
28 matches found

Positive Technologies
added 2026/04/21 12:0 a.m., 0 views

PT-2026-34011

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization a...

CVSS 5.8, AI score 5.9, EPSS 0.00066
Exploits: 0, References: 4
Hacker One
added 2026/04/15 6:22 a.m., 14 views

curl: lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)

Summary: settransferurl in lib/http2.c validates the :scheme pseudo-header of PUSHPROMISE frames only when !viasslconn — a guard added by commit 2e8c922a to block non-TLS connections from accepting TLS-scheme pushes. The symmetric case was not addressed: over TLS, viasslconn is TRUE, the guard at...

AI score 5.9
Exploits: 0
RedhatCVE
added 2026/03/09 8:1 a.m., 4 views

CVE-2026-30821

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on th...

CVSS 9.8, AI score 6, EPSS 0.00271
Exploits: 1, References: 1
Vulnrichment
added 2026/02/24 1:33 p.m., 4 views

CVE-2026-2634 Spoofed web content presented under trusted domains using scripted navigation on Firefox iOS

Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4...

AI score 5.7, EPSS 0.00065
Exploits: 0, References: 2
Positive Technologies
added 2026/02/24 12:0 a.m., 4 views

PT-2026-21830

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS...

AI score 5.8, EPSS 0.00012
Exploits: 0, References: 3
NVD
added 2025/12/18 8:15 p.m., 1 views

CVE-2020-36891

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVSS 5.4, EPSS 0.00024
Exploits: 0, References: 2
OSV
added 2025/12/18 8:15 p.m., 2 views

CVE-2020-36891

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVSS 5.4, AI score 5.8, EPSS 0.00024
Exploits: 0, References: 2
CVE
added 2025/12/18 7:53 p.m., 5 views

CVE-2020-36891

CVE-2020-36891 describes a stored XSS in Kentico Xperience caused by uploading files with spoofed Content-Type that does not match file extensions. The vulnerability targets the file-upload handling and can allow malicious scripts to execute in users’ browsers. Connected sources provide generic r...

CVSS 5.4, AI score 6, EPSS 0.00024
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2025/12/18 7:53 p.m., 1 views

CVE-2020-36891 Kentico Xperience <= 12.0.49 File Upload Stored XSS

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVSS 5.4, AI score 6, EPSS 0.00024
Exploits: 0, References: 2
Cvelist
added 2025/12/18 7:53 p.m., 20 views

CVE-2020-36891 Kentico Xperience <= 12.0.49 File Upload Stored XSS

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute i...

CVSS 5.4, EPSS 0.00024
Exploits: 0, References: 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2009-3956

Malware in sbrugna...

CVSS 6.8, AI score 9.2, EPSS 0.00461
Exploits: 6, References: 30
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-24348

Malicious code in bioql PyPI...

CVSS 5.4, AI score 5.7, EPSS 0.00238
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-41055

Malicious code in bioql PyPI...

CVSS 6.5, AI score 8.1, EPSS 0.0017
Exploits: 0, References: 6
Cvelist
added 2024/12/04 11:15 a.m., 16 views

CVE-2024-52278

...

Exploits: 0
OSV
added 2024/02/26 7:40 p.m., 21 views

CVE-2024-27092 Content spoofing - real Hoppscotch emails

Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label Edit Team - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload external link is presented in clickable form - easier to achieve own goals by malicious actors. This iss...

CVSS 5.4, AI score 5.5, EPSS 0.00238
Exploits: 1, References: 5
CNNVD
added 2021/08/11 12:0 a.m., 0 views

F-secure Safe security vulnerability

F-Secure SAFE is a suite of antivirus software from the Finnish company F-Secure. A security vulnerability exists in F-secure Safe Browser that stems from a flaw in the product implementation. When a user clicks on a malicious link, the browser address bar displays a legitimate...

CVSS 3.5, AI score 5.1, EPSS 0.00303
Exploits: 0, References: 4
Hacker One
added 2020/11/14 12:40 a.m., 14 views

Mail.ru: HTML injection in an email [delivery.city-mobil.ru]

It was possible to inject spoofed HTML content into delivery.city-mobil.ru registration e-mail message via forged user name...

AI score 2
Exploits: 0
Veracode
added 2020/04/10 12:41 a.m., 32 views

Spoofed Content Association

Mozilla Firefox allows spoofed content association. A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid address. If a user visits an attacker-controlled web page that results in a blank page, the attacker could inject content into that blank page, possib...

CVSS 6.8, AI score 3.6, EPSS 0.00461
Exploits: 6, References: 28, Affected Software: 2
Hacker One
added 2018/05/17 3:28 a.m., 22 views

Reverb.com: XSS in buying and selling pages, can create spoofed content (false login message)

Previously this issue was resolved at another location in report 351376. After spending more time searching the website, I found additional areas where this problem persists: https://sandbox.reverb.com/my/buying/orders?query= https://sandbox.reverb.com/my/selling/listings?query=...

AI score 0.1
Exploits: 0
ArchLinux
added 2015/10/30 12:0 a.m., 48 views

phpmyadmin: content spoofing

This vulnerability allows an attacker to perform a content spoofing attack using the phpMyAdmin's redirection mechanism to external sites. This vulnerability is not considered to be critical since the spoofed content is escaped and no HTML injection is possible...

CVSS 5, AI score 1.3, EPSS 0.00625
Exploits: 0, References: 2