Lucene search
K

253 matches found

OSV
OSV
added 2026/04/09 3:35 p.m.7 views

GHSA-92MM-2PJQ-R785 HashiCorp's go-getter library may allow arbitrary file reads

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package...

7.5CVSS5.8AI score0.00583EPSS
Exploits1References3
OSV
OSV
added 2026/04/09 2:16 p.m.4 views

DEBIAN-CVE-2026-4660

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package...

7.5CVSS5.5AI score0.00583EPSS
Exploits1References1
OSV
OSV
added 2026/04/09 2:16 p.m.5 views

UBUNTU-CVE-2026-4660

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package...

7.5CVSS5.8AI score0.00583EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/09 1:47 p.m.58 views

CVE-2026-4660 Go-getter may allow to arbitrary filesystem reads through git operations

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package...

7.5CVSS0.00583EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/09 1:47 p.m.5 views

CVE-2026-4660

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package...

7.5CVSS6AI score0.00583EPSS
Exploits1References2
CVE
CVE
added 2026/04/09 1:47 p.m.55 views

CVE-2026-4660

CVE-2026-4660 affects HashiCorp go-getter up to v1.8.5, where a crafted URL during certain git operations can cause arbitrary filesystem reads. The issue is fixed in go-getter v1.8.6; the v2 branch/package is unaffected. If you use go-getter, upgrade to v1.8.6 or later. The provided sources do no...

7.5CVSS6AI score0.00583EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/04/07 7:10 p.m.22 views

CVE-2026-39363 Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...

8.2CVSS0.02907EPSS
Exploits3References1
CVE
CVE
added 2026/04/02 4:47 p.m.27 views

CVE-2026-34830

CVE-2026-34830 affects Rack, specifically when using Rack::Sendfile#map_accel_path prior to versions 2.2.23, 3.1.21, and 3.2.6. The vulnerability arises because the X-Accel-Mapping header value is interpolated directly into a regular expression without escaping, allowing an attacker that can supp...

7.5CVSS5.8AI score0.00209EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/04/02 4:47 p.m.17 views

CVE-2026-34830 Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfilemapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not...

5.9CVSS0.00209EPSS
Exploits0References1
OSV
OSV
added 2026/03/31 11:53 p.m.3 views

GHSA-QF48-QFV4-JJM9 OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image

Summary Feishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path. Impact A tool caller constrained to workspace or localRoots paths could exfiltrate arbitrary host files through Feishu upload actions. Affected Component...

6CVSS6AI score0.00339EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.11 views

PHP File Manager 访问控制错误漏洞

PHP File Manager is a complete file system management tool developed by Dulldusk’s developers. Version 1.7.8 of PHP File Manager contains an access control vulnerability, which stems from local file inclusion. This vulnerability could allow unauthenticated attackers to read arbitrary files by...

6.9CVSS5.9AI score0.00557EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/19 1:0 a.m.4 views

CVE-2026-31996 OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags

OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for...

4.4CVSS6.1AI score0.0014EPSS
Exploits0References3
OSV
OSV
added 2026/03/13 9:2 a.m.4 views

BIT-CONSUL-2026-2808 Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...

6.8CVSS5.8AI score0.00475EPSS
Exploits0References2
NVD
NVD
added 2026/03/09 8:16 p.m.13 views

CVE-2026-0846

A vulnerability in the filestring function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by...

8.6CVSS0.00428EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/06 4:55 p.m.5 views

CVE-2025-45691

A flaw was found in Ragas. Improper validation of URLs supplied in the retrievedcontexts parameter when handling multimodal inputs leads to Server-Side Request Forgery SSRF. This vulnerability allows attackers to perform arbitrary file reads, conduct internal port scans and access cloud metadata...

7.5CVSS5.8AI score0.00534EPSS
Exploits1References7
CNNVD
CNNVD
added 2026/03/06 12:0 a.m.5 views

Getsurreal Surreal ToDo 路径遍历漏洞

Getsurreal Surreal ToDo is a task management application developed by Getsurreal. The version 0.6.1.2 of Getsurreal Surreal ToDo contains a path traversal vulnerability. This vulnerability stems from an issue with local file inclusion in the content parameter, which may allow unverified attackers...

6.9CVSS7.4AI score0.008EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/05 7:30 p.m.6 views

CVE-2026-28783

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either ha...

9.4CVSS6.1AI score0.00464EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.8 views

Fonoster 安全漏洞

Fonoster is a cloud communication platform developed by Fonoster. Versions of Fonoster prior to 0.6.1 contained security vulnerabilities. These vulnerabilities were caused by directory traversal vulnerabilities in the VoiceServer endpoints, which could lead to the reading of arbitrary files...

5.8CVSS7.4AI score0.02362EPSS
Exploits1References2
OSV
OSV
added 2026/03/04 7:16 p.m.7 views

PYSEC-2026-98

A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling...

7.5CVSS7.8AI score0.00924EPSS
Exploits3References2
NVD
NVD
added 2026/02/21 12:16 a.m.12 views

CVE-2026-27202

GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication...

8.8CVSS0.00527EPSS
Exploits1References1
Rows per page
Query Builder