...