CVE-2026-47388 NocoDB: Missing Ownership Check in MCP Attachment Read

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not...

CVE-2026-53929

NocoDB (pre-2026.05.1) is affected by a Stored Cross-Site Scripting vulnerability when NC_SECURE_ATTACHMENTS=true. An authenticated uploader could deliver .html or .svg attachments that the browser renders inline from the NocoDB origin due to a header-key casing mismatch (ResponseContentDispositi...

CVE-2026-53929

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stor...

Atlassian Confluence Download Attachments - Remote Code Execution

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this pat...

EUVD-2025-26130

Paymenter vulnerable to Remote Code Execution via public file uploads...

CVE-2026-48939

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution...

PT-2026-51137

Name of the Vulnerable Software and Affected Versions iCagenda versions prior to 4.0.8 Description The iCagenda extension for Joomla contains a flaw in the file attachment feature of its public event submission form. Due to improper restriction of file types, unauthenticated attackers can upload...

CVE-2026-4027

A security vulnerability has been identified in FlexNet Manager Suite 2025 R1 and R2 that could allow unauthorized access to attachment files due to insufficient access control...

Astra Linux – Vulnerability in emacs

In Emacs versions before 29.3, LaTeX preview is enabled by default for e-mail attachments...

CVE-2026-11784

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

Devolutions Server <= 2026.1.21 / 2026.2.0 <= 2026.2.5 Multiple Vulnerabilities (DEVO-2026-0017)

The version of Devolutions Server installed on the remote host is prior or equal to 2026.1.21 or 2026.2.0 prior or equal to 2026.2.5. It is, therefore, affected by multiple vulnerabilities, including: - Improper access control in PAM account discovery results in Devolutions Server 2026.2.5,...

NocoDB: Stored Cross-Site Scripting via Secure Attachment

Summary With NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. Details The signed attachment handler stored response-header overrides under PascalCase keys...

PT-2026-50475

Summary With NC SECURE ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. Details The signed attachment handler stored response-header overrides under PascalCase keys...

EUVD-2026-37203

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions...

CVE-2026-12105

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions...

CVE-2026-12105

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions...

CVE-2026-12105

CVE-2026-12105 affects Devolutions Server in versions 2026.2.5 and 2026.1.21. The root cause is improper access control that allows an authenticated user to access attachments via folder duplication with inherited permissions. The documented impact is confidential data exposure (high) with a CVSS...

PT-2026-49823

Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.5 Devolutions Server version 2026.1.21 Description Improper access control allows an authenticated user to access attachments through a process of folder duplication with inherited permissions. Recommendations...

CVE-2026-50873

An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file...

CVE-2026-50645

There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by...