GHSA-2MJQ-54QG-7W6J NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequenc...

NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequenc...

CVE-2026-3339

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the kbdopenuploaddir AJAX action. This is due to insufficient validation of the kbdpath parameter, which is only sanitized with sanitizetextfield - a function that do...

PT-2026-26927

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and...

PT-2026-26925

SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend theme/editcss/ or /backend/backend theme/editjs/ wi...

PT-2026-26922

Green CMS 2.x contains a path traversal vulnerability that allows authenticated attackers to download arbitrary files and directories by injecting directory traversal sequences. Attackers can manipulate the theme name parameter in the themeexporthandle action or supply base64-encoded file paths t...

PT-2026-26798

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated...

Linux Distros Unpatched Vulnerability : CVE-2026-33236

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language...

CVE-2026-3339

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the kbdopenuploaddir AJAX action. This is due to insufficient validation of the kbdpath parameter, which is only sanitized with sanitizetextfield - a function that do...

CVE-2026-3339

The CVE-2026-3339 entry affects the Keep Backup Daily plugin for WordPress (versions ≤ 2.1.1). It enables a Limited Path Traversal via the kbd_open_upload_dir AJAX action because kbd_path is only sanitized with sanitize_text_field(), which does not remove traversal sequences. An authenticated att...

CVE-2026-3339 Keep Backup Daily <= 2.1.1 - Authenticated (Admin+) Limited Path Traversal via 'kbd_path' Parameter

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the kbdopenuploaddir AJAX action. This is due to insufficient validation of the kbdpath parameter, which is only sanitized with sanitizetextfield - a function that do...

CVE-2026-3339 Keep Backup Daily <= 2.1.1 - Authenticated (Admin+) Limited Path Traversal via 'kbd_path' Parameter

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the kbdopenuploaddir AJAX action. This is due to insufficient validation of the kbdpath parameter, which is only sanitized with sanitizetextfield - a function that do...

CVE-2026-3864

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequenc...

DEBIAN-CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-32733

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming DCC SEND requests. A remote IRC user could send a filename with path traversal sequences like ../../.ssh/authorizedkeys and the fil...

CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

UBUNTU-CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-33236

CVE-2026-33236 affects the NLTK downloader in versions up to 3.9.3, where remote XML index processing does not validate the subdir and id attributes. This allows an attacker-controlled XML index server to supply path traversal values (e.g., ../) that can lead to arbitrary directory creation, file...

CVE-2026-33236 NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...