CVE-2026-39348 OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier...

OrangeHRM 安全漏洞

OrangeHRM is a human resources management system developed by the American company OrangeHRM. This system supports functions such as personnel information management, leave management, attendance management, and recruitment management. Versions of OrangeHRM prior to 5.8 contained security...

CVE-2026-25742

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

CVE-2026-25742

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

CVE-2026-25742 Zulip: Anonymous File Access After Disabling Spectator Access

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

CVE-2026-25742

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

EUVD-2026-18835

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

CVE-2026-25742 Zulip: Anonymous File Access After Disabling Spectator Access

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enablespectatoraccess / WEBPUBLICSTREAMSENABLED is disabled, attachments originating from web-public...

CVE-2026-25742

Zulip CVE-2026-25742 affects versions before 11.6. Before 11.6, even with spectator access disabled (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED), attachments from web-public streams could be retrieved anonymously, and the endpoint /users/me//topics remained reachable to expose topic his...

CVE-2026-35539

A flaw was found in Roundcube Webmail. This cross-site scripting XSS vulnerability arises from insufficient sanitization of HTML attachments when viewed in preview mode. A remote attacker could send a specially crafted HTML attachment, which, if previewed by a victim, could lead to the execution ...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the ACP dispatch process. An attacker can access arbitrary files on the system by supplying crafted inbound channel attachment paths that traverse outside the...

PT-2026-30211

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access enable spectator access / WEB PUBLIC STREAMS ENABLED is disabled, attachments originating from web-public...

Roundcube Webmail 跨站脚本漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, etc. Versions of Roundcube Webmail prior to 1.5.14 and 1.6.14 had a cross-site scripting vulnerability. This vulnerability stemmed from...

Zulip 安全漏洞

Zulip is a powerful open-source chat application developed by the American company Zulip. It combines the immediacy of real-time conversations with the productivity benefits of threaded dialogue. Versions of Zulip from 1.4.0 to 11.6 contained security vulnerabilities. These vulnerabilities occurr...

Microsoft Warns of WhatsApp Attachments Spreading Backdoor on Windows PCs

Microsoft warns of a WhatsApp attachments spreading VBS malware that installs backdoors on Windows PCs, giving hackers remote access and control systems...

CVE-2026-32917 OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters...

CVE-2026-32917

OpenClaw prior to 2026.3.13 is affected by a remote command injection vulnerability in the iMessage attachment staging flow. The issue arises because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, allowing arbi...

Linux Distros Unpatched Vulnerability : CVE-2025-59031

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip- style attachments. Attacker can use specially crafted...