20757 matches found

Vulnrichment
added 2026/03/27 2:54 p.m., 3 views

CVE-2026-5027 Langflow - Path Traversal Arbitrary File Write via upload_user_file

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences '../'...

CVSS 8.8, AI score 6, EPSS 0.02289
Exploits: 4, References: 1
CVE
added 2026/03/27 2:54 p.m., 126 views

CVE-2026-5027

Langflow

CVSS 8.8, AI score 6, EPSS 0.02289
In the wild; Exploits: 4, References: 1
SUSE Linux
added 2026/03/27 2:21 p.m., 1 view

Security update for redis

This update for redis fixes the following issue: a user can manipulate data read by a connection by injecting sequences into a Redis error reply (bsc1258706). Patch Instructions: To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch"...

AI score 5.9
Exploits: 0, References: 2
OSV
added 2026/03/27 2:21 p.m., 0 views

SUSE-SU-2026:1122-1 Security update for redis

This update for redis fixes the following issue: - a user can manipulate data read by a connection by injecting sequences into a Redis error reply (bsc1258706)...

AI score 5.9
Exploits: 0, References: 2
OSV
added 2026/03/27 7:10 a.m., 1 view

BIT-NGINX-GATEWAY-2026-28753 NGINX ngx_mail_proxy_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation...

CVSS 6.3, AI score 6, EPSS 0.0025
Exploits: 0, References: 2
OSV
added 2026/03/27 7:10 a.m., 0 views

BIT-NGINX-2026-28753 NGINX ngx_mail_proxy_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation...

CVSS 6.3, AI score 6, EPSS 0.0025
Exploits: 0, References: 2
Snyk
added 2026/03/27 2:24 a.m., 1 view

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal when using a custom frontend. An attacker can write files outside of the intended storage root by crafting a malicious API message when an untrusted frontend is used with a syntax directive or --build-arg BUILDKIT_SYNTAX. Note:...

CVSS 9.8, AI score 6.5, EPSS 0.00498
Exploits: 0, References: 2
IBM Security Bulletins
added 2026/03/27 1:01 a.m., 5 views

Security Bulletin: Security Configuration vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2025-14914)

Summary: IBM WebSphere Application Server Liberty is vulnerable to a remote code execution attack which can affect IBM Spectrum Protect Operations Center. Vulnerability Details: CVEID: CVE-2025-14914. DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a...

CVSS 7.6, AI score 6.7, EPSS 0.0039
Exploits: 0, Affected Software: 1
Snyk
added 2026/03/27 12:23 a.m., 2 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal in the explodeExtension function. An attacker can access unauthorized files by supplying specially crafted file extensions containing path separators. Details: A Directory Traversal attack, also known as path traversal...

CVSS 8.8, AI score 6.5, EPSS 0.00547
Exploits: 0, References: 2
Positive Technologies
added 2026/03/27 12:00 a.m., 7 views

PT-2026-28741

Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.10.0. Description: A path traversal flaw exists in the 'POST /api/v2/files' endpoint due to inadequate sanitization of the filename parameter within multipart form data. This allows an attacker to use traversal...

CVSS 8.8, AI score 6.4, EPSS 0.02289
Exploits: 4, References: 70
CNNVD
added 2026/03/27 12:00 a.m., 5 views

Langflow Security Vulnerability

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Langflow has a security vulnerability that stems from the lack of sanitization of the filename parameter in the multipart form data when the endpoint POST /api/v2/files is used. This...

CVSS 8.8, AI score 5.8, EPSS 0.02289
Exploits: 4, References: 1
Amazon
added 2026/03/27 12:00 a.m., 4 views

Medium: gvfs

Issue Overview: A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint,...

CVSS 4.3, AI score 6.4, EPSS 0.0036
Exploits: 2
Cvelist
added 2026/03/27 12:00 a.m., 18 views

CVE-2026-30303

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

EPSS 0.01376
Exploits: 0, References: 2
Cvelist
added 2026/03/27 12:00 a.m., 20 views

CVE-2026-30302

The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

EPSS 0.01993
Exploits: 0, References: 1
ATTACKERKB
added 2026/03/27 12:00 a.m., 1 view

CVE-2026-30302

The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

AI score 6.2, EPSS 0.01993
Exploits: 0, References: 2
Vulnrichment
added 2026/03/27 12:00 a.m., 1 view

CVE-2026-30303

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

AI score 6.2, EPSS 0.01376
Exploits: 0, References: 2
Vulnrichment
added 2026/03/27 12:00 a.m., 2 views

CVE-2026-30302

The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

AI score 6.2, EPSS 0.01993
Exploits: 0, References: 1
Positive Technologies
added 2026/03/27 12:00 a.m., 2 views

PT-2026-28395

Name of the Vulnerable Software and Affected Versions: CodeRider-Kilo, affected versions not specified. Description: A flaw exists in the command auto-approval module of CodeRider-Kilo that bypasses its whitelist security mechanism, leading to a potential OS Command Injection. This is due to the use ...

CVSS 10, AI score 6.1, EPSS 0.01993
Exploits: 0, References: 3
CNNVD
added 2026/03/27 12:00 a.m., 4 views

GitLab CodeRider-Kilo Security Vulnerability

GitLab CodeRider-Kilo is an artificial intelligence programming assistant provided by GitLab Inc. There is a security vulnerability in GitLab CodeRider-Kilo. This vulnerability stems from the command auto-approval module using an incompatible command parser on the Windows platform and failing to...

CVSS 10, AI score 6.2, EPSS 0.01993
Exploits: 0, References: 1
CNNVD
added 2026/03/27 12:00 a.m., 5 views

Gravity Cloud Services Axon Code Security Vulnerability

Gravity Cloud Services Axon Code is an intelligent code programming assistant provided by Gravity Cloud Services. There is a security vulnerability in Gravity Cloud Services Axon Code. This vulnerability stems from the command auto-approval module using an incompatible command parser on the Windows...

CVSS 9.8, AI score 6.2, EPSS 0.01376
Exploits: 0, References: 2