PT-2026-31426
Name of the Vulnerable Software and Affected Versions LORIS versions 21.0.0 through 27.0.2 and 28.0.0 Description LORIS is a self-hosted web application for neuroimaging research data and project management. A flaw exists where the backend endpoint did not properly verify file access permissions...
CVE-2026-5630
CVE-2026-5630 affects assafelovic gpt-researcher up to version 3.4.3, specifically the Report API component in backend/server/app.py. Manipulation of an unknown function enables cross-site scripting and can be exploited remotely. An exploit has been published; however, no remediation or fixes are...
CVE-2026-26202 Penpot has Arbitrary File Read via create-font-variant RPC endpoint
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path e.g. /etc/passwd as a font data chunk in the create-font-variant RPC endpoint, resulting in the file...
EUVD-2025-31490
Malicious code in bioql PyPI...
Yifang CMS code issue vulnerability
Yifang CMS is a PHP enterprise website development and management system from China Yifang Company. A code issue vulnerability exists in Yifang CMS 2.0.2 and earlier versions, stemming from incorrect handling of the uploadpath parameter of the webUploader function of the...
SUSE CVE-2025-38443
In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path. There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ==================================================================...
AZL-72923 CVE-2025-38443 affecting package kernel for versions less than 5.15.200.1-1
In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path. There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ==================================================================...
DEBIAN-CVE-2025-38443
In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path. There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ==================================================================...
UBUNTU-CVE-2025-38443
In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path. There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ==================================================================...
OpenAgents path traversal vulnerability
OpenAgents is an open language agent platform open-sourced by xlang-ai. OpenAgents has a path traversal vulnerability, stemming from a path traversal problem in the create_upload_file function in the file backend/api/file.py...
CVE-2024-3227
A vulnerability was found in Panwei eoffice OA up to 9.5. It has been declared as critical. This vulnerability affects unknown code of the file /general/system/interface/theme_set/save_image.php of the component Backend. The manipulation of the argument image_type leads to path traversal:...
CVE-2025-3165
A vulnerability classified as critical has been found in thu-pacman chitu 0.1.0. This affects the function torch.load of the file chitu/chitu/backend.py. The manipulation of the argument ckpt_path/quant_ckpt_dir leads to deserialization. The attack has to be approached locally...
PT-2025-14773 · Unknown · Thu-Pacman Chitu
Name of the Vulnerable Software and Affected Versions: thu-pacman chitu version 0.1.0 Description: A critical vulnerability has been found in thu-pacman chitu. This issue affects the torch.load function in the file chitu/chitu/backend.py. The manipulation of the ckpt_path/quant_ckpt_dir argument...
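The torch.load issue in the two chitu entries above is the general pickle problem: a checkpoint file is a pickle stream, and a plain unpickler resolves and calls whatever global the stream names, so an attacker who controls the checkpoint path controls a function call inside the loader. The block below is an added example, not chitu's or PyTorch's code, that reproduces the mechanism with the standard library: a constructed malicious "checkpoint" whose payload makes the loader call os.getcwd (a side-effect-free stand-in for os.system), a plain pickle.loads that runs it, and an allow-list Unpickler that aborts before the callable is resolved. The checkpoint contents, the ALLOWED_GLOBALS set and the function names are assumptions; torch.load's weights_only=True option applies the same allow-list idea to real checkpoints.

```python
import io
import os
import pickle


class MaliciousPayload:
    # Constructed attacker object. On unpickling, the reduce tuple makes the
    # loader call os.getcwd(). A real payload would name os.system or similar;
    # getcwd has no side effects but still proves the call happened.
    def __reduce__(self):
        return (os.getcwd, ())


def build_checkpoint(malicious: bool) -> bytes:
    # Stand-in for a checkpoint file: a dict of "tensors" (plain lists here).
    state = {"layer.weight": [0.1, -0.2, 0.3], "layer.bias": [0.0]}
    if malicious:
        state["layer.weight"] = MaliciousPayload()
    return pickle.dumps(state, protocol=4)


# Globals a checkpoint is allowed to reference (assumed list; extend per model).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    # find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e. for
    # every callable the stream wants resolved. Anything not on the allow-list
    # aborts the load before the attacker-chosen function is even looked up.
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_unrestricted(data: bytes):
    # The vulnerable pattern: trust the stream completely.
    return pickle.loads(data)


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo_checkpoint_loading() -> dict:
    """Load a benign and a malicious checkpoint with both loaders."""
    benign = build_checkpoint(malicious=False)
    evil = build_checkpoint(malicious=True)
    result = {}
    # Plain load: the "weight" entry is replaced by whatever os.getcwd()
    # returned, which shows the attacker's callable ran during deserialisation.
    loaded = load_unrestricted(evil)
    result["unrestricted_ran_callable"] = loaded["layer.weight"] == os.getcwd()
    try:
        load_restricted(evil)
        result["restricted"] = "loaded"
    except pickle.UnpicklingError as exc:
        result["restricted"] = f"blocked: {exc}"
    # The benign checkpoint uses only native container opcodes, so the
    # restricted loader reproduces it unchanged.
    result["benign_restricted_ok"] = load_restricted(benign) == load_unrestricted(benign)
    return result


if __name__ == "__main__":
    print(demo_checkpoint_loading())
```

The allow-list has to be written per model format, which is why generic loaders default to trusting the stream; when the loader cannot be changed, the only remaining control is never letting a client choose the checkpoint path, which is the chitu issue above.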
CVE-2025-2708 zhijiantianya ruoyi-vue-pro Backend File Upload Interface upload path traversal
A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. This affects an unknown part of the file /admin-api/infra/file/upload of the component Backend File Upload Interface. The manipulation of the argument path leads to path traversal. It is possible to...
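The OpenAgents, Panwei eoffice, Yifang CMS and ruoyi-vue-pro entries above share one mechanism: a client-supplied path or directory argument is joined under an upload root without normalisation or a containment check, so ".." segments or an absolute path place the written file wherever the attacker chooses. The block below is an added example, not code from any of those projects: it shows the vulnerable join beside a hardened resolver that normalises both sides and requires the final location to be strictly inside the resolved root. The upload root (a temporary directory), the function names and the test inputs are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would land outside the upload root."""


def vulnerable_target(root: Path, user_path: str, filename: str) -> Path:
    # The pattern the advisories describe: the client-controlled segment is
    # joined under the root with no checks. "../../etc/cron.d" walks out of
    # root; an absolute user_path makes pathlib discard root entirely.
    return root / user_path / filename


def safe_target(root: Path, user_path: str, filename: str) -> Path:
    # Hardened form: reject obviously hostile names, normalise, then check
    # containment against the resolved root (not the lexical one).
    root = root.resolve()
    if (not filename or filename in (".", "..")
            or "/" in filename or "\\" in filename or "\x00" in filename):
        raise PathTraversalError(f"invalid filename {filename!r}")
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PathTraversalError(f"invalid path {user_path!r}")
    # resolve() collapses ".." and follows symlinks for the components that
    # already exist, so a symlink planted inside root cannot redirect the write.
    candidate = (root / user_path / filename).resolve()
    if root not in candidate.parents:
        raise PathTraversalError(f"{user_path!r}/{filename!r} escapes upload root")
    return candidate


def escapes_root(root: Path, target: Path) -> bool:
    # Lexical check used only to show where the vulnerable join would write.
    normalised = Path(os.path.normpath(target))
    return root not in normalised.parents


def demo_upload_paths() -> dict:
    """Run constructed inputs through both versions and summarise the outcome."""
    # Resolve the temp root once so symlinked temp dirs (e.g. macOS /tmp)
    # compare equal to what safe_target resolves internally.
    root = Path(tempfile.mkdtemp(prefix="uploads-")).resolve()
    cases = {
        "benign": ("2024/06", "avatar.png"),
        "dotdot": ("../../etc/cron.d", "job"),
        "absolute": ("/etc", "passwd"),
        "slash_in_name": ("2024", "../../.ssh/authorized_keys"),
        "nul_byte": ("2024", "shell.php\x00.png"),
    }
    summary = {}
    try:
        for name, (user_path, filename) in cases.items():
            unsafe = vulnerable_target(root, user_path, filename)
            try:
                safe_target(root, user_path, filename)
                verdict = "accepted"
            except PathTraversalError:
                verdict = "rejected"
            summary[name] = {
                "vulnerable_escapes": escapes_root(root, unsafe),
                "hardened": verdict,
            }
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return summary


if __name__ == "__main__":
    for case, outcome in demo_upload_paths().items():
        print(f"{case:>14}: {outcome}")
```

The check is on the resolved path, not on the presence of ".." in the input: URL-decoding quirks, overlong segments and symlinks all collapse to the same question of where the final path sits relative to the root.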
CVE-2025-0484
A vulnerability was found in Fanli2012 native-php-cms 1.0 and classified as critical. This issue affects some unknown processing of the file /fladmin/sysconfig_doedit.php of the component Backend. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit h...
CVE-2024-46373
Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend...
Contao code issue vulnerability
Contao is an open source content management system (CMS) developed in PHP by Contao Open Source. It supports search engines, rights management and CSS frameworks. A code issue vulnerability exists in Contao 4.0.0 and prior versions, originating from a backend user with file manager...
NiceGUI security vulnerability
NiceGUI is an easy-to-use, Python-based UI framework open-sourced by NiceGUI. A security vulnerability exists in NiceGUI versions prior to 1.4.21. An attacker exploiting it can read any file on the backend file system...
CVE-2024-28190 Contao core bundle vulnerable to cross site scripting in the file manager
Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.13.40 and 5.3.4, users can inject malicious code into filenames when uploading files in the back end and front end, which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 an...
CVE-2022-40886
DedeCMS 5.7.98 has a file upload vulnerability in the backend...