Lucene search
K

6422 matches found

EUVD
EUVD
added yesterday4 views

EUVD-2026-43313

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload tha...

6.5CVSS6.1AI score0.00235EPSS
Exploits0References2
NVD
NVD
added yesterday4 views

CVE-2026-6850

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload tha...

6.5CVSS0.00235EPSS
Exploits0References1
CVE
CVE
added yesterday11 views

CVE-2026-6850

Mattermost is affected (versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x

6.5CVSS6.1AI score0.00235EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added yesterday20 views

CVE-2026-6850 Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload tha...

6.5CVSS0.00235EPSS
Exploits0References1
NVD
NVD
added yesterday5 views

CVE-2026-15530

A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. Th...

6.9CVSS0.00311EPSS
Exploits0References6
Nuclei
Nuclei
added yesterday73 views

WP Attachment Export < 0.2.4 - Unrestricted File Download

The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress powered site. This includes details of even privately published posts and password protected posts with their passwords revealed ...

7.5CVSS7AI score0.08185EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday14 views

Group-Office < 26.0.5 - Remote Code Execution

Group-Office before versions 6.8.150, 25.0.82, and 26.0.5 is vulnerable to remote code execution via OS command injection. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmpfile into an exec call. By injecting shell metacharacters into...

9.4CVSS6.7AI score0.18536EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday54 views

EspoCRM <= 9.3.3 - Server-Side Request Forgery

EspoCRM = 9.3.3 contains an authenticated server-side request forgery caused by improper internal-host validation using alternative IPv4 formats in HostCheck::isNotInternalHost, letting authenticated users access internal resources via /api/v1/Attachment/fromImageUrl endpoint. id: CVE-2026-33534...

4.3CVSS6.1AI score0.01978EPSS
Exploits5References2
Nuclei
Nuclei
added yesterday21 views

Zimbra Collaboration Suite - Cross-site Scripting

Cross-site scripting XSS vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite ZCS before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. id:...

6.1CVSS6.9AI score0.23717EPSS
Exploits2References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-43276

A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. Th...

6.9CVSS5.8AI score0.00311EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added yesterday8 views

CVE-2026-15530

A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. Th...

6.9CVSS5.8AI score0.00311EPSS
Exploits0References6
CVE
CVE
added yesterday7 views

CVE-2026-15530

WuzhiCMS

6.9CVSS5.8AI score0.00311EPSS
Exploits0References6
Cvelist
Cvelist
added yesterday19 views

CVE-2026-15530 WuzhiCMS Attachment API index.php listimage information disclosure

A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. Th...

6.9CVSS0.00311EPSS
Exploits0References6
NVD
NVD
added 3 days ago5 views

CVE-2026-56240

Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the planvalid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates. Attackers can exploit the divergence between the plugin hot-path planvalid expression and the...

5.3CVSS0.00182EPSS
Exploits0References2
NVD
NVD
added 3 days ago7 views

CVE-2026-12126

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.0021EPSS
Exploits0References8
Cvelist
Cvelist
added 3 days ago38 views

CVE-2026-12126 WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment 'post_title'

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.0021EPSS
Exploits0References8
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-43158

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score0.0021EPSS
Exploits0References8
CVE
CVE
added 3 days ago15 views

CVE-2026-12126

CVE-2026-12126 affects the WCFM Marketplace plugin for WordPress (versions

6.4CVSS6.2AI score0.0021EPSS
Exploits0References8
CVE
CVE
added 4 days ago9 views

CVE-2026-48127

Frappe CVE-2026-48127 concerns an attacker could exploit attachment handling to inject arbitrary attachments in Doctypes. Specifically, prior to version 16.20.0 and 15.110.0, users without write access could attach files to any doctype via file-handling endpoints such as add_attachments. The issu...

5.3CVSS6.1AI score0.00369EPSS
Exploits0References9
NVD
NVD
added 4 days ago5 views

CVE-2026-59180

Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py...

3.1CVSS0.00195EPSS
Exploits0References4
Rows per page
Query Builder