
113 matches found

NVD
added last week, 7 views

CVE-2026-47123

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent user replies based on In-Reply-To / References headers. The notification reply path...

CVSS 7.5, EPSS 0.00018
Exploits: 0, References: 3

EUVD
added last week, 7 views

EUVD-2026-33440

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent user replies based on In-Reply-To / References headers. The notification reply path...

CVSS 7.5, AI score 5.9, EPSS 0.00018
Exploits: 0, References: 2

Vulnrichment
added last week, 5 views

CVE-2026-47123 FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent user replies based on In-Reply-To / References headers. The notification reply path...

CVSS 7.5, AI score 5.9, EPSS 0.00018
Exploits: 0, References: 2

AstraLinux
added 2026/05/20 5:53 a.m., 11 views

Astra Linux - vulnerability in tar

GNU Tar version 1.34 has a one-byte out-of-bounds read operation, which allows for the use of uninitialized memory during a conditional jump. Exploitation to alter the control flow has not been demonstrated. The issue occurs in the fromheader section of the list.c file, due to a V7 archive where...

CVSS 5.5, AI score 6.7, EPSS 0.00047
Exploits: 1, References: 2

OSV
added 2026/05/05 9:56 p.m., 0 views

GHSA-5HGJ-7GM9-CFF5 AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address

Summary: objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The...

CVSS 5.3, AI score 5.9, EPSS 0.00071
Exploits: 0, References: 4

AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux - vulnerability in thunderbird

Thunderbird parses addresses in a way that can allow sender spoofing in cases where the server allows an invalid From address to be used. For example, if the From header contains an invalid value like “Spoofed Name”, Thunderbird will treat “[email protected]” as the actual address. This...

CVSS 7.5, AI score 7.1, EPSS 0.00375
Exploits: 0, References: 2

Tenable Nessus
added 2026/04/30 12:0 a.m., 1 view

Fedora 42 : asterisk (2026-98decbde87)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-98decbde87 advisory. Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are...

CVSS 9.8, AI score 7.3, EPSS 0.3195
Exploits: 14, References: 16

OSV
added 2026/03/12 4:38 p.m., 1 view

GHSA-4CM8-XPFV-JV6F ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation

Summary: The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak (for example, relaxed SPF/DKIM/DMARC handling), an attacker can spoof an allowlisted sender address and have the message treated as trusted input. Details...

CVSS 6.5, AI score 5.9
Exploits: 0, References: 3

CVE
added 2026/03/07 5:7 a.m., 11 views

CVE-2026-30820

Flowise, a UI for building LLM flows, is affected pre-3.0.13. The vulnerability arises because the server trusts any HTTP client that sends the header x-request-from: internal, allowing an authenticated tenant with only a session cookie to bypass /api/v1/** authorization checks and access interna...

CVSS 8.8, AI score 5.7, EPSS 0.00133
Exploits: 1, References: 2, Affected Software: 1

Snyk
added 2026/03/06 6:48 p.m., 1 view

Access Control Bypass

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Access Control Bypass in the middleware that processes requests to /api/v1 endpoints. An attacker can gain unauthorized access to internal administration APIs by spoofing the x-request-from header as...

CVSS 8.8, AI score 5.8, EPSS 0.00133
Exploits: 1, References: 2

RedhatCVE
added 2026/01/09 11:27 a.m., 5 views

CVE-2021-33056

Belledonne Belle-sip before 4.5.20, as used in Linphone and other products, can crash via an invalid From header in a SIP message...

CVSS 7.5, AI score 6.7, EPSS 0.00415
Exploits: 0, References: 1

RedhatCVE
added 2025/11/06 12:10 a.m., 4 views

CVE-2025-61084

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing eve...

CVSS 7.1, AI score 6.8, EPSS 0.0006
Exploits: 0, References: 1

NVD
added 2025/11/05 3:15 p.m., 1 view

CVE-2025-61084

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing eve...

CVSS 7.1, EPSS 0.0006
Exploits: 0, References: 1

CVE
added 2025/11/05 12:0 a.m., 6 views

CVE-2025-61084

MDaemon Mail Server 23.5.2 is described as validating SPF, DKIM, and DMARC using the From header content enclosed in angle brackets () during SMTP DATA. An attacker can craft a From header using multiple invisible Unicode thin spaces to display a spoofed sender while still passing validation, ena...

CVSS 7.1, AI score 6.5, EPSS 0.0006
Exploits: 0, References: 1

Positive Technologies
added 2025/11/05 12:0 a.m., 2 views

PT-2025-45105

Name of the Vulnerable Software and Affected Versions: MDaemon Mail Server version 23.5.2. Description: MDaemon Mail Server version 23.5.2 validates Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) using the email...

CVSS 7.1, AI score 6.5, EPSS 0.0006
Exploits: 0, References: 3

Vulnrichment
added 2025/11/05 12:0 a.m., 2 views

CVE-2025-61084

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing eve...

AI score 6.5, EPSS 0.0006
Exploits: 0, References: 1

CNNVD
added 2025/11/05 12:0 a.m., 2 views

MDaemon Mail Server security vulnerability

MDaemon Mail Server is an e-mail server software from MDaemon Inc. in the United States. A security vulnerability exists in MDaemon Mail Server version 23.5.2, which originates from a flaw in the use of email validation SPF, DKIM, and DMARC using the pointed brackets in the From header of the SMT...

CVSS 7.1, AI score 6.6, EPSS 0.0006
Exploits: 0, References: 2

Cvelist
added 2025/11/05 12:0 a.m., 5 views

CVE-2025-61084

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing eve...

EPSS 0.0006
Exploits: 0, References: 1

CERT
added 2025/10/28 12:0 a.m., 11 views

Authenticated SMTP users may spoof other identities due to ambiguous “From” header interpretation

Overview: Email message header syntax can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC. These exploits enable attackers to deliver spoofed emails that appear to originate from trusted sources. Recent research has explored using the originator fields, such as From: a...

AI score 6.5
Exploits: 0, References: 6

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2006-0981

Malware in sbrugna...

CVSS 4.3, AI score 6.4, EPSS 0.00648
Exploits: 0, References: 9