12 matches found
CVE-2026-34212
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...
CVE-2026-34212 Docmost page content has stored XSS via unsanitized attachment URLs
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...
CVE-2026-34212 Docmost page content has stored XSS via unsanitized attachment URLs
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...
CVE-2026-34212
CVE-2026-34212 affects Docmost before 0.71.0. The issue is improper neutralization of attachment URLs in page content, allowing a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node. When another user views the page and activates the attachment link/ic...
Docmost Cross-Site Scripting Vulnerability
Docmost is an open-source collaborative wiki and documentation software developed by Docmost. Versions of Docmost prior to 0.71.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of attachment URLs, which could allow low-privilege authenticated use...
EUVD-2026-11751
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary...
CVE-2026-30844
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...
Directory Traversal
Overview: xml2rfc generates RFCs and IETF drafts from document source in XML according to the IETF xml2rfc v2 and v3 vocabularies. Affected versions of this package are vulnerable to Directory Traversal via the processing of link elements with rel="attachment" in prepped RFCXML files...
Nextcloud Security Vulnerability
Nextcloud is an open source, self-hosted file synchronization, sharing and communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud Calendar, which can be exploited by an authenticated attacker to create attachments that link to other websites v...
Apache Allura Security Vulnerability
Apache Allura is an open source project hosting platform of the U.S. Apache Foundation. The platform supports the management of source code repositories, bug reports, wiki pages and blogs. A security vulnerability exists in Apache Allura versions 1.0.1 through 1.15.0, which stems fro...
CVE-2020-1493
An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users. To exploit this vulnerability, an...
Zimbra Collaboration Suite 8.7.11_GA_1854 Cross Site Scripting
Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links. Stephan Kaag, January 2018...