
44531 matches found

CVE
added 2026/05/08 6:51 p.m., 20 views

CVE-2026-29201

Insufficient input validation in the feature::LOADFEATUREFILE AdminBin call in cPanel/WHM can lead to arbitrary file read when a relative file path is supplied. Affected product/version scope includes cPanel/WHM prior to versions listed as fixed in PT-2026-38673 (and WP Squared) such as 11.136.0....

CVSS 8.6 | AI score 6.1 | EPSS 0.00435
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/08 6:51 p.m., 6 views

CVE-2026-29201

Insufficient input validation of the feature file name in feature::LOADFEATUREFILE adminbin call can cause arbitrary file read when a relative file path is passed...

CVSS 8.6 | AI score 5.9 | EPSS 0.00435
Exploits: 0 | References: 1
Cvelist
added 2026/05/08 6:51 p.m., 37 views

CVE-2026-29201

Insufficient input validation of the feature file name in feature::LOADFEATUREFILE adminbin call can cause arbitrary file read when a relative file path is passed...

CVSS 8.6 | EPSS 0.00435
Exploits: 0 | References: 1
OSV
added 2026/05/08 6:31 p.m., 6 views

GHSA-3RF6-X59V-5JFV dash-uploader has a directory traversal vulnerability

Impact An unauthenticated path traversal vulnerability exists in dash-uploader versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at dashuploader/httprequesthandler.py reads three form parameters uploadid, resumableFilename, resumableIdentifier from request.form.get and passes the...

CVSS 9.8 | AI score 6 | EPSS 0.05982
Exploits: 4 | References: 8
Github Security Blog
added 2026/05/08 6:31 p.m., 9 views

dash-uploader has a directory traversal vulnerability

Impact An unauthenticated path traversal vulnerability exists in dash-uploader versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at dashuploader/httprequesthandler.py reads three form parameters uploadid, resumableFilename, resumableIdentifier from request.form.get and passes the...

CVSS 9.8 | AI score 6 | EPSS 0.05982
Exploits: 4 | References: 8 | Affected Software: 1
UbuntuCve
added 2026/05/08 2:16 p.m., 9 views

CVE-2026-41493

YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions...

CVSS 7.5 | AI score 5.9 | EPSS 0.00388
Exploits: 0 | References: 3
CVE
added 2026/05/08 1:38 p.m., 16 views

CVE-2026-44340

PraisonAI prior to 4.6.37 does not validate member.linkname or reject symlink/hardlink archive members in _safe_extractall, and calls tar.extractall(dest_dir) without a data filter. A bundle could contain a symlink inside dest_dir with a linkname outside it, followed by a file path traversing the...

CVSS 8.7 | AI score 5.9 | EPSS 0.00433
Exploits: 1 | References: 1 | Affected Software: 1
ATTACKERKB
added 2026/05/08 1:38 p.m., 7 views

CVE-2026-44340

PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate...

CVSS 8.7 | AI score 5.9 | EPSS 0.00433
Exploits: 1 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/05/08 1:32 p.m., 8 views

CVE-2026-44336

PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a pat...

CVSS 9.4 | AI score 6.3 | EPSS 0.00619
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2026/05/08 1:32 p.m., 33 views

CVE-2026-44336

PraisonAI MCP server before 4.6.34 registers four file-handling tools (praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, praisonai.workflow.show) that accept paths via MCP tools/call arguments and concatenate them to ~/.praison/rules/ (workflow.show allows absolute paths) with ...

CVSS 9.6 | AI score 6.3 | EPSS 0.00619
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist
added 2026/05/08 1:13 p.m., 34 views

CVE-2026-44127 Local File Inclusion (LFI) and Arbitrary File Deletion

SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the...

CVSS 8.8 | EPSS 0.15653
Exploits: 0 | References: 2
CVE
added 2026/05/08 1:13 p.m., 18 views

CVE-2026-44127

CVE-2026-44127 : SEPPmail Secure Email Gateway prior to 15.0.4 contains an unauthenticated path traversal in the identifier parameter of /api.app/attachment/preview. This allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privile...

CVSS 8.8 | AI score 5.9 | EPSS 0.15653
Exploits: 0 | References: 2
OSV
added 2026/05/08 10:39 a.m., 6 views

SUSE-SU-2026:1764-1 Security update for vim

This update for vim fixes the following issue: Security fixes: - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes bsc1261833. Other fixes: - Update to 9.2.0398. 9.2.0398: MS-Windows: missing strptime support 9.2.0397: tabpanel: double-click opens...

CVSS 7.8 | AI score 6.2 | EPSS 0.0062
Exploits: 0 | References: 3
GithubExploit
added 2026/05/08 8:36 a.m., 119 views

Exploit for Code Injection in Crushftp

CVE-2024-4040 — CrushFTP SSTI / LFI Proof of Concept For...

CVSS 10 | AI score 6.2 | EPSS 0.99539
Exploits: 22
CVE
added 2026/05/08 3:32 a.m., 23 views

CVE-2026-44298

The Kimai CVE-2026-44298 affects Kimai versions 2.32.0–2.55.x. It enables an admin user with upload_invoice_template permission to trigger pdfContext.setOption('associated_files', ...) during sandboxed Twig rendering, forwarding to mPDF2 SetAssociatedFiles() and allowing file_get_contents() on e...

CVSS 4.9 | AI score 5.7 | EPSS 0.00278
Exploits: 0 | References: 2 | Affected Software: 1
Snyk
added 2026/05/08 12:31 a.m., 8 views

Directory Traversal

Overview short-video-maker creates short videos for TikTok, Instagram Reels, and YouTube Shorts using the Model Context Protocol MCP and a REST API. Affected versions of this package are vulnerable to Directory Traversal via the req.params.tmpFile parameter in the REST API. An attacker can...

CVSS 6.9 | AI score 6.3 | EPSS 0.00575
Exploits: 0 | References: 2
CNNVD
added 2026/05/08 12:00 a.m., 8 views

cPanel input validation error vulnerability

cPanel is a web-based automated hosting platform developed by the cPanel company in the United States. This platform is primarily used for automating the management of websites and servers. cPanel has a vulnerability related to input validation errors. This vulnerability stems from insufficient...

CVSS 8.6 | AI score 6.1 | EPSS 0.00435
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/08 12:00 a.m., 12 views

PT-2026-39297

Name of the Vulnerable Software and Affected Versions SharpCompress affected versions not specified Description A path traversal issue exists in the IArchive.WriteToDirectory method, specifically within the WriteToDirectoryInternal and WriteToDirectoryAsyncInternal functions. This allows a...

CVSS 6.5 | AI score 5.9 | EPSS 0.00313
Exploits: 1 | References: 7
CNNVD
added 2026/05/08 12:00 a.m., 14 views

Flarum path traversal vulnerability

Flarum is an open-source forum software developed by Flarum for building communities. Versions of Flarum prior to 1.8.16 and 2.0.0-rc.1 contained a path traversal vulnerability. This vulnerability stemmed from the lack of restrictions on the values of LESS configuration variables, which could lea...

CVSS 4.9 | AI score 5.9 | EPSS 0.00404
Exploits: 0 | References: 1
Positive Technologies
added 2026/05/08 12:00 a.m., 15 views

PT-2026-39282

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.1.124 Description An issue exists in the self-hosted artificial intelligence platform where the application fails to validate or sanitize the filename during file uploads. When attaching files to a prompt via the...

CVSS 7.3 | AI score 5.9 | EPSS 0.00336
Exploits: 1 | References: 6