7 matches found
CVE-2026-50873
The CVE concerns flatnotes v5.5.4, where the attachment handling component is vulnerable to arbitrary file upload. A crafted HTML or SVG file can lead to arbitrary code execution, per the provided descriptions. The sources consistently reference an upload vector in the attachment handling flow an...
CVE-2026-31868 Parse Server has Stored XSS via file upload of HTML-renderable file types
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server...
CVE-2026-26272
CVE-2026-26272 – HomeBox is affected by a stored XSS in the item attachment upload feature. An authenticated user can upload HTML or SVG files containing JavaScript due to improper validation of file types; attachments are served via direct links and the script runs in the app’s origin when opene...
Statamic Cross-Site Scripting Vulnerability
Statamic is a powerful flat file Cms built on Laravel by Statamic, Inc. for storing all content, templates, assets, and settings in files instead of a database. A cross-site scripting vulnerability exists in Statamic that stems from an attacker being able to craft and upload HTML files that look...
CVE-2023-27133
TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILESX86%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remot...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS such that when users upload temporary files it is possible to upload .html or .htm files containing a malicious payload. The resulting link can be sent to an administrator user. Details Cross-site scripting or X...
May 1, 2018, update for Office 2016 (KB4022133)
None None...