Security Bulletin: IBM App Connect Enterprise is vulnerable to Uncontrolled Recursion due to Node.js module yaml (CVE-2026-33532)

Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to Uncontrolled Recursion due to Node.js module yaml. Vulnerability Details CVEID:CVE-2026-33532 DESCRIPTION: yaml is a...

Security Bulletin: IBM App Connect Enterprise is vulnerable to FTP command injection and denial of service due to Node.js module basic-ftp ( CVE-2026-39983 & CVE-2026-41324 )

Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to FTP command injection and denial of service due to Node.js module basic-ftp. Vulnerability Details CVEID:CVE-2026-399...

Security Bulletin: IBM Cloud Pak for Data System 1.0 is affected by multiple vulnerabilities

Summary IBM Cloud Pak for Data System 1.0 CPDS 1.0 includes multiple third-party components that are affected by various security vulnerabilities. These vulnerabilities include denial of service issues in the Linux kernel and Python components, command injection vulnerabilities in Python's imapli...

PT-2026-48342

Summary Two Net::IMAP commands, id and enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon. Details Whe...

PT-2026-48169

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to...

CVE-2026-36726

The CVE-2026-36726 entry describes an arbitrary file deletion vulnerability in bookcars v8.3, exposed at the /api/delete-temp-license/{file} endpoint. The issue allows unauthenticated attackers to delete arbitrary files by supplying directory traversal sequences. The CVSS v3.1 vector indicates Ne...

CVE-2026-36723

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to...

CVE-2026-36726

An arbitrary file deletion vulnerability in the /api/delete-temp-license/file endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences...

CVE-2026-36723

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to...

CVE-2026-36723

CVE-2026-36723 affects bookcars v8.3. An unrestricted file rename vulnerability in the /api/create-user component allows authenticated attackers to exploit directory traversal to move files from temporary storage to arbitrary locations on the server filesystem, enabling unauthorized access to sen...

CVE-2026-36726

An arbitrary file deletion vulnerability in the /api/delete-temp-license/file endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences...

PT-2026-47764

WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitiv...

PT-2026-47771

Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Attackers can send requests to asgallDownload.php with directory traversal sequences ../ to access sensitive files outside the...

PT-2026-48172

An arbitrary file deletion vulnerability in the /api/delete-temp-license/file endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences...

PT-2026-47773

Mac Photo Gallery 3.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the albid parameter. Attackers can send requests to macdownload.php with directory traversal sequences to access sensitive files like wp-load.php outside...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through the getsummary function in porcelain.formatpatch API. An attacker can cause files to be written outside the intended output directory by crafting commit subjects with path traversal characters, potentially...

Security Bulletin: Langflow OSS affected by vulnerabilies in Axios versions prior to 1.15.0

Summary Langflow OSS affected by vulnerabilies in Axios versions prior to 1.15.0 Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in...

CVE-2026-43966

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cowhttpstructhd:escapestring/2 in cowlib only escapes \ and ", passing all other byt...

Security Bulletin: Multiple vulnerabilities within IBM HTTP Server, affect IBM Tivoli Monitoring.

Summary Multiple vulnerabilities within IBM HTTP Server which is included as part of IBM Tivoli Monitoring ITM portal server have been addressed. Vulnerability Details CVEID:CVE-2025-66200 DESCRIPTION: moduserdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users...

CVE-2026-43966

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cowhttpstructhd:escapestring/2 in cowlib only escapes \ and ", passing all other byt...