57 matches found

Cvelist
added 5 days ago, 28 views

CVE-2026-49246 Jellyfin: Potential MKV attachment filename path traversal to RCE

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a specifically crafted MKV file containing forged filename tags can be leveraged to exploit missing path sanitization during playback. Jellyfin treats the MKV file name tag on MKV attachments as trusted and passes it...

CVSS 6.3, EPSS 0.00258
Exploits: 0, References: 1

RedhatCVE
added 2026/06/05 7:19 p.m., 8 views

CVE-2026-49103

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi...

CVSS 9.4, AI score 5.4, EPSS 0.00303
Exploits: 0, References: 1

NVD
added 2026/05/27 3:16 p.m., 11 views

CVE-2026-49103

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi...

CVSS 9.4, EPSS 0.00303
Exploits: 0, References: 2

CVE
added 2026/04/06 4:10 p.m., 9 views

CVE-2026-34975

The CVE describes a CRLF header injection vulnerability in Plunk’s SESService.ts prior to version 0.8.0. An authenticated API user could inject arbitrary email headers (e.g., Bcc, Reply-To) by embedding CRLF characters in from.name, subject, custom header keys/values, or attachment filenames, bec...

CVSS 8.5, AI score 6.1, EPSS 0.00194
Exploits: 2, References: 1, Affected Software: 1

OSV
added 2026/03/05 12:16 a.m., 6 views

GHSA-389R-RCCM-H3H5 eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write

Summary The official example script examples/recursivelyextractattachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without...

CVSS 5.5, AI score 6.2, EPSS 0.00237
Exploits: 1, References: 5

OSV
added 2025/10/28 8:47 p.m., 4 views

CVE-2025-62796 PrivateBin persistent HTML injection in attachment filename enables redirect and defacement

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename attachmentname when attachments are enabled. An attacker can modify attachmentname before encryption so that,...

CVSS 5.8, AI score 7.3, EPSS 0.00277
Exploits: 0, References: 5

RedhatCVE
added 2025/10/24 7:26 p.m., 7 views

CVE-2025-62255

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 6.1, AI score 5.9, EPSS 0.00192
Exploits: 0, References: 1

GitHub Security Blog
added 2025/10/23 9:31 p.m., 5 views

Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 6.1, AI score 6, EPSS 0.00192
Exploits: 0, References: 5, Affected Software: 1

EUVD
added 2025/10/23 9:31 p.m., 4 views

EUVD-2025-35729

Liferay Portal Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page...

CVSS 2, AI score 5.6, EPSS 0.00192
Exploits: 0, References: 4

Snyk
added 2025/10/23 9:31 p.m., 3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the "edit Knowledge Base" article page. An attacker can execute arbitrary web scripts or HTML by injecting a crafted payload into an attachment's filename. Details Cross-site scripting or XSS is a code...

CVSS 6.1, AI score 5.3, EPSS 0.00192
Exploits: 0, References: 2

OSV
added 2025/10/23 9:31 p.m., 8 views

GHSA-GCCF-R9XP-X8JX Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 2, AI score 6, EPSS 0.00192
Exploits: 0, References: 5

NVD
added 2025/10/23 7:15 p.m., 5 views

CVE-2025-62255

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 6.1, EPSS 0.00192
Exploits: 0, References: 1

OSV
added 2025/10/23 7:15 p.m., 3 views

CVE-2025-62255

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 6.1, AI score 5.8, EPSS 0.00192
Exploits: 0, References: 1

CVE
added 2025/10/23 6:47 p.m., 14 views

CVE-2025-62255

The CVE-2025-62255 entry describes a Self Cross-site Scripting (XSS) vulnerability in Liferay Portal 7.4.0–7.4.3.101 and Liferay DXP 2023.Q3.1–2023.Q3.5, plus 7.4 GA through update 92 and older unsupported versions. The root cause is improper handling of crafted payloads in an attachment filename...

CVSS 6.1, AI score 5.5, EPSS 0.00192
Exploits: 0, References: 1, Affected Software: 2

Cvelist
added 2025/10/23 6:47 p.m., 6 views

CVE-2025-62255

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 2, EPSS 0.00192
Exploits: 0, References: 1

Vulnrichment
added 2025/10/23 6:47 p.m., 3 views

CVE-2025-62255

Self Cross-site scripting XSS vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject...

CVSS 2, AI score 5.5, EPSS 0.00192
Exploits: 0, References: 1

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2013-3306

Malware in sbrugna...

CVSS 4.3, AI score 8.6, EPSS 0.02069
Exploits: 0, References: 11

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-28698

Malicious code in bioql PyPI...

CVSS 8.1, AI score 6.5, EPSS 0.01103
Exploits: 0, References: 1

Tenable Nessus
added 2025/08/18 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2023-29401

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header...

CVSS 4.3, AI score 6.1, EPSS 0.00482
Exploits: 2, References: 3

CVE
added 2025/06/26 12:22 p.m., 37 views

CVE-2025-5966

CVE-2025-5966 affects Zohocorp ManageEngine Exchange Reporter Plus versions 5722 and earlier. The vulnerability is a Stored XSS in the Attachments by filename keyword report, enabling script execution when a crafted filename is processed by the report feature. The issue is confirmed across multip...

CVSS 8.1, AI score 6.4, EPSS 0.01103
Exploits: 0, References: 1, Affected Software: 1