18 matches found
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to improper resetting of the generated MFA code after successful authentication. An attacker can gain unauthorized access by submitting an empty string as the MFA code in subsequent...
MAL-2025-191388 Malicious code in @vucod/email (npm)
Source: amazon-inspector (e91b5731b235151065b43287967fa368625822413bb181076f044b34a155d0c5). The package @vucod/email was found to contain malicious code. Source: google-open-source-security...
EUVD-2021-2537
Malware in sbrugna...
EUVD-2024-21271
Malicious code in bioql PyPI...
MAL-2025-7062 Malicious code in @amber-team/react-email (npm)
The package @amber-team/react-email was found to contain malicious code...
MAL-2025-3042 Malicious code in @hongfangze/email (npm)
Source: ghsa-malware (d003c3bc820422c79a6708a76107d9828e3df78ada0a45bd3c6732eba57c888b). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
BIT-PYTHON-MIN-2023-36632
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed ...
Code injection
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been successfully uploaded in the logo, the application goes slow and doesn't respond in the admin page. It is tested on the...
CVE-2024-23824 mailcow pixel flood attack leads to Denial of Service in admin page
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been successfully uploaded in the logo, the application goes slow and doesn't respond in the admin page. It is tested on the...
CVE-2023-36632
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed ...
Code injection
DISPUTED The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was...
CVE-2023-36632
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed ...
PSF-2023-4
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed ...
CVE-2023-26490
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to...
CVE-2023-26490
The CVE-2023-26490 entry describes a shell command injection in mailcow’s Sync Job feature within a dockerized mail server. The vulnerability arises from imapsync’s XOAUTH2 workflow creating a shell command to invoke openssl, with user password segments embedded in the command without validation,...
CVE-2023-26490 mailcow is vulnerable to shell command injection via xoauth2 authentication in imapsync
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to...
GHSA-J377-2X76-558H Improper Input Validation in is-email
is-email helps validate an email address. A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. An attacker that is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of...
Regular Expression Denial of Service (ReDoS)
Overview: is-email loosely validates an email address. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isEmail function. PoC: var isEmail = require"is-email" function buildblankn var ret = "" for var i = 0; i n; i++ ret += "@" return ret +...