20901 matches found

Positive Technologies
added 2026/02/03 12:0 a.m. | 4 views

PT-2026-6211

Name of the Vulnerable Software and Affected Versions: melange versions 0.11.3 through 0.40.2. Description: melange is a tool that allows users to build apk packages using declarative pipelines. A security issue exists where an attacker who can influence the tar stream from a QEMU guest VM could wri...

CVSS 8.2 | AI score 5.5 | EPSS 0.00167
Exploits: 0 | References: 10

Positive Technologies
added 2026/02/03 12:0 a.m. | 2 views

PT-2026-6469

An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via ../ sequences. Fix:...

CVSS 8.2 | AI score 5.5 | EPSS 0.00167
Exploits: 0 | References: 5

Positive Technologies
added 2026/02/03 12:0 a.m. | 5 views

PT-2026-21625

Name of the Vulnerable Software and Affected Versions: ImageMagick versions prior to 7.1.2-15; ImageMagick versions prior to 6.9.13-40. Description: ImageMagick is software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the path security policy is enforced...

CVSS 8.6 | AI score 5.9 | EPSS 0.00751
Exploits: 0 | References: 177

GitLab Advisory Database
added 2026/02/03 12:0 a.m. | 5 views

melange QEMU runner could write files outside workspace directory

An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via ../ sequences...

CVSS 8.4 | AI score 5.4 | EPSS 0.00167
Exploits: 0 | References: 5 | Affected Software: 1

NVD
added 2026/02/02 11:16 p.m. | 5 views

CVE-2026-25059

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

CVSS 8.8 | EPSS 0.00598
Exploits: 1 | References: 3

NVD
added 2026/02/02 11:16 p.m. | 7 views

CVE-2025-66480

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

CVSS 9.8 | EPSS 0.01395
Exploits: 0 | References: 3

Snyk
added 2026/02/02 10:26 p.m. | 2 views

Directory Traversal

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the validateAppId function. An attacker can access arbitrary files and directories outside the intended directory by...

CVSS 5.4 | AI score 6.5 | EPSS 0.00384
Exploits: 1 | References: 2

Github Security Blog
added 2026/02/02 10:26 p.m. | 7 views

SignalK Server has Path Traversal leading to information disclosure

Summary: A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId function blocks forward slashes (/) but not backslashes (\), which are treated as...

CVSS 5 | AI score 5.7 | EPSS 0.00384
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/02/02 10:26 p.m. | 4 views

GHSA-VRHW-V2HW-JFFX SignalK Server has Path Traversal leading to information disclosure

Summary: A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId function blocks forward slashes (/) but not backslashes (\), which are treated as...

CVSS 5 | AI score 5.7 | EPSS 0.00384
Exploits: 1 | References: 4

CVE
added 2026/02/02 10:24 p.m. | 10 views

CVE-2026-25059

OpenList Frontend contains a path traversal vulnerability (CWE-22) in multiple file operation handlers (server/handles/fsmanage.go) that was present before version 4.1.10. Filename components in req.Names are concatenated with validated directories via stdpath.Join, allowing ".." sequences to byp...

CVSS 8.8 | AI score 5.5 | EPSS 0.00598
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2026/02/02 10:24 p.m. | 25 views

CVE-2026-25059 OpenList affected by Path Traversal in file copy and remove handlers

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

CVSS 8.8 | EPSS 0.00598
Exploits: 1 | References: 3

Vulnrichment
added 2026/02/02 10:24 p.m. | 3 views

CVE-2026-25059 OpenList affected by Path Traversal in file copy and remove handlers

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

CVSS 8.8 | AI score 5.5 | EPSS 0.00598
Exploits: 1 | References: 3

ATTACKERKB
added 2026/02/02 10:24 p.m. | 3 views

CVE-2026-25059

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

CVSS 8.8 | AI score 5.5 | EPSS 0.00598
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/02/02 10:24 p.m. | 5 views

CVE-2026-25059 OpenList affected by Path Traversal in file copy and remove handlers

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

CVSS 8.8 | AI score 5.6 | EPSS 0.00598
Exploits: 1 | References: 5

Cvelist
added 2026/02/02 9:33 p.m. | 24 views

CVE-2025-66480 Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

CVSS 9.8 | EPSS 0.01395
Exploits: 0 | References: 3

ATTACKERKB
added 2026/02/02 9:33 p.m. | 1 views

CVE-2025-66480

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

CVSS 9.8 | AI score 5.8 | EPSS 0.01395
Exploits: 0 | References: 4 | Affected Software: 1

Vulnrichment
added 2026/02/02 9:33 p.m. | 2 views

CVE-2025-66480 Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

CVSS 9.8 | AI score 5.8 | EPSS 0.01395
Exploits: 0 | References: 3

CVE
added 2026/02/02 9:33 p.m. | 8 views

CVE-2025-66480

CVE-2025-66480 concerns Wildfire IM’s im-server, where the UploadFileAction (endpoint /fs) mishandles uploaded filenames. The writeFileUploadData logic directly concatenates the configured storage directory with the uploaded filename without stripping directory traversal sequences (e.g., ../../),...

CVSS 9.8 | AI score 5.8 | EPSS 0.01395
Exploits: 0 | References: 3 | Affected Software: 1

OSV
added 2026/02/02 9:33 p.m. | 3 views

CVE-2025-66480 Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

CVSS 9.8 | AI score 5.8 | EPSS 0.01395
Exploits: 0 | References: 5

Snyk
added 2026/02/02 8:1 p.m. | 1 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the FsRemove and FsCopy functions. An attacker can access and manipulate files outside of their authorized directory by injecting traversal sequences into filename components. This allows unauthorized file remova...

CVSS 8.8 | AI score 6.4 | EPSS 0.00598
Exploits: 1 | References: 2