Security Bulletin: Vulnerabilities in Apache Tomcat and hoek might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Apache Tomcat and hoek. Vulnerabilities include Relative Path Traversal vulnerability in Apache Tomcat, Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat, Improper...

PT-2026-31987

Name of the Vulnerable Software and Affected Versions systemd version 259 Description In systemd 259, the systemd-journald component can transmit ANSI escape sequences to the terminals of arbitrary users when a 'logger -p emerg' command is executed, provided that ForwardToWall=yes is configured...

PT-2026-32053

Name of the Vulnerable Software and Affected Versions gramps-webapi affected versions not specified Description A path traversal vulnerability Zip Slip exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with...

PT-2026-33210

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.4 Description The '/api/av/removeUnusedAttributeView' endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. This allows an attacker to inject...

PT-2026-31962

OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to...

📄 XiboCMS 3.3.4 Traversal / Code Execution

XiboCMS version 3.3.4 zip slip exploit that leverages path traversal and arbitrary file upload vulnerabilities to achieve code execution. Exploit Title: XiboCMS 3.3.4- Remote Code Execution Google Dork: N/A Date: 2025-11-18 Exploit Author: complexusprada Vendor Homepage: https://xibo.org.uk/...

SUSE CVE-2026-40024

The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tskrecover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the helm pull --untar chart URL | repo/chartname command. An attacker can cause files to be written to unintended directories, potentially overwriting existing files or placing malicious files in accessible...

CVE-2026-35615

PraisonAI is a multi-agent teams system. Prior to 1.5.113, validatepath calls os.path.normpath first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal...

CVE-2026-39308

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...

CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

CVE-2026-39981

AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safejoin function in the essentialabilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or...

DEBIAN-CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...