CVE-2026-33027 Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operati...

Directory Traversal

Overview crewai-tools is a Set of tools for the crewAI framework Affected versions of this package are vulnerable to Directory Traversal via the JSON loader tool due to lack of path validation. An attacker can access arbitrary files on the server by supplying crafted file paths. Details A Directo...

Directory Traversal

Overview @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Directory Traversal due to improper validation of backslashes on...

Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation

Summary The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory /etc/nginx. In particular, this allows an...

GHSA-M8P8-53VF-8357 Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation

Summary The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory /etc/nginx. In particular, this allows an...

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to node modules Hono and Undici

Summary IBM App Connect Enterprise runtime and IBM App Connect Enterprise Discovery Connectors are vulnerable to multiple vulnerabilities due to node modules Hono and Undici. Vulnerability Details CVEID:CVE-2026-29045 DESCRIPTION: Hono is a Web application framework that provides support for any...

SUSE-SU-2026:20982-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: Update to Tomcat 10.1.52: - CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled bsc1252753. - CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat bsc125290...

OPENSUSE-SU-2026:20444-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: Update to Tomcat 10.1.52: - CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled bsc1252753. - CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat bsc125290...

(Pwn2Own) QNAP QHora-322 qvpn_db_mgr role_type Improper Neutralization of Escape Sequences Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected QNAP QHora-322 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the roletype parameter...

Nginx UI 安全漏洞

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI prior to 2.3.4 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of URL-encoded traversal sequences, which could allow authenticated users to delete the entire /etc/nginx director...

PT-2026-29088

Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description Nginx UI improperly handles URL-encoded traversal sequences in its configuration, potentially leading to a partial Denial of Service. Specifically, specially crafted paths can cause the backend to...

Amazon Linux 2023 : gvfs, gvfs-archive, gvfs-client (ALAS2023-2026-1475)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1475 advisory. A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode PASV response. The client...

Amazon Linux 2023 : python3-markdown (ALAS2023-2026-1492)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1492 advisory. Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-...

Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation

The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory /etc/nginx. In particular, this allows an authenticated us...

ANT-2026-9VJ9JJXQ · junrar · Path Traversal

path-traversal medium GHSA-j273-m5qq-6825 Severity Claude high · Security research firm - · Maintainer medium Discovered by Claude Mythos Preview REPORT The report below was sent to the maintainer and sealed at approval. ANT-2026-9VJ9JJXQ: Arbitrary file write due to backslash path traversal...

ANT-2026-VS18SA90 · nginx · Arbitrary File Write

arbitrary-file-write critical CVE-2026-27654 Severity Claude critical · Security research firm critical · Maintainer - Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Calif. ANT-2026-VS18SA90: unauthenticated remot...

Improper Neutralization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Neutralization via the approval prompt process. An attacker can inject malicious ANSI escape sequences into terminal output by supplying crafted tool metadata, potentially spoofi...

OpenClaw has ACP CLI approval prompt ANSI escape sequence injection

Summary ACP CLI approval prompt ANSI escape sequence injection Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.2.13, = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details ACP tool titles could previously...

GHSA-4HMJ-39M8-JWC7 OpenClaw has ACP CLI approval prompt ANSI escape sequence injection

Summary ACP CLI approval prompt ANSI escape sequence injection Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.2.13, = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details ACP tool titles could previously...

CVE-2026-2442

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences 'CRLF Injection' in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on...