CVE-2025-67084

The CVE-2025-67084 entry concerns InvoicePlane up to version 1.6.3, where an authenticated file-upload flaw allows uploading arbitrary PHP files into attachments, enabling remote code execution (RCE). Affected component is the file upload handling in attachments; the root cause is not explicitly ...

PT-2026-2983

Name of the Vulnerable Software and Affected Versions Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress versions up to and including 1.3.9.2 Description The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is susceptible to unauthorized...

PT-2026-3056

ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded...

CVE-2022-50908

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

Exploit for CVE-2025-68472

CVE-2025-68472 !1https://github...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email attachments due to the missing verification for API requests to localhost. An attacker can execute arbitrary scripts in the context of the user's browser by sending specially crafted emails...

CVE-2022-50908

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

CVE-2022-50908

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

CVE-2022-50908

MailHog 1.0.1 is affected by a stored XSS vulnerability in attachments that allows execution of arbitrary API calls (e.g., message deletion, browser manipulation) when a crafted email is processed. Technical details from multiple sources indicate the issue stems from improper handling of attachme...

CVE-2022-50908 Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

CVE-2022-50908 Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

PT-2026-2384

Name of the Vulnerable Software and Affected Versions Mailhog version 1.0.1 Description Mailhog version 1.0.1 has a stored cross-site scripting issue. Attackers can inject malicious scripts through email attachments. By sending crafted emails with XSS payloads, attackers can execute arbitrary API...

MailHog 跨站脚本漏洞

MailHog is MailHog open source a SMTP protocol testing tool . Mailhog version 1.0.1 suffers from a cross-site scripting vulnerability that stems from stored cross-site scripting , which could lead to an attacker injecting malicious scripts and executing arbitrary API calls via email attachments...

MiracleLinux 9 : xdg-utils-1.1.3-13.el9_6 (AXSA:2025-10482:01)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-10482:01 advisory. xdg-utils: improper parse of mailto URIs allows bypass of Thunderbird security mechanism for attachments CVE-2022-4055 Tenable has extracted the preceding...

[SECURITY] [DLA 4434-1] sogo security update

Debian LTS Advisory DLA-4434-1 [email protected] https://www.debian.org/lts/security/ Tobias Frost January 06, 2026 https://wiki.debian.org/LTS Package : sogo Version : 5.0.1-4+deb11u3 CVE ID : CVE-2024-34462 CVE-2025-63499 Debian Bug : 1071163 1121952 Several XSS vulnerabiltiies have...

CVE-2023-49243

Vulnerability of unauthorized access to email attachments in the email module. Successful exploitation of this vulnerability may affect service confidentiality...

CVE-2023-45856

qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI...

CVE-2023-4933

The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled...

CVE-2023-40386

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14. An app may be able to access Notes attachments...

CVE-2022-35487

Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files...