PT-2026-34039

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.215 Description The reply and draft flows trust encrypted attachment IDs supplied by the client. Any IDs included in the attachments all variable but omitted from retained lists are decrypted and passed to the...

CVE-2023-4105

Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message...

EUVD-2017-7574

Malware in sbrugna...

EUVD-1999-0998

Malware in sbrugna...

EUVD-2009-5113

Malware in sbrugna...

EUVD-2012-3677

Malware in sbrugna...

EUVD-2002-1689

Malware in sbrugna...

EUVD-2017-8994

Malware in sbrugna...

EUVD-2022-28205

Malicious code in bioql PyPI...

EUVD-2024-21245

Malicious code in bioql PyPI...

EUVD-2022-25510

Malicious code in bioql PyPI...

EUVD-2022-30442

Malicious code in bioql PyPI...

EUVD-2023-57648

Malicious code in bioql PyPI...

CVE-2025-6233

Mattermost versions 10.8.x = 10.8.1, 10.7.x = 10.7.3, 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal...

CVE-2023-24069

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker ca...

CVE-2022-25802

Best Practical Request Tracker RT before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment...

CVE-2020-1905

Media ContentProvider URIs used for opening attachments in other apps were generated sequentially prior to WhatsApp for Android v2.20.185, which could have allowed a malicious third party app chosen to open the file to guess the URIs for previously opened attachments until the opener app is...

CVE-2025-3932

It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web...

Security Vulnerabilities fixed in Thunderbird 138.0.1 — Mozilla

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...

Security Vulnerabilities fixed in Thunderbird 137.0.2 — Mozilla

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validate...