Lucene search: 20802 matches found

ATTACKERKB
added 2026/03/09 9:08 p.m., 8 views

CVE-2026-1776

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality wh...

CVSS 7.7, AI score 5.8, EPSS 0.14859
Exploits 11, References 5, Affected Software 1
Vulnrichment
added 2026/03/09 9:08 p.m., 1 view

CVE-2026-1776 Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality wh...

CVSS 6, AI score 5.8, EPSS 0.00732
Exploits 0, References 4
CVE
added 2026/03/09 9:08 p.m., 91 views

CVE-2026-1776

Camaleon CMS CVE-2026-1776 affects versions 2.4.5.0–2.9.0 prior to commit f54a77e, with a path traversal vulnerability in the CamaleonCmsAwsUploader AWS S3 backend. Authenticated users can trigger download_private_file to bypass path validation (valid_folder_path?) and read arbitrary files on the...

CVSS 6.5, AI score 5.8, EPSS 0.00732
Exploits 0, References 4, Affected Software 1
RedhatCVE
added 2026/03/09 8:10 p.m., 3 views

CVE-2026-29185

A flaw was found in the Backstage SCM (Source Code Management) integration component. This vulnerability allows an attacker to include encoded path traversal sequences within SCM URLs. When these URLs are processed, the traversal segments can redirect requests to unintended SCM provider API...

CVSS 2.7, AI score 5.6, EPSS 0.00348
Exploits 0, References 4
Snyk
added 2026/03/09 7:55 p.m., 4 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via improper sanitization in the cleanUpString function. An attacker can execute arbitrary commands on the server by injecting specially crafted Liquidsoap string interpolation sequences into user-controllable...

CVSS 8.7, AI score 6.1
Exploits 0, References 2
OSV
added 2026/03/09 7:55 p.m., 1 view

GHSA-93FX-5QGC-WR38 AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs

Summary: AzuraCast's ConfigWriter::cleanUpString method fails to sanitize Liquidsoap string interpolation sequences ..., allowing authenticated users with StationPermissions::Media or StationPermissions::Profile permissions to inject arbitrary Liquidsoap code into the generated configuration file...

CVSS 8.7, AI score 6
Exploits 0, References 5
Github Security Blog
added 2026/03/09 7:55 p.m., 5 views

AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs

Summary: AzuraCast's ConfigWriter::cleanUpString method fails to sanitize Liquidsoap string interpolation sequences ..., allowing authenticated users with StationPermissions::Media or StationPermissions::Profile permissions to inject arbitrary Liquidsoap code into the generated configuration file...

AI score 6
Exploits 0, References 5, Affected Software 1
Snyk
added 2026/03/09 7:19 p.m., 1 view

Directory Traversal

Overview: nltk, the Natural Language Toolkit (NLTK), is a Python package for natural language processing. Affected versions of this package are vulnerable to Directory Traversal via the filestring function. An attacker can access sensitive files by supplying specially crafted input paths, such as...

CVSS 8.7, AI score 6.3, EPSS 0.00359
Exploits 1, References 2
Github Security Blog
added 2026/03/09 5:41 p.m., 7 views

Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Impact: The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can u...

CVSS 6.3, AI score 5.8, EPSS 0.00312
Exploits 0, References 3, Affected Software 1
OSV
added 2026/03/09 5:41 p.m., 2 views

GHSA-HM3F-Q6RW-M6WH Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Impact: The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can u...

CVSS 6.3, AI score 5.8, EPSS 0.00312
Exploits 0, References 3
IBM Security Bulletins
added 2026/03/09 5:07 p.m., 5 views

Security Bulletin: Multiple vulnerabilities addressed in Cloudera Base on premises Cloudera Runtime 7.3.1.700 SP3 CHF 2

Summary: Security Bulletin: Multiple vulnerabilities addressed in Cloudera Base on premises Cloudera Runtime 7.3.1.700 SP3 CHF 2. Vulnerability Details: CVE ID: CVE-2025-27221. Description: In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leaka...

CVSS 7.5, AI score 7.2, EPSS 0.42326
Exploits 6, Affected Software 1
IBM Security Bulletins
added 2026/03/09 5:07 p.m., 7 views

Security Bulletin: Common vulnerabilities addressed in Cloudera Observability 3.6.2

Summary: Security Bulletin: Common vulnerabilities addressed in Cloudera Observability 3.6.2. Vulnerability Details: CVE ID: CVE-2025-53864. Description: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested...

CVSS 6.5, AI score 7.2, EPSS 0.10608
Exploits 1, Affected Software 1
RedhatCVE
added 2026/03/09 8:02 a.m., 3 views

CVE-2026-30848

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVSS 6.3, AI score 5.7, EPSS 0.00312
Exploits 0, References 1
RedhatCVE
added 2026/03/09 8:01 a.m., 3 views

CVE-2026-29778

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, AI score 5.7, EPSS 0.00517
Exploits 1, References 1
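The Parse Server entries above (a prefix comparison with no directory-separator boundary) and the pyLoad entry (a single-pass removal of "../") describe two classic ways a path-traversal guard fails. The Python below is an added example written for this page, not code from either project: the root directory, the request strings and the function names are constructed for illustration, and it works on path strings only (posixpath), so it does not model symlinks or the real filesystem. It shows both broken guards next to a separator-aware check.

```python
import posixpath
from typing import Optional

# Constructed example root; nothing here touches the real filesystem.
PAGES_ROOT = "/srv/app/pages"


def serve_prefix_check(root: str, requested: str) -> Optional[str]:
    """Broken guard A: normalise, then test only that the result starts with
    the root string. With no separator boundary, a sibling directory whose
    name merely begins with the root name passes the check."""
    full = posixpath.normpath(posixpath.join(root, requested))
    return full if full.startswith(root) else None


def serve_strip_dotdot(root: str, requested: str) -> str:
    """Broken guard B: a single-pass removal of "../". str.replace does not
    re-scan its own output, so a nested sequence such as "....//" collapses
    back to "../" after the pass and the join still climbs out of the root."""
    cleaned = requested.replace("../", "")
    return posixpath.normpath(posixpath.join(root, cleaned))


def serve_safe(root: str, requested: str) -> Optional[str]:
    """Separator-aware boundary check. Assumes `root` is already absolute,
    normalised and has no trailing slash (hypothetical caller contract).
    A real handler should additionally resolve symlinks (realpath)."""
    if "\0" in requested or posixpath.isabs(requested):
        return None
    full = posixpath.normpath(posixpath.join(root, requested))
    # Accept the root itself or anything strictly below root + "/".
    if full == root or full.startswith(root + "/"):
        return full
    return None


def demo() -> dict:
    """Run the three guards over constructed requests; returns a table of
    (guard, request) -> resolved path or None so results can be checked."""
    requests = [
        "index.html",                    # benign
        "../pages-private/secret.txt",   # sibling-directory escape (guard A)
        "....//etc/passwd",              # nested "../" (guard B)
        "../../etc/passwd",              # plain traversal
        "/etc/passwd",                   # absolute path
    ]
    out = {}
    for req in requests:
        out[("prefix", req)] = serve_prefix_check(PAGES_ROOT, req)
        out[("strip", req)] = serve_strip_dotdot(PAGES_ROOT, req)
        out[("safe", req)] = serve_safe(PAGES_ROOT, req)
    return out


if __name__ == "__main__":
    for (guard, req), path in demo().items():
        print(f"{guard:6} {req!r:32} -> {path}")
```

Guard A lets "../pages-private/secret.txt" through because "/srv/app/pages-private/secret.txt" begins with "/srv/app/pages"; guard B turns "....//etc/passwd" into "../etc/passwd" and resolves to "/srv/app/etc/passwd". The safe variant rejects both, while still serving the odd but in-root name "/srv/app/pages/..../etc/passwd".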
Positive Technologies
added 2026/03/09 12:00 a.m., 3 views

PT-2026-24112

Name of the Vulnerable Software and Affected Versions: Camaleon CMS versions 2.4.5.0 through 2.9.0. Description: Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, have a path traversal issue in the AWS S3 uploader implementation. Authenticated users can read arbitrary files from...

CVSS 6.5, AI score 5.9, EPSS 0.00732
Exploits 0, References 13
Packet Storm News
added 2026/03/09 12:00 a.m., 6 views

Coverage-Guided Multi-Agent Harness Generation for Java Library Fuzzing

Coverage-guided fuzzing has proven effective for software testing, but targeting library code requires specialized fuzz harnesses that translate fuzzer-generated inputs into valid API invocations. Manual harness creation is time-consuming and requires deep understanding of API semantics,...

AI score 5.9
Exploits 0
OSV
added 2026/03/08 12:00 p.m., 2 views

RUSTSEC-2026-0038 RustSec Advisory

Impact: Vulnerability Type: Improper Control of Generation of Code ('Code Injection') (CWE-94) / Improper Check for Unusual or Exceptional Conditions (CWE-754) / Improper Input Validation (CWE-20) / Use of Low-Level Functionality (CWE-695) / Improper Privilege Management (CWE-269) / External Control of System...

CVSS 9.4, AI score 5.9, EPSS 0.0021
Exploits 0, References 3
RustSec
added 2026/03/08 12:00 p.m., 23 views

RustSec Advisory

Impact: Vulnerability Type: Improper Control of Generation of Code ('Code Injection') (CWE-94) / Improper Check for Unusual or Exceptional Conditions (CWE-754) / Improper Input Validation (CWE-20) / Use of Low-Level Functionality (CWE-695) / Improper Privilege Management (CWE-269) / External Control of System...

CVSS 9.4, AI score 5.9, EPSS 0.0021
Exploits 0, Affected Software 1
GithubExploit
added 2026/03/08 2:31 a.m., 190 views

Plasma

Plasma (README badge residue: Python 3.10+, badge image link https://img.shields.io/badge/python-3.10%2B-... truncated)

AI score 6.3
Exploits 0
Positive Technologies
added 2026/03/08 12:00 a.m., 5 views

PT-2026-24192

Name of the Vulnerable Software and Affected Versions: rssn versions prior to 0.2.9. Description: The rssn scientific computing library for Rust has an issue in its JIT (Just-In-Time) compilation engine, which is exposed through the CFFI (Foreign Function Interface). Insufficient input validation and...

CVSS 9.4, AI score 6, EPSS 0.0021
Exploits 0, References 15