32 matches found

ATTACKERKB
added 2026/06/20 11:56 a.m., 6 views

CVE-2026-48939

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution...

CVSS 10, AI score 6, EPSS 0.00478
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/06/20 12:0 a.m., 14 views

PT-2026-51137

Name of the Vulnerable Software and Affected Versions: iCagenda versions prior to 4.0.8 Description: The iCagenda extension for Joomla contains a flaw in the file attachment feature of its public event submission form. Due to improper restriction of file types, unauthenticated attackers can upload...

CVSS 10, AI score 6.6, EPSS 0.00478
Exploits 0, References 12
Cvelist
added 2026/06/15 12:0 a.m., 27 views

CVE-2026-50873

An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file...

EPSS 0.00441
Exploits 0, References 1
OSV
added 2026/05/22 12:31 a.m., 3 views

GHSA-P8P9-5953-H9JW Concrete CMS is vulnerable to IDOR in AddMessage/UpdateMessage

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments parameter which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em-findFile::class,...

CVSS 2.3, AI score 5.7, EPSS 0.00288
Exploits 0, References 3
CNNVD
added 2026/03/19 12:0 a.m., 4 views

FreeScout Security Vulnerability

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built using PHP Laravel framework by FreeScout Inc. Versions of FreeScout 1.8.208 and earlier contain security vulnerabilities. These vulnerabilities stem from issues with the attachment handling logic and the SVG...

CVSS 8.5, AI score 5.8, EPSS 0.00207
Exploits 1, References 3
Debian
added 2026/01/10 12:46 p.m., 7 views

[SECURITY] [DLA 4434-1] sogo security update

Debian LTS Advisory DLA-4434-1 [email protected] https://www.debian.org/lts/security/ Tobias Frost January 06, 2026 https://wiki.debian.org/LTS Package : sogo Version : 5.0.1-4+deb11u3 CVE ID : CVE-2024-34462 CVE-2025-63499 Debian Bug : 1071163 1121952 Several XSS vulnerabilities have...

CVSS 6.1, AI score 6.3, EPSS 0.00345
Exploits 2
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2002-0452

Malware in sbrugna...

CVSS 5, AI score 6.4, EPSS 0.01343
Exploits 1, References 4
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-5904

Malicious code in bioql PyPI...

CVSS 7.5, AI score 8.7, EPSS 0.00399
Exploits 0, References 3
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2023-44083

Malicious code in bioql PyPI...

CVSS 7.5, AI score 8.4, EPSS 0.00556
Exploits 0, References 5
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2021-7561

Malicious code in bioql PyPI...

CVSS 8.1, AI score 8.1, EPSS 0.02151
Exploits 0, References 2
Tenable Nessus
added 2025/09/10 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2024-23792

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When adding attachments to ticket comments, another user can add attachments as well impersonating the original user. The attack requires a logged-in other user ...

CVSS 6.5, AI score 6.5, EPSS 0.00345
Exploits 0, References 2
NVD
added 2025/09/09 12:15 a.m., 9 views

CVE-2025-43763

A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw...

CVSS 6.5, EPSS 0.00183
Exploits 0, References 1
CNNVD
added 2025/09/03 12:0 a.m., 3 views

Memos Security Vulnerability

Memos is an open source hosted meme center with knowledge management and social features. A security vulnerability exists in Memos version 0.22, which stems from the Upload Attachment and User Avatar features being vulnerable to a stored cross-site scripting attack that could...

CVSS 5.4, AI score 5.7, EPSS 0.00236
Exploits 1, References 4
Cvelist
added 2025/05/28 7:23 a.m., 14 views

CVE-2025-5082 WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter

The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVSS 6.1, EPSS 0.00275
Exploits 0, References 5
RedhatCVE
added 2025/05/23 2:21 a.m., 4 views

CVE-2023-45651

Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi WP Attachments allows Cross Site Request Forgery. This issue affects WP Attachments: from n/a through 5.0.11...

CVSS 8.8, AI score 6.9, EPSS 0.00214
Exploits 0, References 1
GithubExploit
added 2025/03/11 2:4 a.m., 552 views

Exploit for Missing Authorization in Directsoftware Order_Attachments_For_Woocommerce

🚀 WooCommerce Arbitrary File Upload Exploit CVE-2024-9756...

CVSS 4.3, AI score 4.7, EPSS 0.00852
Exploits 1
Positive Technologies
added 2025/02/28 12:0 a.m., 4 views

PT-2025-9068 · WordPress · Order Attachments For Woocommerce

Name of the Vulnerable Software and Affected Versions: Order Attachments for WooCommerce plugin for WordPress version 2.5.1 and earlier Description: The issue allows unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory, which can contain file...

CVSS 7.5, AI score 9.4, EPSS 0.00438
Exploits 0, References 10
CNNVD
added 2023/10/14 12:0 a.m., 3 views

qdPM Code Issues Vulnerabilities

qdPM is a web-based open source project management tool. A security vulnerability exists in qdPM version 9.2, which stems from a remote code execution vulnerability. The vulnerability allows an attacker to upload a .php file to the /uploads URI via the Add Attachments function to execute remote...

CVSS 9.8, AI score 8.3, EPSS 0.01396
Exploits 1, References 3
CNNVD
added 2023/08/07 12:0 a.m., 4 views

PrestaShop Input Validation Error Vulnerability

PrestaShop is an open source e-commerce solution from PrestaShop, Inc. in the United States. The solution provides multiple payment methods, short message alerts and product image scaling. An input validation error vulnerability exists in PrestaShop versions prior to 8.1.1, which stems from a...

CVSS 9.1, AI score 6.8, EPSS 0.00596
Exploits 0, References 3
Positive Technologies
added 2022/10/24 12:0 a.m., 3 views

PT-2022-20745 · Open Xchange · Ox App Suite

Name of the Vulnerable Software and Affected Versions: OX App Suite versions through 8.2 Description: The issue allows for XSS via an attachment or OX Drive content when a client uses the len or off parameter. This can be exploited when the client utilizes specific parameters in conjunction with...

CVSS 6.1, AI score 6, EPSS 0.00476
Exploits 0, References 3