GHSA-HPV8-X276-M59F vLLM Vulnerable to Remote DoS via Special-Token Placeholders

Summary This report explains a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during...

vLLM Vulnerable to Remote DoS via Special-Token Placeholders

Summary This report explains a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during...

GHSA-HMCX-CH82-3FV2 Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component

Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write ZERO-DAY Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection Summary Grav CMS v1.7.49.5 and latest development source is vulnerable to a Zero-Day Path Traversal...

Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component

Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write ZERO-DAY Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection Summary Grav CMS v1.7.49.5 and latest development source is vulnerable to a Zero-Day Path Traversal...

Directory Traversal

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Directory Traversal via the FormFlash process when the sessionid parameter mapped to form-flash-id in POST requests is not properly sanitized...

Directory Traversal

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Directory Traversal via the FormFlash process when the sessionid parameter mapped to form-flash-id in POST requests is not properly sanitized...

Directory Traversal

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal via the setpackagedata function. An attacker can overwrite or create files in arbitrary directories by supplying crafted values to the...

PyLoad Vulnerable to Path Traversal via Package Folder Name

Insufficient sanitization of package folder names allows writing files outside the intended download directory. Affected Component - src/pyload/core/api/init.py - Function: addpackage Description Package folder names are sanitized using insufficient string replacement: python folder =...

GHSA-97R3-5W84-R4Q8 PyLoad Vulnerable to Path Traversal via Package Folder Name

Insufficient sanitization of package folder names allows writing files outside the intended download directory. Affected Component - src/pyload/core/api/init.py - Function: addpackage Description Package folder names are sanitized using insufficient string replacement: python folder =...

Directory Traversal

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal via the addpackage function. An attacker can write files outside the intended download directory by submitting specially crafted folder...

Directory Traversal

Overview wireshark-mcp is an A production-grade Model Context Protocol MCP server for Wireshark Affected versions of this package are vulnerable to Directory Traversal via the wiresharkexportobjects process when the destdir parameter is attacker-controlled and no mandatory path restriction is...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the S3FileMiddleware process. An attacker can access arbitrary files by sending specially crafted requests that escape pre-signed upload locations, causing the application to load files from unintended locations...

MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint

Impact What kind of vulnerability is it? Who is impacted? A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID...

GHSA-XH8F-G2QW-GCM7 MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint

Impact What kind of vulnerability is it? Who is impacted? A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID...

Directory Traversal

Overview github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs. Affected versions of this package are vulnerable to Directory Traversal via the ReadMultiple process. An attacker can access files outside the intended directory by sending a specially...

cPanelSniper-

cPanelSniper CVE-2026-41940 — c...

GHSA-P3HW-MV63-RF9W gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure

Summary Submodule name validation bypass plus missing validation in production code paths allows path traversal via crafted .gitmodules. Combined with a trust inheritance flaw in Submodule::open, this enables reading arbitrary git repository configs including credentials from traversed paths with...

gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure

Summary Submodule name validation bypass plus missing validation in production code paths allows path traversal via crafted .gitmodules. Combined with a trust inheritance flaw in Submodule::open, this enables reading arbitrary git repository configs including credentials from traversed paths with...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper handling of resource path matching and authorization checks. An attacker can gain unauthorized access to protected resources or perform unauthorized actions by crafting requests that exploit...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper handling of resource path matching and authorization checks. An attacker can gain unauthorized access to protected resources or perform unauthorized actions by crafting requests that exploit...