Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the serveExport process. An attacker can access and exfiltrate sensitive files, including databases and logs, by sending specially crafted requests with double URL encoding to bypass path validation. Details A...

Directory Traversal

Overview @samanhappy/mcphub is an A hub server for mcp servers Affected versions of this package are vulnerable to Directory Traversal in the uploadMcpbFile process when the name field from the uploaded manifest.json is concatenated directly into file system paths without sanitization or...

GHSA-P3H2-2J4P-P83G MCPHub has Path Traversal via Malicious MCPB Manifest Name

MCPB File Upload Handler extracts a ZIP file and reads manifest.json from it. The name field in the manifest is directly concatenated into a file path line 107 without any sanitization or path traversal character validation. An attacker can craft a malicious MCPB file where manifest.name is set t...

MCPHub has Path Traversal via Malicious MCPB Manifest Name

MCPB File Upload Handler extracts a ZIP file and reads manifest.json from it. The name field in the manifest is directly concatenated into a file path line 107 without any sanitization or path traversal character validation. An attacker can craft a malicious MCPB file where manifest.name is set t...

Directory Traversal

Overview i18next-locize-backend is an i18next-locize-backend is a backend layer for i18next to use locize service which can be used in node.js, in the browser and for deno. Affected versions of this package are vulnerable to Directory Traversal via the lng, ns, projectId, or version parameters,...

GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

GHSA-J759-J44W-7FR8 xmldom has XML node injection through unvalidated comment serialization

Summary The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. --- Details The issue is in t...

xmldom has XML node injection through unvalidated comment serialization

Summary The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. --- Details The issue is in t...

CVE-2026-33733

CVE-2026-33733 affects EspoCRM prior to version 9.3.4, where admin TemplateManager endpoints incorrectly handle attacker-controlled name and scope values. This allows an authenticated admin to use directory traversal (../) to escape the intended template directory and read, create, overwrite, or ...

CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

CVE-2026-33733

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

EUVD-2026-25082

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

CVE-2026-34414

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

EUVD-2026-6695

Inspektor Gadget uses unsanitized ANSI Escape Sequences In columns Output Mode...

GHSA-34R5-6J7W-235F Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode

Description String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the...

Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode

Description String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the...

CVE-2026-34414

CVE-2026-34414 affects Xerte Online Toolkits versions ≤ 3.15. A relative path traversal vulnerability exists in the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized for path traversal sequences. An attacker can supply ...

CVE-2026-34414 Xerte Online Toolkits Path Traversal via connector.php

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...