11280 matches found
CVE-2026-12565 Path Traversal (Zip-Slip) in unarchive module
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...
CVE-2026-48055
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction,...
CVE-2026-48055
Streambert (Electron-based desktop app) has a Zip Slip vulnerability in its subtitle extraction logic affecting versions up to 2.4.0. The code concatenates raw archive entry names to a temporary directory, enabling path traversal and arbitrary file writes if a malicious ZIP with traversal sequenc...
CVE-2026-48055 Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction,...
Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware
The North Korean state-sponsored hacking group known as ScarCruft aka APT37 has been observed using spear-phishing messages impersonating Microsoft Account security notifications to deliver a new malware called NarwhalRAT. "The attack email contained a message impersonating an MS account security...
[SECURITY] Fedora 44 Update: 7zip-26.01-1.fc44
7-Zip is a file archiver with a high compression ratio. The main features of 7-Zip are: High compression ratio in 7z format with LZMA and LZMA2 compression Supported formats: Packing / unpacking: 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM Unpacking only: AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT,...
PT-2026-50120
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction,...
CVE-2018-25437
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...
CVE-2018-25437
CVE-2018-25437 concerns WordPress CherryFramework Themes 3.1.4, where an information disclosure vulnerability lets unauthenticated attackers download sensitive backup files via download_backup.php in admin/data_management, exposing the entire wp-content/themes directory. According to the provided...
CVE-2018-25437 WordPress CherryFramework Themes 3.1.4 Backup File Download
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...
CVE-2018-25437 WordPress CherryFramework Themes 3.1.4 Backup File Download
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...
PT-2026-49592
Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS a zip bomb edge case. Workaround...
SUSE SLES15 Security Update : python (SUSE-SU-2026:2387-1)
The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2387-1 advisory. This update for python fixes the following issues - CVE-2026-1703: files may be extracted outside the installation directory when installing an...
EUVD-2025-210130
Heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus ...
CVE-2025-7011
Heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus ...
CVE-2025-7011
This CVE-2025-7011 describes a heap out-of-bounds read in the Avast Gen Digital antivirus engine when processing a malformed ZIP containing XML, potentially enabling local code execution or antivirus process denial-of-service. Affected products include Avast Antivirus, AVG Antivirus, Norton Antiv...
CVE-2025-7011 Avast antivirus heap OOB when scanning a malformed zip file
Heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus ...
CVE-2025-7011 Avast antivirus heap OOB when scanning a malformed zip file
Heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus ...
GHSA-GXJX-7M74-HCQ8 File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames
Summary filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes \ is only a path separator on Windows. A file whose name contains Windows-style traversal ......\evil.txt is accepted by the resource...
Security update for python
This update for python fixes the following issues CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives bsc1257599. CVE-2026-3219: pip doesn't reject concatenated ZIP bsc1262429. CVE-2026-4786: Incomplete...