21 matches found
CVE-2026-23888 pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: 1. Malicious ZIP entries containing ../ or absolute paths that...
@kcconfigs/commitlint (>=0.1.0-beta.2 <=0.2.0), @pnpm/cache.commands (>=1000.0.52 <=1000.0.54) +35 more potentially affected by CVE-2026-23888 via @pnpm/fetching.binary-fetcher (>=1005.0.0 <=1005.0.1)
@pnpm/fetching.binary-fetcher NPM version =1005.0.0, =0.1.0-beta.2, =1000.0.52, =1001.2.17, =1001.1.13, =1016.0.0, =1002.2.21, =1003.0.24, =1002.0.3, =1000.0.52, =1001.0.16, =1001.1.10, =1002.1.28, =1000.3.8, =1002.0.23, =1000.1.51, =1000.1.53 and more Source cves: CVE-2026-23888 Source advisory:...
CVE-2026-23888
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-26 15:42:53+00:00 | published-proof-of-concept | https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868 |
| 2026-01-27 01:14:58+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mdelh3443z2i... |
CVE-2020-23888
A User Mode Write AV in Editor!TMethodImplementationIntercept+0x53f6c3 of WildBit Viewer v6.6 allows attackers to cause a denial of service (DoS) via a crafted psd file...
CVE-2025-23888
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GrandSlambert Custom Page Extensions custom-page-extensions allows Reflected XSS. This issue affects Custom Page Extensions: from n/a through = 0.6...
CVE-2025-23888
| creationtimestamp | type | source |
|---|---|---|
| 2025-01-24 11:04:52+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/2890 |
| 2025-01-24 11:40:43+00:00 | seen | https://infosec.exchange/users/cve/statuses/113883142065872513 |
| 2025-01-24 12:43:53+00:00 | seen | ... |
CVE-2025-23888 WordPress Custom Page Extensions Plugin <= 0.6 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GrandSlambert Custom Page Extensions custom-page-extensions allows Reflected XSS. This issue affects Custom Page Extensions: from n/a through = 0.6...
CVE-2023-23888
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rank Math Rank Math SEO allows Path Traversal. This issue affects Rank Math SEO: from n/a through 1.0.107.2...
CVE-2023-23888
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rank Math Rank Math SEO allows Path Traversal. This issue affects Rank Math SEO: from n/a through 1.0.107.2...
CVE-2023-23888 WordPress Rank Math SEO plugin <= 1.0.107.2 - Local File Inclusion vulnerability
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rank Math Rank Math SEO allows Path Traversal. This issue affects Rank Math SEO: from n/a through 1.0.107.2...
CVE-2023-23888
The CVE-2023-23888 entry concerns the WordPress Rank Math SEO plugin (
CVE-2024-23888 Cross-Site Scripting (XSS) vulnerability in Cups Easy
A vulnerability has been reported in Cups Easy Purchase & Inventory, version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stocktransactionslist.php, in the itemidy parameter. Exploitation of this...
WordPress Rank Math SEO Plugin <= 1.0.107.2 is vulnerable to Local File Inclusion
Software: Rank Math SEO; Type: Plugin; Vulnerable versions: = 1.0.107.2; Fixed in: 1.0.107.3; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2023-23888; Patch priority: Low; CVSS severity: Low 7.6; Developer: Claim ownership; PSID: e3a7d6a3381a; Credits: Rafie Muhammad Patchstack; Required...
CVE-2020-23888
| creationtimestamp | type | source |
|---|---|---|
| 2021-11-11 00:37:06+00:00 | seen | https://t.me/cibsecurity/32219... |
CVE-2020-23888
A User Mode Write AV in Editor!TMethodImplementationIntercept+0x53f6c3 of WildBit Viewer v6.6 allows attackers to cause a denial of service (DoS) via a crafted psd file...
CVE-2020-23888
A User Mode Write AV in Editor!TMethodImplementationIntercept+0x53f6c3 of WildBit Viewer v6.6 allows attackers to cause a denial of service (DoS) via a crafted psd file...
CVE-2020-23888
WildBit Viewer v6.6 is affected by CVE-2020-23888 due to a User Mode Write AV in Editor!TMethodImplementationIntercept+0x53f6c3, which can be triggered by a specially crafted PSD file to cause a denial of service. Multiple connected sources corroborate the issue and frame it as a buffer-related v...
McAfee ePolicy Orchestrator Multiple Vulnerabilities (SB10352)
The instance of McAfee ePolicy Orchestrator installed on the remote host is potentially affected by the following vulnerabilities: - An unvalidated client-side URL redirect vulnerability exists in McAfee ePolicy Orchestrator (ePO). An unauthenticated, remote attacker could exploit this to cause an...
CVE-2021-23888
| creationtimestamp | type | source |
|---|---|---|
| 2021-03-27 21:28:57+00:00 | published-proof-of-concept | https://t.me/cKure/4574 |
| 2021-03-27 22:24:55+00:00 | published-proof-of-concept | https://t.me/thebugbountyhunter/5270 |
| 2021-03-28 12:54:06+00:00 | published-proof-of-concept | https://t.me/canyoupwnme/67... |
CVE-2021-23888 McAfee ePO unvalidated URL redirect vulnerability
Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user...