Astra Linux - уязвимость в thunderbird

An HTML email containing links to .pdf files can trigger automatic, unsolicited downloads of those files to the user’s desktop or home directory without any prompts, even if auto-saving is disabled. This behavior can be exploited to fill the disk with junk data e.g., using /dev/urandom on Linux o...

CVE-2026-2741

A flaw was found in Vaadin. During the automatic download and extraction of Node.js, a remote attacker could exploit a path traversal vulnerability. By intercepting or controlling the Node.js download, an attacker could serve a specially crafted ZIP archive. This malicious archive would allow fil...

Zip Slip Path Traversal on Node Unpack

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. See CWE-22 Improper Limitation of a Pathname to a Restricted Directory 'Pat...

CVE-2025-59100

The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes t...

A WhatsApp bug lets malicious media files spread through group chats

WhatsApp is going through a rough patch. Some users would argue it has been ever since Meta acquired the once widely trusted messaging platform. User sentiment has shifted from “trusted default messenger” to a grudgingly necessary Meta product. Privacy-aware users still see WhatsApp as one of the...

CVE-2025-59100

The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes t...

HenBR-Autoload

HenBR-Autoload Download any PS4 exploit in one click...

PT-2025-49290

Name of the Vulnerable Software and Affected Versions Nextcloud Calendar versions prior to 4.7.17 Nextcloud Calendar versions prior to 5.2.4 Description A malicious user could create a calendar event with a specially crafted attachment that links to a file on the same Nextcloud server. This actio...

CVE-2025-5986

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data e.g. using /dev/urandom on Linux or to...

CVE-2025-3877

Rejected reason: This CVE was marked as fixed, but due to other code landing - was not actually fixed. It was subsequently fixed in CVE-2025-5986...

Xiaomi Mi App Store Open Redirect Vulnerability

A security vulnerability exists in Xiaomi Mi App Store, an app store of Xiaomi, a Chinese company. The vulnerability is due to the Xiaomi App Store not verifying the validity of incoming data, which could be exploited by an attacker to cause the app store to automatically download and install app...

CVE-2020-14118

An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps...

CVE-2020-14118

An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps...

Xiaomi Mi App Store 输入验证错误漏洞

A security vulnerability exists in Xiaomi Mi App Store, an app store of Xiaomi, a Chinese company. The vulnerability is due to the Xiaomi App Store not verifying the validity of incoming data, which could be exploited by an attacker to cause the app store to automatically download and install app...

Remote code execution

Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app...

Microsoft Windows: Automatic Download and Install of updates (Store)

This test checks the setting for policy OpenVAS Vulnerability Test $Id: winstoreautoupdatedownload.nasl 11363 2018-09-12 13:46:05Z emoss $ Check value for Turn off Automatic Download and Install of updates Authors: Emanuel Moss Copyright: Copyright c 2018 Greenbone Networks GmbH,...

Description of the security update for the ATMFD.dll information disclosure vulnerability in Windows Server 2008: January 3, 2018

Description of the security update for the ATMFD.dll information disclosure vulnerability in Windows Server 2008: January 3, 2018 Summary An information disclosure vulnerability exists in Adobe Type Manager Font Driver ATMFD.dll when it fails to properly handle objects in memory. An attacker who...

EmbedInHTML - Embed and hide any file in an HTML file

What this tool does is taking a file any type of file, encrypt it, and embed it into an HTML file as ressource, along with an automatic download routine simulating a user clicking on the embedded ressource. Then, when the user browses the HTML file, the embedded file is decrypted on the fly, save...

Chrome Browser Hack Opens Door to Credential Theft

A vulnerability in Google’s Chrome browser allows hackers to automatically download a malicious file onto a victim’s PC that could be used to steal credentials and launch SMB relay attacks. Bosko Stankovic, information security engineer at DefenseCode, found the flaw in the default configuration ...

Mission '1 Billion' — Microsoft will Automatically Offer Windows 10 Upgrade

Microsoft wholeheartedly wants you to upgrade your PCs to Windows 10, so much so that the company plans to automatically download its new operating system to Windows 7/8 computers next year. Just two weeks ago, Microsoft accidentally pushed Windows 10 installation to Windows 7 and Windows 8/8.1...