CVE-2026-30282

An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure...

Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)

Summary The Capgo CLI writes sensitive local files .capgo API key file and build credentials JSON using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when...

Exploit for CVE-2026-31802

CVE-2026-31802: tar Symlink Path Traversal / Arbitrary File Ov...

CVE-2026-29065 changedetection.io: Zip Slip vulnerability in the backup restore functionality

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4...

PT-2026-23608

Name of the Vulnerable Software and Affected Versions node-tar versions prior to 7.5.10 Description The node-tar package contains a flaw where it can be tricked into creating a hardlink that points outside the extraction directory. This is achieved by using a drive-relative link target, such as...

CVE-2025-66945

CVE-2025-66945 affects Zdir Pro 4.x ZIP extraction API (/api/extract). A path traversal vulnerability can cause files to be written outside the intended directory, enabling arbitrary file overwrites and potentially remote code execution. Connected sources confirm the issue exists; exploitation de...

CVE-2026-26157

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentiall...

PT-2026-7665

Name of the Vulnerable Software and Affected Versions BusyBox affected versions not specified Description A flaw exists in BusyBox’s archive extraction utilities due to incomplete path sanitization. An attacker can create malicious archives that, when extracted under specific conditions, may allo...

CVE-2026-23950

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, In which it has...

CVE-2026-23950 node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, In which it has...

CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...

DEBIAN-CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...

CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...

GHSA-8QQ5-RM4J-MR97 node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

Summary The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and...

node-tar path traversal vulnerability

node-tar is a software package for file compression/decompression developed by Isaacs. Versions of node-tar 7.5.2 and earlier contained a path traversal vulnerability. This vulnerability stemmed from uncleaned link paths, which could lead to arbitrary file overwriting and symbolic link poisoning...

MiracleLinux 8 : socat-1.7.4.1-2.el8_10 (AXSA:2025-10502:01)

The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-10502:01 advisory. socat: arbitrary file overwrite via predictable /tmp directory CVE-2024-54661 Tenable has extracted the preceding description block directly from the...

EUVD-2025-199671

Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive...

CVE-2025-62511

yt-grabber-tui is a C++ terminal user interface application for downloading YouTube content. yt-grabber-tui version 1.0 contains a Time-of-Check to Time-of-Use TOCTOU race condition CWE-367 in the creation of the default configuration file config.json. In version 1.0, loadjsonsettings in...

CVE-2025-62511 yt-grabber-tui local arbitrary file overwrite via TOCTOU race in config file creation

yt-grabber-tui is a C++ terminal user interface application for downloading YouTube content. yt-grabber-tui version 1.0 contains a Time-of-Check to Time-of-Use TOCTOU race condition CWE-367 in the creation of the default configuration file config.json. In version 1.0, loadjsonsettings in...

EUVD-2025-34935

yt-grabber-tui is a C++ terminal user interface application for downloading YouTube content. yt-grabber-tui version 1.0 contains a Time-of-Check to Time-of-Use TOCTOU race condition CWE-367 in the creation of the default configuration file config.json. In version 1.0, loadjsonsettings in...