13 matches found

RedhatCVE
added 2026/04/18 7:22 a.m., 1 view

CVE-2026-24749

The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL or DBFile::getSourceURL incorrectly add an access grant to the current session, which...

CVSS 5.3 | AI score 5.5 | EPSS 0.00013
Exploits 0 | References 1
Positive Technologies
added 2026/01/01 12:00 a.m., 1 view

PT-2026-28494

Name of the Vulnerable Software and Affected Versions: Incus versions prior to 6.23.0. Description: Incus lacks validation of the image fingerprint when downloading from simplestreams image servers. This can lead to image cache poisoning, potentially allowing an attacker to provide a compromised ima...

CVSS 9.9 | AI score 5.9 | EPSS 0.0003
Exploits 3 | References 29
Positive Technologies
added 2025/12/15 12:00 a.m., 2 views

PT-2025-51305

Name of the Vulnerable Software and Affected Versions: Zomplog version 3.9. Description: The software contains a cross-site scripting issue that permits authenticated users to inject malicious scripts during the creation of new pages. An attacker can leverage crafted malicious image source and onerr...

CVSS 5.4 | AI score 6.6 | EPSS 0.00024
Exploits 1 | References 7
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2015-1422

Malware in sbrugna...

CVSS 4.3 | AI score 9.3 | EPSS 0.00976
Exploits 0 | References 15
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-26244

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 6.3 | EPSS 0.00687
Exploits 0 | References 5
Veracode
added 2025/09/29 4:51 a.m., 3 views

Content Injection

Next.js is vulnerable to content injection. The vulnerability is due to attacker-controlled external image sources being able to trigger file downloads with arbitrary content and filenames under specific configurations, which allows an attacker to perform phishing or deliver malicious files...

CVSS 4.3 | AI score 7.2 | EPSS 0.00687
Exploits 0 | References 4 | Affected Software 1
Snyk
added 2025/08/29 9:59 p.m., 2 views

Missing Source Correlation of Multiple Independent Data

Overview: next is a React framework. Affected versions of this package are vulnerable to Missing Source Correlation of Multiple Independent Data in image-optimizer. An attacker can cause arbitrary files to be downloaded with attacker-controlled content and filenames by supplying malicious external...

CVSS 4.3 | AI score 7 | EPSS 0.00687
Exploits 0 | References 2
OSV
added 2025/08/29 9:59 p.m., 0 views

GHSA-XV57-4MR9-WG8V Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious...

CVSS 4.3 | AI score 5.9 | EPSS 0.00687
Exploits 0 | References 6
Positive Technologies
added 2025/08/29 12:00 a.m., 1 view

PT-2025-35326

Name of the Vulnerable Software and Affected Versions: Next.js versions prior to 14.2.31; Next.js versions 15.0.0 through 15.4.5. Description: Next.js Image Optimization is susceptible to content injection. Attackers controlling external image sources can trigger file downloads with arbitrary conte...

CVSS 4.3 | AI score 6.5 | EPSS 0.00687
Exploits 0 | References 13
Snyk
added 2024/10/04 6:31 p.m., 3 views

Improper Validation of Integrity Check Value

Overview: ironic is OpenStack Bare Metal Provisioning. Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value due to missing validation of the checksum files of supplied image source URLs before the raw format conversion. Remediation: Upgrade ironic to version...

CVSS 8.7 | AI score 7 | EPSS 0.00301
Exploits 0 | References 2
OSV
added 2024/05/22 4:46 p.m., 22 views

GO-2024-2870 Credential leakage in github.com/aquasecurity/trivy

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned directly using Trivy. These tokens can then be used to push/pull...

CVSS 5.5 | AI score 5.5 | EPSS 0.00051
Exploits 0 | References 2
Hacker One
added 2019/11/14 2:33 a.m., 11 views

Open-Xchange: SSRF - Image Sources in HTML Snippets - 727234 bypass

This is about an incomplete fix for my recent bug 727234. In short, the /ajax/snippet?action=import endpoint allows creating HTML snippets. URLs of images are extracted from the HTML and their content is fetched and attached to the created snippet. For more details please see 727234. With the fix applied,...

Exploits 0
OSV
added 2018/05/23 12:00 a.m., 0 views

UBUNTU-CVE-2018-5162

Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR 52.8 and Thunderbird 52.8...

CVSS 7.5 | AI score 7.2 | EPSS 0.00918
Exploits 0 | References 4