PT-2026-37349

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...

SUSE CVE-2025-59031

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via disclosure of the link share hash combined with an insecure direct object reference in attachment handling. An attacker can access sensitive data across the entire instance by chainin...

CVE-2026-0777

Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open ...

CVE-2026-0777 Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability

Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open ...

CVE-2026-0777 Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability

Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open ...

CVE-2026-0777

The CVE-2026-0777 entry is linked to a concrete vulnerability in Xmind related to attachment handling. The ZDI advisory describes a remote code execution vulnerability in affected Xmind installations that can be exploited when a user opens a malicious attachment or visits a page delivering a craf...

(0Day) Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of attachments...

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Summary A stored Cross-site Scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because...

GHSA-Q5C6-H22R-QPWR NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Summary A stored Cross-site Scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because...

CVE-2026-24769 NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

CVE-2026-24769

NocoDB (the spreadsheet-like database tool) has a stored XSS vulnerability in its attachment handling. Prior to version 0.301.0, authenticated users can upload SVGs containing JavaScript which are stored server-side and later rendered inline, executing in other users’ browsers. Root cause identif...

CVE-2026-24769 NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

EUVD-2026-4868

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

NocoDB code-related vulnerabilities

NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.0 have code vulnerabilities; these vulnerabilities stem from an attachment handling mechanism that contai...

CVE-2025-65319

When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software...

CVE-2025-65318

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software...

CVE-2025-65319

CVE-2025-65319 affects Blue Mail

EUVD-2018-10860

Malware in sbrugna...

MindManager Attachment Insufficient UI Warning Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of MindManager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...