CVE-2026-41253
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band...
CVE-2025-64711
CVE-2025-64711 affects PrivateBin versions 1.7.7–2.0.3. A drag-and-drop filename containing HTML is rendered as HTML in the drag-and-drop helper, enabling self‑XSS in the victim’s session on macOS/Linux when file uploads are enabled. An attacker must entice the user to attach a maliciously named ...
CVE-2024-32966
Static Web Server (SWS) is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions, if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like .txt will allow JavaScript code...
CVE-2024-35226
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject PHP code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. Al...
Improper Validation of File Name Causes RCE
Description Due to insufficient sanitization of the music file name, it is possible to execute arbitrary commands on the victim's computer through a specially crafted file name. Note that this bug was found exploitable only on the macOS version of this application. Although still applicable ...
Design/Logic Flaw
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of...
CVE-2021-23439
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file)...
Cross-site Scripting (XSS)
Overview file-upload-with-preview is a simple file-upload utility that shows a preview of the uploaded image. Written in pure JavaScript. No dependencies. Works well with Bootstrap 4 or without a framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A file...
CVE-2020-4163
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397...
Cross-site Scripting (XSS)
Python SimpleHTTPServer is vulnerable to cross-site scripting (XSS). The listdirectory function in Lib/SimpleHTTPServer.py does not set a charset parameter in the Content-Type HTTP header, allowing an attacker to inject arbitrary JavaScript through UTF-7 encoding into Internet Explorer 7 browser vi...
CVE-2018-8924
Cross-site scripting (XSS) vulnerability in Title Tooltip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name...
CVE-2018-8921
Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name...