Total
21 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3909 | 1 Mozilla | 1 Thunderbird | 2026-02-26 | N/A | 8.1 HIGH |
| Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1. | |||||
| CVE-2026-0777 | 2026-02-23 | N/A | 7.8 HIGH | ||
| Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of attachments. When opening an attachment, the user interface fails to warn the user of unsafe actions. An attacker can leverage this vulnerability to execute code in the context of current user. Was ZDI-CAN-26034. | |||||
| CVE-2026-25805 | 1 Zed | 1 Zed | 2026-02-19 | N/A | 6.4 MEDIUM |
| Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show with which parameters a tool is being invoked, when asking for allowance. Further it does not show after the tool was being invoked, which parameters were used. Thus, maybe unwanted or even malicious values could be used without the user having a chance to notice it. Patched in Zed Editor 0.219.4 which includes expandable tool call details. | |||||
| CVE-2025-3839 | 2026-01-26 | N/A | 8.0 HIGH | ||
| A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior. | |||||
| CVE-2025-14412 | 1 Sodapdf | 1 Soda Pdf | 2026-01-21 | N/A | 7.8 HIGH |
| Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27495. | |||||
| CVE-2025-14415 | 1 Sodapdf | 1 Soda Pdf | 2026-01-21 | N/A | 7.8 HIGH |
| Soda PDF Desktop Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27494. | |||||
| CVE-2025-58335 | 1 Jetbrains | 1 Junie | 2026-01-20 | N/A | 5.5 MEDIUM |
| In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 information disclosure was possible via search_project function | |||||
| CVE-2025-14404 | 1 Pdfsam | 1 Enhanced | 2026-01-15 | N/A | 7.0 HIGH |
| PDFsam Enhanced XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27498. | |||||
| CVE-2025-14403 | 1 Pdfsam | 1 Enhanced | 2026-01-15 | N/A | 7.8 HIGH |
| PDFsam Enhanced Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27500. | |||||
| CVE-2025-14402 | 1 Pdfsam | 1 Enhanced | 2026-01-15 | N/A | 7.0 HIGH |
| PDFsam Enhanced DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27499. | |||||
| CVE-2025-14414 | 1 Sodapdf | 1 Soda Pdf Desktop | 2026-01-07 | N/A | 7.8 HIGH |
| Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Word files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27496. | |||||
| CVE-2025-14416 | 1 Pdfforge | 1 Pdf Architect | 2026-01-02 | N/A | 7.0 HIGH |
| pdfforge PDF Architect DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27503. | |||||
| CVE-2025-14418 | 1 Pdfforge | 1 Pdf Architect | 2026-01-02 | N/A | 7.0 HIGH |
| pdfforge PDF Architect XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27502. | |||||
| CVE-2025-14417 | 1 Pdfforge | 1 Pdf Architect | 2026-01-02 | N/A | 7.8 HIGH |
| pdfforge PDF Architect Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27501. | |||||
| CVE-2024-3044 | 3 Debian, Fedoraproject, Libreoffice | 3 Debian Linux, Fedora, Libreoffice | 2025-12-10 | N/A | 6.5 MEDIUM |
| Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted. | |||||
| CVE-2025-0092 | 1 Google | 1 Android | 2025-09-02 | N/A | 6.5 MEDIUM |
| In handleBondStateChanged of AdapterService.java, there is a possible permission bypass due to misleading or insufficient UI. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-2450 | 1 Ni | 1 Vision Builder Ai | 2025-08-18 | N/A | 8.8 HIGH |
| NI Vision Builder AI VBAI File Processing Missing Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI Vision Builder AI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of VBAI files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22833. | |||||
| CVE-2025-31334 | 1 Rarlab | 1 Winrar | 2025-07-01 | N/A | 6.8 MEDIUM |
| Issue that bypasses the "Mark of the Web" security warning function for files when opening a symbolic link that points to an executable file exists in WinRAR versions prior to 7.11. If a symbolic link specially crafted by an attacker is opened on the affected product, arbitrary code may be executed. | |||||
| CVE-2024-2609 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Thunderbird | 2025-04-01 | N/A | 6.1 MEDIUM |
| The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10. | |||||
| CVE-2024-30057 | 1 Microsoft | 1 Edge | 2024-11-21 | N/A | 5.4 MEDIUM |
| Microsoft Edge for iOS Spoofing Vulnerability | |||||