CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

41 matches found

RedhatCVE•added 2026/03/26 3:1 p.m.•2 views

CVE-2026-33166

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file -result.json,...

8.6CVSS6AI score0.00028EPSS

Exploits1References1

vulnersOsv•added 2026/03/21 12:40 a.m.•2 views

com.braimanm:uitaf (>=3.0.0 <=3.2.3), com.braimanm:uitaf-playwright (>=1.0.0-alpha <=1.0.1-alpha) +7 more potentially affected by CVE-2026-33166 via io.qameta.allure:allure-generator (>=2.10.0 <=2.37.0)

io.qameta.allure:allure-generator MAVEN version =2.10.0, =3.0.0, =1.0.0-alpha, =1.1.0, =0.1.17, =0.1.17, =1.0-RC1, =2.10.0, =2.37.0 - org.uitaf:uitaf-playwright =1.0.1 Source cves: CVE-2026-33166 Source advisory: SNYK:JAVA-IOQAMETAALLURE-15763503...

8.6CVSS5.8AI score0.00028EPSS

Exploits1

NVD•added 2026/03/20 10:16 p.m.•3 views

CVE-2026-33166

8.6CVSS0.00028EPSS

Exploits1References1

OSV•added 2026/03/20 9:38 p.m.•1 views

CVE-2026-33166 Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)

8.6CVSS6.1AI score0.00028EPSS

Exploits1References3

ATTACKERKB•added 2026/03/20 9:38 p.m.•1 views

CVE-2026-33166

8.6CVSS6AI score0.00028EPSS

Exploits1References2Affected Software1

CVE•added 2026/03/20 9:38 p.m.•5 views

CVE-2026-33166

CVE-2026-33166 (Allure Report path traversal): Allure 2.x prior to 2.38.0 is vulnerable to arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive ...

8.6CVSS6AI score0.00028EPSS

Exploits1References1Affected Software1

Cvelist•added 2026/03/20 9:38 p.m.•21 views

CVE-2026-33166 Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)

8.6CVSS0.00028EPSS

Exploits1References1

Vulnrichment•added 2026/03/20 9:38 p.m.•1 views

CVE-2026-33166 Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)

8.6CVSS6AI score0.00028EPSS

Exploits1References1

CNNVD•added 2026/03/20 12:0 a.m.•2 views

Allure Report 路径遍历漏洞

Allure Report is a flexible and lightweight multi-language test report tool developed under the Allure Framework. Versions of Allure Report prior to 2.38.0 contained a path traversal vulnerability. This vulnerability stemmed from issues with path traversal during the processing of test results,...

8.6CVSS5.9AI score0.00028EPSS

Exploits1References1

OSV•added 2026/03/18 7:53 p.m.•3 views

GHSA-64HM-GFWQ-JPPW Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)

Summary The Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file -result.json, -container.json, or .plist that points an attachment source to a sensitive file on the host system. During repor...

8.6CVSS6AI score0.00028EPSS

Exploits1References3

vulnersOsv•added 2026/03/18 7:53 p.m.•3 views

8.6CVSS5.8AI score0.00028EPSS

Exploits1

Positive Technologies•added 2026/03/18 12:0 a.m.•5 views

PT-2026-26203

8.6CVSS6.1AI score0.00028EPSS

Exploits1References7

OSV•added 2025/11/24 4:31 p.m.•1 views

MAL-2025-190912 Malicious code in @postman/wdio-allure-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e12dee0f26482378a3726898a1190f71749f0cca809d0d6dc3d9c3419473924f The package @postman/wdio-allure-reporter was found to contain malicious code. Source: google-open-source-security...

6.8AI score

Exploits0References3

OSSF Malicious Packages•added 2025/11/24 4:31 p.m.•4 views

Malicious code in @postman/wdio-allure-reporter (npm)

6.9AI score

Exploits0References3

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2025-19057

Malicious code in bioql PyPI...

7.5CVSS6.3AI score0.00202EPSS

Exploits0References3

Veracode•added 2025/06/27 2:51 p.m.•5 views

XML External Entity (XXE) Injection

Allure is vulnerable to XML External Entity XXE injection. The vulnerability is due to improper XML parser configuration due to insecure settings in the xunit-xml-plugin that allow external entity expansion when processing .xml test result files...

7.5CVSS6.5AI score0.00202EPSS

Exploits0References4Affected Software3

RedhatCVE•added 2025/06/26 8:18 p.m.•9 views

CVE-2025-52888

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity XXE vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser DocumentBuilderFactory and...

7.5CVSS6.9AI score0.00202EPSS

Exploits0References1

Github Security Blog•added 2025/06/25 2:14 p.m.•11 views

Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

Summary A critical XML External Entity XXE vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser DocumentBuilderFactory and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitra...

7.5CVSS7.1AI score0.00202EPSS

Exploits0References4Affected Software3

OSV•added 2025/06/25 2:14 p.m.•4 views

GHSA-H7QF-QMF3-85QG Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

7.5CVSS7.1AI score0.00202EPSS

Exploits0References4

NVD•added 2025/06/24 8:15 p.m.•4 views

CVE-2025-52888

7.5CVSS0.00202EPSS

Exploits0References2

Rows per page