PT-2026-35995

LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Buckets component. An attacker can modify or overwrite files in arbitrary locations within the uploads directory by submitting crafted input that exploits directory traversal sequences. Details A Directory...

GNU InetUtils 2.6 - Telnetd Remote Privilege Escalation

Exploit Title: GNU InetUtils telnetd - Remote Privilege Escalation Date: 2026-01-24 Exploit Author: Ali Guliyev infat0x Author GitHub: https://github.com/infat0x Vendor Homepage: https://www.gnu.org/software/inetutils/ Software Link: https://ftp.gnu.org/gnu/inetutils/ Version: GNU InetUtils 2.0...

Security Bulletin: Path Traversal and Arbitrary File Write Vulnerability in IBM Langflow Desktop API v2 File Upload Endpoint

Summary IBM Langflow Desktop contains a vulnerability in its API v2 file upload functionality where the POST /api/v2/files endpoint fails to validate and sanitize user-supplied filenames before passing them to the LocalStorageService, resulting in a path traversal condition that allows...

Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway

Summary Security Vulnerabilities affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-2950 DESCRIPTION: Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the .unset and .omit functions. The fix for CVE-2025-1346...

Five defender priorities from the Talos Year in Review

A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures -- all without code. One such case was recently...

CVE-2026-42037

A flaw was found in Axios, an HTTP client for Node.js. A remote attacker, by controlling the type property of a file-like object, could inject arbitrary MIME part headers into multipart form data. This vulnerability arises from insufficient sanitization of carriage return and line feed CRLF...

Directory Traversal

Overview notes-mcp is a MCP for managing markdown notes with YAML frontmatter Affected versions of this package are vulnerable to Directory Traversal via the rootdir or path arguments in the notesmcp.py process. An attacker can access or modify files outside the intended directory by supplying...

CVE-2026-40923

A flaw was found in Tekton Pipelines. An attacker can bypass restrictions on where volumes can be mounted by using specially crafted paths that include directory traversal sequences e.g., ... This vulnerability, stemming from an incomplete path validation check, could allow unauthorized access to...

Directory Traversal

Overview mkdocs-mcp-plugin is a MCP server for MkDocs documentation with intelligent search and retrieval capabilities Affected versions of this package are vulnerable to Directory Traversal via the readdocument and listdocuments functions in server.py when processing the docsdir or filepath...

From CRUD to Autonomous Agents: Formal Validation and Zero-Trust Security for Semantic Gateways in AI-Native Enterprise Systems

Enterprise software engineering is shifting away from deterministic CRUD/REST architectures toward AI-native systems where large language models act as cognitive orchestrators. This transition introduces a critical security tension: probabilistic LLMs weaken classical mechanisms for validation,...

PT-2026-35816

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.9.0 Description Langflow is a tool for building and deploying AI-powered agents and workflows. A path traversal flaw exists in the Knowledge Bases API endpoint "DELETE /api/v1/knowledge bases" within the delete...

Linux Distros Unpatched Vulnerability : CVE-2026-31459

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - mm/damon/sysfs: fix paramctx leak on damonsysfsnewtestctx failure Patch series mm/damon/sysfs: fix memory leak and NULL dereference issues, v4. DAMONSYSFS can...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : nginx vulnerabilities (USN-8210-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8210-1 advisory. It was discovered that the nginx ngxmailauthhttpmodule module incorrectly handled certain requests. An attacker could possibly use th...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through the shutil.unpackarchive function. An attacker can write files outside the intended extraction directory by supplying a ZIP archive containing absolute Windows paths C:\.... Details A Directory Traversal...

Directory Traversal

Overview kaggle-mcp is an A MCP server for kaggle apis Affected versions of this package are vulnerable to Directory Traversal via the preparekaggledataset function in src/kagglemcp/server.py when processing the competitionid argument. An attacker can access arbitrary files on the server by...

CVE-2026-41465

ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal...

CVE-2026-41463

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences...

CVE-2026-30351

A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files via sending crafted URL path containing traversal sequences...

Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D

Summary Multiple vulnerabilities were addressed in IBM Watsonx BI Assistant for CP4D version 5.3.1.3 Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific...