Lucene search
K

261 matches found

NVD
NVD
added yesterday6 views

CVE-2026-61432

PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...

6.9CVSS
Exploits0References3
CVE
CVE
added yesterday6 views

CVE-2026-61432

PraisionAI (praisonaiagents) before 1.6.78 has a path traversal flaw in the FastContext feature. FastContextAgent.execute_tool() only prefixes workspace_path for relative paths and does not reject absolute paths or canonicalize joined paths, allowing tool arguments or model-generated calls to gre...

6.9CVSS6.1AI score
Exploits0References3
CVE
CVE
added yesterday4 views

CVE-2026-61431

PraxionAI (note: the spelling in the record appears as PraisonAI) before version 4.6.78 exposes a path traversal vulnerability in the ContextGatherer. The flaw stems from failing to validate include paths in .praisoncontext and .praisoninclude files, allowing an attacker with local access to supp...

6.8CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added yesterday5 views

EUVD-2026-42898

PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...

6.9CVSS6.1AI score
Exploits0References3
Cvelist
Cvelist
added 2026/06/30 9:27 p.m.32 views

CVE-2026-50003 OFFIS DCMTK Toolkit Path Traversal

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative ../ paths and absolute paths...

9.8CVSS0.00435EPSS
Exploits0References3
CVE
CVE
added 2026/06/30 9:27 p.m.34 views

CVE-2026-50003

The CVE-2026-50003 issue affects the DCMTK toolkit. A malicious or compromised server can exploit the bit-preserving C-GET storage mode in the DCMTK client to write files outside the designated output directory, using both relative (../) paths and absolute paths. Multiple sources (RH CVE entry, E...

9.8CVSS5.8AI score0.00435EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/24 5:13 p.m.5 views

CVE-2026-48789

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared...

4.3CVSS5.9AI score0.00231EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/24 5:13 p.m.10 views

CVE-2026-48789

CVE-2026-48789 affects AnythingLLM on Windows prior to version 1.13.0. The document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared path containment helper rejects POSIX-style "../" traversal but does not reject W...

4.3CVSS5.9AI score0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 5:13 p.m.32 views

CVE-2026-48789 AnythingLLM: Windows path containment bypass in document folder route

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared...

4.3CVSS0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 4:21 p.m.50 views

CVE-2026-55447 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to t...

9.6CVSS0.00411EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51644

Name of the Vulnerable Software and Affected Versions motionEye versions prior to 0.44.0 Description An absolute path traversal issue exists in multiple media file handlers within the media playback and download functionality. The affected handlers accept a user-controlled filename parameter and...

8.7CVSS6AI score0.00623EPSS
Exploits1References8
NVD
NVD
added 2026/06/22 2:17 p.m.10 views

CVE-2026-56446

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a...

8.7CVSS0.00383EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/22 12:31 p.m.8 views

EUVD-2026-38229

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a...

8.7CVSS6.6AI score0.00383EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.19 views

PT-2026-51310

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A site administrator can configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Since log entries can contain attacker-controlled content, an authenticated attacker...

8.7CVSS6.4AI score0.00383EPSS
Exploits0References9
NVD
NVD
added 2026/06/18 4:16 p.m.10 views

CVE-2025-52465

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web pa...

7.2CVSS0.00353EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/17 6:43 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the createuploadfile function. An attacker can exhaust server disk space and obtain sensitive file system information by uploading arbitrary files without authentication and receiving...

9.3CVSS6AI score0.00332EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/17 2:16 p.m.15 views

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator...

4.3CVSS5.3AI score0.00244EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.21 views

PT-2026-49072

Name of the Vulnerable Software and Affected Versions LWS Optimize – All-in-One Speed Booster & Cache Tools versions prior to 3.3.20 Description The plugin is subject to an arbitrary file read issue. This occurs because the combine current css function trusts values harvested from page HTML and...

4.9CVSS5.4AI score0.00336EPSS
Exploits0References6
SUSE CVE
SUSE CVE
added 2026/06/12 2:25 a.m.11 views

SUSE CVE-2026-48855

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh sshsftpd module allows File Discovery. The SSHFXPREADLINK handler in sshsftpd sends the raw result of file:readlink/2 to the client without calling chrootfilename/2 to strip the backend root prefix. An...

2.3CVSS5.3AI score0.00277EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-48855

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh sshsftpd module allows File Discovery. The SSHFXPREADLINK handler in...

6.5CVSS5.9AI score0.00277EPSS
Exploits0References3
Rows per page
Query Builder