Astra Linux - уязвимость в python-django

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method used by "startapp --template" and "startproject --template" allows for directory traversal through archives that contain absolute or relative paths with dot segments...

bun-archive-traversal-poc

Bun Archive Extraction Traversal PoCs Target: oven-sh/bun...

PT-2026-38610

Name of the Vulnerable Software and Affected Versions FacturaScripts affected versions not specified Description A flaw in the Plugins::add function allows for a Zip Slip attack. The system does not properly validate file paths within uploaded ZIP archives in the Plugins.php file. Although the...

CVE-2026-40148

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-006303)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006303 advisory. An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract function, used by the startapp...

CVE-2026-32771

Summary of CVE-2026-32771 (CTFer.io Monitoring) : In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go is vulnerable to a path traversal flaw caused by a missing trailing path separator in a strings.HasPrefix check. This allows an attacker to craft archives that ...

CVE-2026-29064

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or...

BIT-DJANGO-2025-59682

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common...

Updated python-django packages fix a security vulnerability

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...

EUVD-2020-0011

Malware in sbrugna...

EUVD-2025-28315

Malicious code in bioql PyPI...

CVE-2025-59682

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common...

CVE-2025-59682

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common...

CVE-2025-59682

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : vim (SUSE-SU-2025:03300-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03300-1 advisory. Updated to 9.1.1629: - CVE-2025-53905: Fixed malicious tar archive may causing a path traversal...

Linux Distros Unpatched Vulnerability : CVE-2020-10691

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a...

Linux Distros Unpatched Vulnerability : CVE-2020-16116

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal. CVE-2020-1611...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via a two-step extraction process involving a crafted symlink and a subsequent archive containing a relative path that targets a critical file. An attacker can overwrite files outside the intended extraction director...

CVE-2023-32676

Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted T...

GHSA-MR7H-W2QC-FFC2 pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the pluginserver, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path...