CVE-2026-30940

CVE-2026-30940 affects baserCMS prior to version 5.2.3. A path traversal flaw exists in the theme file management API at /baser/api/admin/bc-theme-file/theme_files/add.json, allowing an authenticated administrator to inject ../ sequences in the path and create a PHP file outside the theme directo...

Security Bulletin: Security Vulnerabilities have been found in IBM Verify Identity Access Digital Credentials

Summary Security Vulnerabilities have been addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2026-27837 DESCRIPTION: Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for...

PT-2026-29185

Name of the Vulnerable Software and Affected Versions SciTokens versions prior to 1.9.7 Description SciTokens is a library for generating and using SciTokens. The Enforcer component is susceptible to a path traversal issue. An attacker can exploit this by including 'dot-dot' .. sequences within t...

PT-2026-29152

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API /baser/api/admin/bc-theme-file/theme files/add.json that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path...

CVE-2026-29870

A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpointdir parameter in OfflineACE.run. The savetofile method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to...

CVE-2026-29870

A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpointdir parameter in OfflineACE.run. The savetofile method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to...

PT-2026-29270

A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpoint dir parameter in OfflineACE.run. The save to file method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences...

PT-2026-29424

Name of the Vulnerable Software and Affected Versions FastMCP versions affected versions not specified Description The OpenAPIProvider in FastMCP is susceptible to an authenticated Server-Side Request Forgery SSRF vulnerability due to insufficient URL encoding of path parameters. Specifically, th...

📄 NLTK 3.9.2 Arbitrary File Read / Path Traversal

NLTK versions 3.9.2 and below suffer from an arbitrary file read issue due to a path traversal vulnerability. CVE-2026-0847 — NLTK Multiple CorpusReader Classes: Arbitrary File Read via Path Traversal --- Overview | Field | Details | |---|---| | CVE ID | CVE-2026-0847 | | Package | nltk Natural...

CVE-2026-29870

The CVE-2026-29870 entry describes a directory traversal in the agentic-context-engine (versions up to 0.7.1) that enables arbitrary file writes via the checkpoint_dir parameter in OfflineACE.run. The root cause is that save_to_file in ace/skillbook.py does not normalize or validate filesystem pa...

CVE-2026-29870

A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpointdir parameter in OfflineACE.run. The savetofile method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to...

Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-10.0.1.5)

The version of AHV installed on the remote host is prior to AHV-10.0.1.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-10.0.1.5 advisory. - A vulnerability has been identified in the libarchive library, specifically within the archivereadformatrarseekdata...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through improper validation of URL-encoded traversal sequences in the backend process. An attacker can delete critical configuration directories by supplying specially crafted paths. Details A Directory Traversal...

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.0.2 Vulnerability Details CVEID:CVE-2012-6708 DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable...

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the mediaUrl or fileUrl parameter keys, which are not properly normalized in the relevant process. An attacker can access sensitive files belonging to other agents...

CVE-2026-33027

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operati...

CVE-2026-33027 Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operati...

CVE-2026-33027

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operati...

CVE-2026-33027 Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operati...

CVE-2026-33027

Nginx UI (the web UI for Nginx) prior to version 2.3.4 is affected by improper handling of URL-encoded traversal sequences. When crafted paths are provided, the backend resolves them to the base Nginx configuration directory and can operate on the base directory (/etc/nginx). An authenticated use...