
6483 matches found

Github Security Blog, added 2026/03/07 2:19 a.m., 8 views

SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage

Summary: A path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token,...

CVSS 9.8, AI score 6.5, EPSS 0.01028
Exploits 1, References 3, Affected Software 1
NVD, added 2026/03/06 3:16 p.m., 14 views

CVE-2026-2753

An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful...

CVSS 7.5, EPSS 0.00451
Exploits 0, References 2
NVD, added 2026/03/06 8:16 a.m., 6 views

CVE-2026-29059

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's getlogfile endpoint "/api/w/workspace/jobsu/getlogfile/filename". The filename parameter is...

CVSS 7.5, EPSS 0.02584
Exploits 0, References 3
Vulnrichment, added 2026/03/06 7:11 a.m., 3 views

CVE-2026-29059 Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's getlogfile endpoint "/api/w/workspace/jobsu/getlogfile/filename". The filename parameter is...

CVSS 6.9, AI score 5.8, EPSS 0.02584
Exploits 0, References 2
Cvelist, added 2026/03/06 7:11 a.m., 95 views

CVE-2026-29059 Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's getlogfile endpoint "/api/w/workspace/jobsu/getlogfile/filename". The filename parameter is...

CVSS 6.9, EPSS 0.02584
Exploits 0, References 2
ATTACKERKB, added 2026/03/06 7:11 a.m., 3 views

CVE-2026-29059

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's getlogfile endpoint "/api/w/workspace/jobsu/getlogfile/filename". The filename parameter is...

CVSS 6.9, AI score 5.8, EPSS 0.02584
Exploits 0, References 3, Affected Software 1
Cvelist, added 2026/03/06 6:54 a.m., 35 views

CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...

CVSS 9.3, EPSS 0.00484
Exploits 1, References 3
Vulnrichment, added 2026/03/06 6:54 a.m., 7 views

CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...

CVSS 9.3, AI score 5.8, EPSS 0.00484
Exploits 1, References 3
CVE, added 2026/03/06 6:54 a.m., 14 views

CVE-2026-29039

Changedetection.io prior to 0.54.4 is vulnerable to an Arbitrary File Read via XPath in include_filters, where unparsed-text() can read files accessible to the application. Affected component is the XPath-based content filter processing using the elementpath parser. Impact includes reading sensit...

CVSS 9.3, AI score 6, EPSS 0.00484
Exploits 1, References 3, Affected Software 1
OSV, added 2026/03/06 6:54 a.m., 6 views

CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...

CVSS 9.3, AI score 5.8, EPSS 0.00484
Exploits 1, References 5
Vulnrichment, added 2026/03/06 4:32 a.m., 3 views

CVE-2026-28679 HomeGallery: Path Traversal (Arbitrary File Read)

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system...

CVSS 8.6, AI score 5.7, EPSS 0.00436
Exploits 1, References 2
Cvelist, added 2026/03/06 4:32 a.m., 28 views

CVE-2026-28679 HomeGallery: Path Traversal (Arbitrary File Read)

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system...

CVSS 8.6, EPSS 0.00436
Exploits 1, References 2
CVE, added 2026/03/06 4:32 a.m., 13 views

CVE-2026-28679

Home-Gallery.org is a self-hosted web gallery. Prior to version 1.21.0, download requests could access files outside the media source directory, allowing retrieval of sensitive system files. The issue is fixed in version 1.21.0. CVSS 3.1 base score: 8.6 (NETWORK, HIGH, Privileges NONE, User Inter...

CVSS 8.6, AI score 5.8, EPSS 0.00436
Exploits 1, References 2, Affected Software 1
OSV, added 2026/03/06 4:32 a.m., 4 views

CVE-2026-28679 HomeGallery: Path Traversal (Arbitrary File Read)

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system...

CVSS 8.6, AI score 5.7, EPSS 0.00436
Exploits 1, References 4
Tenable Nessus, added 2026/03/06 12:00 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-0847

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including...

CVSS 8.6, AI score 7.8, EPSS 0.00924
Exploits 3, References 3
NVD, added 2026/03/05 10:16 p.m., 6 views

CVE-2026-29611

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in the BlueBubbles extension's media path handling (the extension must be installed and enabled) that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...

CVSS 8.2, EPSS 0.00292
Exploits 0, References 3
Cvelist, added 2026/03/05 10:00 p.m., 31 views

CVE-2026-29611 OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in the BlueBubbles extension's media path handling (the extension must be installed and enabled) that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...

CVSS 8.2, EPSS 0.00292
Exploits 0, References 3
EUVD, added 2026/03/05 10:00 p.m., 5 views

EUVD-2026-9935

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in the BlueBubbles extension's media path handling (the extension must be installed and enabled) that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...

CVSS 8.2, AI score 6, EPSS 0.00292
Exploits 0, References 3
Vulnrichment, added 2026/03/05 10:00 p.m., 2 views

CVE-2026-29611 OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in the BlueBubbles extension's media path handling (the extension must be installed and enabled) that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...

CVSS 8.2, AI score 5.9, EPSS 0.00292
Exploits 0, References 3
CVE, added 2026/03/05 10:00 p.m., 26 views

CVE-2026-29611

OpenClaw vulnerability in BlueBubbles extension media path handling affects OpenClaw versions prior to 2026.2.14. The sendBlueBubblesMedia function fails to validate mediaPath against an allowlist, allowing local file inclusion and reading arbitrary files from the host (e.g., /etc/passwd) to be e...

CVSS 8.2, AI score 6, EPSS 0.00292
Exploits 0, References 3, Affected Software 1