pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact. Details Th...

Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a Request Smuggling Vulnerability in Netty (CVE-2025-67735)

Summary Netty is used by IBM DevOps Deploy / IBM UrbanCode Deploy UCD as part of the agent-server and server-server inter-communication services. CVE-2025-67735 Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In version...

CVE-2026-24469

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

PT-2026-4842

Name of the Vulnerable Software and Affected Versions Gakido versions prior to 0.1.1 Description Gakido, a Python HTTP client designed for browser impersonation and anti-bot evasion, contains a flaw that allows for HTTP header injection. This occurs due to the lack of proper sanitization of...

PT-2026-4825

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.28.1 Description pnpm is susceptible to a path traversal issue in its bin linking mechanism. Malicious npm packages can exploit this to create executable shims or symlinks outside of the node modules/.bin directory. T...

openSUSE 16 Security Update : python313 (openSUSE-SU-2026:20081-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20081-1 advisory. - Update to 3.13.11: - Security - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service bsc1254997 ...

Grafana Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

PT-2026-21013

Name of the Vulnerable Software and Affected Versions Loki affected versions not specified Description An issue in the log aggregation and storage system exists due to improper restriction of the directory path name. By using double encoding to bypass validation of the namespace parameter for pat...

PT-2026-4844

Name of the Vulnerable Software and Affected Versions go-tuf versions prior to 2.4.1 Description go-tuf is a Go implementation of The Update Framework TUF. The TAP 4 Multirepo Client uses the map file repository name string repoName as a filesystem path component when selecting the local metadata...

[SECURITY] [DLA 4452-1] apache2 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-4452-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucariès January 24, 2026 https://wiki.debian.org/LTS -...

CVE-2026-21521

Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network...

CVE-2026-24469

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

EUVD-2026-4601

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

CVE-2026-24469

CVE-2026-24469 concerns the C++ HTTP Server (versions 1.0 and below) with a path traversal vulnerability in RequestHandler::handleRequest. The issue stems from failing to sanitize the user-controlled URL path filename before concatenating it to the files_directory base path, enabling an unauthent...

CVE-2026-24469 C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

CVE-2026-24469 C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

CVE-2026-24469

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

PT-2026-4564

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's...

Debian dla-4452 : apache2 - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4452 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4452-1 [email protected]...

CVE-2023-7335

EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames parameter to read arbitrary files from the server filesystem,...