
20836 matches found

CNNVD
added 2026/02/24 12:0 a.m., 6 views

wasmtime security vulnerability

Wasmtime is a lightweight WebAssembly runtime open-sourced by the Bytecode Alliance. There is a security vulnerability in Wasmtime, which stems from a defect in the implementation of TypedFunc::callasync when the component-model-async feature is enabled by default. This could lead to a kernel crash...

CVSS 7.5 | AI score 5.8 | EPSS 0.00362
Exploits: 0 | References: 6
CNNVD
added 2026/02/24 12:0 a.m., 4 views

Caddy security vulnerability

Caddy is an open-source, cross-platform HTTP/Web server developed by the Caddy company. Versions of Caddy prior to 2.11.1 contained security vulnerabilities. These vulnerabilities stemmed from the HTTP path request matcher’s sensitivity to case differences when processing patterns that included...

CVSS 9.1 | AI score 5.8 | EPSS 0.0037
Exploits: 1 | References: 2
Positive Technologies
added 2026/02/24 12:0 a.m., 9 views

PT-2026-21802

Name of the Vulnerable Software and Affected Versions Fiber versions 3.0.0 and earlier Fiber versions 3.0.0 through 3.0.0 Description A Path Traversal flaw exists in Fiber, potentially allowing a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file...

CVSS 9.9 | AI score 5.6 | EPSS 0.27661
Exploits: 44 | References: 125
RedHat Linux
added 2026/02/23 7:20 p.m., 0 views

httpd: Apache HTTP Server: CGI environment variable override

A configuration override flaw has been discovered in the Apache HTTP Server. Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server...

CVSS 6.5 | AI score 5.7 | EPSS 0.00758
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/23 7:19 p.m., 4 views

httpd: Apache HTTP Server: CGI environment variable override

A configuration override flaw has been discovered in the Apache HTTP Server. Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server...

CVSS 6.5 | AI score 5.7 | EPSS 0.00758
Exploits: 0 | References: 5
IBM Security Bulletins
added 2026/02/23 9:25 a.m., 25 views

Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for January 2026.

Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.0-IF006. These vulnerabilities have also been addressed in 24.0.1-IF006 and 25.0.0-IF003. Vulnerability Details CVEID:CVE-2018-5711 DESCRIPTION: gdgifin.c in the GD Graphics Library aka libgd, as used in PHP...

CVSS 8.6 | AI score 8.6 | EPSS 0.13446
Exploits: 6 | Affected Software: 1
Positive Technologies
added 2026/02/23 12:0 a.m., 4 views

PT-2026-21834

Name of the Vulnerable Software and Affected Versions Rollup versions prior to 2.80.0 Rollup versions prior to 3.30.0 Rollup versions prior to 4.59.0 Description Rollup, a JavaScript module bundler, contains a flaw due to insecure file name sanitization in its core engine. This allows an attacker...

CVSS 10 | AI score 5.5 | EPSS 0.01195
Exploits: 1 | References: 112
Positive Technologies
added 2026/02/23 12:0 a.m., 3 views

PT-2026-21918

Name of the Vulnerable Software and Affected Versions basic-ftp versions prior to 5.2.0 Description The basic-ftp FTP client library for Node.js contains a path traversal vulnerability CWE-22 in the downloadToDir method. A malicious FTP server can send directory listings with filenames containing...

CVSS 10 | AI score 8.4 | EPSS 0.00528
Exploits: 2 | References: 23
Positive Technologies
added 2026/02/23 12:0 a.m., 1 views

PT-2026-24799

Name of the Vulnerable Software and Affected Versions strukturag libheif versions up to 1.21.2 Description A flaw exists in strukturag libheif, specifically within the Track::load function located in the libheif/sequences/track.cc file, related to the stsz/stts component. This can lead to an...

CVSS 8.8 | AI score 5.6 | EPSS 0.00446
Exploits: 3 | References: 44
GithubExploit
added 2026/02/22 2:26 p.m., 364 views

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Tuzitio Camaleon_Cms

CVE-2024-46987 — Camaleon CMS Arbitrary Path Traversal Fo...

CVSS 7.7 | AI score 5.7 | EPSS 0.14859
Exploits: 11
Huntr
added 2026/02/22 12:40 a.m., 8 views

Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys

Description When loading a Keras model from an Orbax checkpoint directory, the writenesteddicttodir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or path traversal sequences .....

AI score 6
Exploits: 0
GithubExploit
added 2026/02/21 11:10 a.m., 131 views

PortSwigger-DirectroyTraversal

PortSwigger Lab: File Path Traversal Non-Recursive Strip Bypa...

AI score 5.7
Exploits: 0
RedhatCVE
added 2026/02/21 1:28 a.m., 5 views

CVE-2026-26329

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs...

CVSS 7.1 | AI score 5.9 | EPSS 0.00408
Exploits: 0 | References: 1
Snyk
added 2026/02/21 12:35 a.m., 2 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the 'findrunroot function in the FileStore tracking component. An attacker can access arbitrary files on the server by planting a malicious meta.yaml in an artifact folder to redirect artifact URI resolution to...

CVSS 8.4 | AI score 7.7 | EPSS 0.018
Exploits: 0 | References: 2
Snyk
added 2026/02/21 12:35 a.m., 3 views

Directory Traversal

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Directory Traversal via the 'findrunroot function in the FileStore...

CVSS 8.4 | AI score 6.5 | EPSS 0.018
Exploits: 0 | References: 2
SUSE CVE
added 2026/02/21 12:24 a.m., 2 views

SUSE CVE-2026-26064

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writin...

CVSS 9.3 | AI score 5.9 | EPSS 0.0088
Exploits: 1 | References: 3
RedhatCVE
added 2026/02/20 9:49 p.m., 5 views

CVE-2026-2472

A flaw was found in google-cloud-aiplatform. This Stored Cross-Site Scripting XSS vulnerability allows an unauthenticated remote attacker to execute arbitrary JavaScript code within a victim's Jupyter or Colab environment. This is achieved by injecting malicious script escape sequences into model...

CVSS 8.6 | AI score 6 | EPSS 0.00513
Exploits: 2 | References: 4
Snyk
added 2026/02/20 9:31 p.m., 3 views

Cross-site Scripting (XSS)

Overview google-cloud-aiplatform is a Vertex AI API client library Affected versions of this package are vulnerable to Cross-site Scripting XSS via the genai/evalsvisualization component. An attacker can execute arbitrary JavaScript code in a victim's Jupyter or Colab environment by injecting...

CVSS 9 | AI score 5.6 | EPSS 0.00513
Exploits: 2 | References: 2
OSV
added 2026/02/20 9:31 p.m., 4 views

GHSA-QV8J-HGPC-VRQ8 Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)

Stored Cross-Site Scripting XSS in the genai/evalsvisualization component of Google Cloud Vertex AI SDK google-cloud-aiplatform versions from 1.98.0 up to but not including 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment...

CVSS 8.6 | AI score 5.9 | EPSS 0.00513
Exploits: 2 | References: 6
Github Security Blog
added 2026/02/20 9:31 p.m., 9 views

Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)

Stored Cross-Site Scripting XSS in the genai/evalsvisualization component of Google Cloud Vertex AI SDK google-cloud-aiplatform versions from 1.98.0 up to but not including 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment...

CVSS 8.6 | AI score 5.9 | EPSS 0.00513
Exploits: 2 | References: 6 | Affected Software: 1