CVE-2026-43891

Summary: CVE-2026-43891 and related advisories describe an arbitrary local file read in changedetection.io caused by trusting attacker-controlled history.txt entries restored via crafted backups. Prior to 0.55.1, history values containing path separators are treated as filesystem paths and can re...

JetBrains IntelliJ IDEA Arbitrary Local File Read (CVE-2026-41882)

The version of JetBrains IntelliJ IDEA installed on the remote host is prior to 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, or 2026.1.1. It is, therefore, affected by an arbitrary local file read vulnerability: - In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1...

GHSA-8757-69J2-HX56 changedetection.io has an Arbitrary Local File Read via a crafted backup restore

Details The vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into th...

CVE-2026-33354 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

WWBN AVideo is an open source video platform. In versions up to and including 26.0, POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint...

Astro Development Server has Arbitrary Local File Read

Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to t...

EUVD-2025-198185

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote...

CVE-2024-1561 Arbitrary Local File Read via Component Method Invocation in gradio-app/gradio

An issue was discovered in gradio-app/gradio, where the /componentserver endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the moveresourcetoblockcache method of the Block class, an attacker can copy any fi...

GHSA-RRP4-2XX3-MV29 Command injection in gh-ost

Gh-ost version = 1.1.2 allows users to inject DSN strings via the -database parameter. This is a low severity vulnerability as the attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from ho...

Design/Logic Flaw

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault on all new-window events where the url or options is not...