Lucene search
+L

17 matches found

cve
cve
added 6 days ago10 views

CVE-2026-55466

CVE-2026-55466 (Snipe-IT) is a stored XSS vulnerability in the UploadFileRequest path before version 8.6.2. The sanitizer only processes SVG content when PHP finfo reports image/svg+xml, and UploadedFilesController serves attachments inline without StorageHelper::allowSafeInline(), enabling a low...

8.7CVSS6.1AI score0.00316EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added 6 days ago32 views

CVE-2026-55466 Snipe-IT: Stored XSS via inline-served attachment

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline, allowing a low-privilege user to upload active...

6.2CVSS0.00316EPSS
Exploits1References3
cvelist
cvelist
added 2026/06/23 7:44 p.m.27 views

CVE-2026-53929 NocoDB: Stored Cross-Site Scripting via Secure Attachment

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stor...

5.1CVSS0.00288EPSS
Exploits0References1
euvd
euvd
added 2025/10/07 12:30 a.m.7 views

EUVD-2010-2806

Malware in sbrugna...

3.5CVSS6.4AI score0.00887EPSS
Exploits0References6
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2022-2935

Malicious code in bioql PyPI...

5.3CVSS4.7AI score0.01068EPSS
Exploits0References4
github
github
added 2022/05/24 5:11 p.m.17 views

Moodle Email media URL tokens were not checking for user status

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...

5.3CVSS7AI score0.01068EPSS
Exploits0References4Affected Software1
osv
osv
added 2022/05/24 5:11 p.m.55 views

GHSA-774Q-WFCP-VC2Q Moodle Email media URL tokens were not checking for user status

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...

5.3CVSS5AI score0.01068EPSS
Exploits0References4
osv
osv
added 2020/03/18 1:15 p.m.28 views

CVE-2019-14883

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...

5.3CVSS6.6AI score0.01068EPSS
Exploits0References2
ubuntucve
ubuntucve
added 2020/03/18 1:15 p.m.23 views

CVE-2019-14883

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...

5.3CVSS5.8AI score0.01068EPSS
Exploits0References3
mskb
mskb
added 2019/01/08 8:0 a.m.63 views

Description of the security update for Outlook 2016: January 8, 2019

None None...

6.5CVSS6.6AI score0.06783EPSS
Exploits0
nvd
nvd
added 2015/01/09 6:59 p.m.20 views

CVE-2014-9271

Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...

5.4CVSS5.1AI score0.01522EPSS
Exploits1References7
ubuntucve
ubuntucve
added 2015/01/09 6:59 p.m.26 views

CVE-2014-9271

Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...

5.4CVSS6.2AI score0.01522EPSS
Exploits1References5
prion
prion
added 2015/01/09 6:59 p.m.19 views

Cross site scripting

Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...

4.3CVSS5.6AI score0.01522EPSS
Exploits1References7Affected Software2
cvelist
cvelist
added 2015/01/09 6:0 p.m.28 views

CVE-2014-9271

Cross-site scripting XSS vulnerability in filedownload.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename...

5.1AI score0.01522EPSS
Exploits1References7
prion
prion
added 2010/09/07 5:0 p.m.16 views

Cross site scripting

Cross-site scripting XSS vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments...

3.5CVSS5.7AI score0.00887EPSS
Exploits0References5Affected Software1
cvelist
cvelist
added 2010/09/07 4:30 p.m.30 views

CVE-2010-2802

Cross-site scripting XSS vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments...

5.8AI score0.00887EPSS
Exploits0References5
osv
osv
added 2006/03/07 11:2 a.m.2 views

DEBIAN-CVE-2006-1045

The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP...

2.6CVSS6.5AI score0.0486EPSS
Exploits1References1
Rows per page
Query Builder