38 matches found

CNNVD
added 2026/05/27 12:0 a.m., 5 views

Jenkins Email Extension Plugin Security Vulnerability

The Jenkins Email Extension Plugin is an open-source extension for Jenkins that handles email notifications and build messages. The Jenkins Email Extension Plugin versions 1933.v45cec755423f and earlier contain security vulnerabilities. These vulnerabilities stem from allowing base64-encoded imag...

CVSS 8.8 | AI score 5.9 | EPSS 0.00444
Exploits: 0 | References: 1

OSV
added 2026/05/09 12:30 p.m., 2 views

OESA-2026-2215 python-nbconvert security update

The nbconvert tool, jupyter nbconvert, converts notebooks to various other formats via Jinja templates. The nbconvert tool allows you to convert an .ipynb notebook file into various static formats including HTML, LaTeX, PDF, Reveal JS, Markdown (md), ReStructured Text (rst) and executable script...

CVSS 6.5 | AI score 5.9 | EPSS 0.00048
Exploits: 0 | References: 3

OSV
added 2026/05/03 9:58 a.m., 4 views

OESA-2026-2195 python-nbconvert security update

The nbconvert tool, jupyter nbconvert, converts notebooks to various other formats via Jinja templates. The nbconvert tool allows you to convert an .ipynb notebook file into various static formats including HTML, LaTeX, PDF, Reveal JS, Markdown (md), ReStructured Text (rst) and executable script...

CVSS 6.5 | AI score 5.9 | EPSS 0.00048
Exploits: 0 | References: 3

EUVD
added 2026/04/21 5:18 p.m., 1 views

EUVD-2026-24025

nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding...

CVSS 6.5 | AI score 5.7 | EPSS 0.00039
Exploits: 0 | References: 3

OSV
added 2026/04/21 5:18 p.m., 0 views

GHSA-7JQV-FW35-GMX9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

Summary: When HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. Patches: Upgrade to...

CVSS 6.5 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 4

Vulnrichment
added 2026/04/21 12:17 a.m., 3 views

CVE-2026-39378 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

CVSS 6.5 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 2

Cvelist
added 2026/04/21 12:17 a.m., 24 views

CVE-2026-39378 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

CVSS 6.5 | EPSS 0.00039
Exploits: 0 | References: 2

Debian CVE
added 2026/04/21 12:17 a.m., 2 views

CVE-2026-39378

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

CVSS 6.5 | AI score 5.5 | EPSS 0.00039
Exploits: 0

Tenable Nessus
added 2026/04/21 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-39378

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when...

CVSS 6.5 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 3

RedhatCVE
added 2026/03/26 3:6 p.m., 1 views

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...

CVSS 8.1 | AI score 5.6 | EPSS 0.00026
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2024-3153

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.3 | EPSS 0.0089
Exploits: 1 | References: 6

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-2911

Malicious code in bioql PyPI...

CVSS 9 | AI score 8.5 | EPSS 0.01578
Exploits: 0 | References: 5

NVD
added 2025/10/03 7:15 a.m., 3 views

CVE-2025-61589

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (used to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker-controlled server throug...

CVSS 5.9 | EPSS 0.00048
Exploits: 0 | References: 2

SUSE CVE
added 2025/08/14 2:53 a.m., 2 views

SUSE CVE-2025-50738

The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be...

CVSS 9.8 | AI score 6.4 | EPSS 0.06977
Exploits: 1 | References: 3

Veracode
added 2025/08/11 5:38 p.m., 3 views

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to unrestricted external image embedding because markdown images with arbitrary URLs are automatically fetched when viewing a memo, exposing the user's IP address, browser User-Agent, and other...

CVSS 9.8 | AI score 6.6 | EPSS 0.06977
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/07/29 12:0 a.m., 1 views

CVE-2025-50738

The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be...

AI score 6.2 | EPSS 0.06977
Exploits: 1 | References: 3

RedhatCVE
added 2025/05/23 10:39 a.m., 5 views

CVE-2024-45291

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included in th...

CVSS 8.8 | AI score 7.7 | EPSS 0.0089
Exploits: 1

CVE
added 2024/10/07 8:9 p.m., 45 views

CVE-2024-45291

PHPSpreadsheet (PHPSpreadsheet) contains a path traversal/SSRF (Server-Side Request Forgery) vulnerability in the HTML writer when embedImages is enabled. An XLSX can link images from arbitrary paths; output data: URLs may include local files and, with wrappers like expect://, enable remote reques...

CVSS 8.8 | AI score 7.1 | EPSS 0.0089
Exploits: 1 | References: 1 | Affected Software: 1

Snyk
added 2024/10/07 3:58 p.m., 1 views

Absolute Path Traversal

Overview: Affected versions of this package are vulnerable to Absolute Path Traversal via the HTML writer process when embedding images. An attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests by constructing an XLSX file that links images from arbitrary paths or...

CVSS 8.8 | AI score 6.9 | EPSS 0.0089
Exploits: 1 | References: 2

Github Security Blog
added 2024/10/07 3:58 p.m., 22 views

PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled

Summary: It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included in the output as data: URLs, regardless of the file's type. Also URLs can be...

CVSS 8.8 | AI score 7.8 | EPSS 0.0089
Exploits: 1 | References: 6 | Affected Software: 2