CVE-2025-3522 Leak of hashed Windows credentials via crafted attachment URL
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validate...
CVE-2025-3522
Summary of CVE-2025-3522 (Thunderbird) : Thunderbird improperly processes the X-Mozilla-External-Attachment-URL header used for external attachments. When opening an email, Thunderbird fetches the URL to determine file size and may navigate to it when attaching is clicked. The URL is not validate...
CVE-2025-2830
By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the...
PT-2025-16353 · Mozilla +10 · Thunderbird +10
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 137.0.2 Thunderbird versions prior to 128.9.2 Description: The issue arises when an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header. In such cases, only th...
PT-2025-16352 · Mozilla +10 · Thunderbird +10
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 137.0.2 Thunderbird versions prior to 128.9.2 Description: The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which allows for external attachments. When an email is...
CVE-2025-32543
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in hivedigital Canonical Attachments canonical-attachments allows Reflected XSS. This issue affects Canonical Attachments: from n/a through <= 1.8...
Yii security vulnerability
Yii is a component-based, high-performance PHP framework for developing large-scale web applications developed by the YII team. A security vulnerability exists in Yii 2 versions prior to 2.0.52, which stems from improper handling of behavior attachments...
CVE-2025-32543 WordPress Canonical Attachments Plugin <= 1.8 - Stored Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in hivedigital Canonical Attachments canonical-attachments allows Reflected XSS. This issue affects Canonical Attachments: from n/a through <= 1.8...
CVE-2025-32543
CVE-2025-32543 affects Canonical Attachments (WordPress plugin). Affected: Canonical Attachments (versions end-user n/a through 1.7). Root cause: Improper input neutralization during web page generation, enabling unauthenticated stored XSS. Impact: potential low/medium confidentiality, integrity,...
WordPress Canonical Attachments Plugin <= 1.8 - Stored Cross Site Scripting (XSS) vulnerability
Stored Cross Site Scripting XSS vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Canonical Attachments versions <= 1.8...
WordPress plugin Canonical Attachments cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
PT-2025-15785 · Unknown · Hivedigital Canonical Attachments
Name of the Vulnerable Software and Affected Versions: hivedigital Canonical Attachments versions n/a through 1.7 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. This means that an...
PT-2025-15063
Name of the Vulnerable Software and Affected Versions: WhatsApp versions prior to 2.2450.6 Description: A spoofing issue in WhatsApp for Windows allows attackers to disguise malicious files as harmless attachments, potentially leading to remote code execution when opened. The vulnerability is relat...
QR codes sent in attachments are the new favorite for phishers
Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments. The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals. There are several reasons why cybercrimina...
CVE-2024-13567
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.3.1 via the 'awesome-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored...
WordPress plugin Awesome Support information disclosure vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. An information disclosure...
5 Unexpected Devices You Didn’t Know Could Spread Malware
When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns…...
CVE-2024-10366
An improper access control vulnerability IDOR exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other use...