
43 matches found

NVD
added 5 days ago, 9 views

CVE-2026-8811

SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations...

CVSS 7.1, EPSS 0.00394
Exploits 0, References 1
RedhatCVE
added 2026/06/05 7:13 p.m., 6 views

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVSS 8.9, AI score 5.6, EPSS 0.00325
Exploits 0, References 1
Vulnrichment
added 2026/05/27 2:37 p.m., 8 views

CVE-2026-49103

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi...

CVSS 9.4, AI score 5.8, EPSS 0.00303
Exploits 0, References 2
CNNVD
added 2026/05/26 12:00 a.m., 6 views

Faction cross-site scripting vulnerability

Faction is an open-source collaborative framework for generating and evaluating penetration reports developed by Faction Security. Versions of Faction prior to 1.8.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of output encoding for attachment file nam...

CVSS 8.7, AI score 5.7, EPSS 0.00211
Exploits 0, References 3
CNNVD
added 2026/05/26 12:00 a.m., 9 views

Faction security vulnerability

Faction is an open-source report generation and evaluation framework developed by Faction Security. Versions of Faction prior to 1.8.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of output encoding for attachment file names during the evaluation file preview...

CVSS 8.7, AI score 5.7, EPSS 0.00211
Exploits 0, References 2
SUSE CVE
added 2026/04/22 1:37 a.m., 5 views

SUSE CVE-2026-39377

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The...

CVSS 6.5, AI score 5.9, EPSS 0.00266
Exploits 0, References 3
NVD
added 2026/04/21 8:17 p.m., 4 views

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVSS 8.9, EPSS 0.00325
Exploits 0, References 1
EUVD
added 2026/04/21 7:15 p.m., 5 views

EUVD-2026-24255

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVSS 8.9, AI score 5.9, EPSS 0.00325
Exploits 0, References 1
Positive Technologies
added 2026/04/21 12:00 a.m., 10 views

PT-2026-34054

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

CVSS 8.9, AI score 5.9, EPSS 0.00325
Exploits 0, References 2
CNNVD
added 2026/04/21 12:00 a.m., 7 views

mailcow: dockerized cross-site scripting vulnerability

mailcow: dockerized is a dockerized version of the mailcow open-source application. Versions of mailcow before 2026-03b contained a cross-site scripting vulnerability. This vulnerability stemmed from the fact that the isolated details modal boxes did not escape the attachment file names, allowing...

CVSS 8.9, AI score 5.9, EPSS 0.00325
Exploits 0, References 1
EUVD
added 2026/03/04 9:31 a.m., 4 views

EUVD-2026-9378

The GINA web interface in SEPPmail Secure Email Gateway before version 15.0.1 does not properly check attachment filenames in GINA-encrypted emails, allowing an attacker to access files on the gateway...

CVSS 9.3, AI score 6, EPSS 0.0042
Exploits 0, References 2
EUVD
added 2025/12/26 2:03 a.m., 4 views

EUVD-2025-205411

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...

CVSS 8.2, AI score 6.3, EPSS 0.00295
Exploits 0, References 4
Vulnrichment
added 2025/10/28 8:47 p.m., 2 views

CVE-2025-62796 PrivateBin persistent HTML injection in attachment filename enables redirect and defacement

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename attachmentname when attachments are enabled. An attacker can modify attachmentname before encryption so that,...

CVSS 5.8, AI score 6.9, EPSS 0.00266
Exploits 0, References 3
CVE
added 2025/10/28 8:47 p.m., 14 views

CVE-2025-62796

CVE-2025-62796 concerns PrivateBin where Versions 1.7.7–2.0.1 allow persistent HTML injection via the unsanitized attachment_name when attachments are enabled. An attacker can modify the filename before encryption, causing unescaped HTML to be inserted near the file size hint after decryption, en...

CVSS 5.8, AI score 6.9, EPSS 0.00266
Exploits 0, References 3
Positive Technologies
added 2025/10/28 12:00 a.m., 4 views

PT-2025-44214

Name of the vulnerable software and affected versions: PrivateBin versions 1.7.7 through 2.0.1. Description: PrivateBin is an online pastebin designed to ensure the server has no knowledge of pasted data. Versions 1.7.7 through 2.0.1 are susceptible to persistent HTML injection. This occurs through ...

CVSS 5.8, AI score 6.6, EPSS 0.00266
Exploits 0, References 7
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2023-26643

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.5, EPSS 0.00792
Exploits 0, References 1
CNNVD
added 2025/06/05 12:00 a.m., 1 view

aerc security vulnerability

aerc is a library by Robin Jarry, an individual developer. A security vulnerability exists in versions prior to aerc 93bec0d, which stems from a direct path concatenation of attachment part names that could lead to a directory traversal attack...

CVSS 5.8, AI score 6.3, EPSS 0.00592
Exploits 0, References 3
RedhatCVE
added 2025/05/21 10:14 p.m., 4 views

CVE-2002-2351

Eudora 5.1 allows remote attackers to bypass security warnings and possibly execute arbitrary code via attachments with names containing a trailing "." dot...

CVSS 6.4, AI score 8.2, EPSS 0.02645
Exploits 1, References 1
CNVD
added 2025/01/24 12:00 a.m., 2 views

Mattermost Mobile Apps Denial of Service Vulnerability (CNVD-2025-11094)

Mattermost Mobile Apps is a messaging mobile application from Mattermost USA. A denial of service vulnerability exists in Mattermost Mobile Apps that stems from the application failing to properly handle specially crafted attachment names. An attacker could use this vulnerability to cause the...

CVSS 4.3, AI score 6.9, EPSS 0.00352
Exploits 0, References 1
NVD
added 2025/01/16 12:15 a.m., 7 views

CVE-2025-0476

Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment...

CVSS 4.3, EPSS 0.00352
Exploits 0, References 1