CVE-2026-29975

lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser lwjsonstream.c. The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causin...

CVE-2026-39844

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...

CVE-2026-48188

An improper Input Validation vulnerability in OTRS or OTRS Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NOBACKSLASHESCAPES SQL mode...

PT-2026-45008

Summary filepath.Base on the Linux container does not strip backslashes , because is only a path separator on Windows. A multipart filename like ........WindowsSystem32evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route returns its...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the validatepathelementntfs function. An attacker can write arbitrary files and potentially execute code in the victim's user context by crafting malicious Git repositories with NTFS-hostile tree entries that are...

CVE-2026-44502

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...

PT-2026-44135

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. The configuration methods allowLinkHosts... and allowLinkSchemes... are intended to restrict targets to an allowlist of hosts/schemes; allowMediaHosts / allowMediaSchemes do the same for etc. Three distinct bypasses all...

CVE-2026-44502

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...

CVE-2026-44502

Bugsink (self-hosted error tracking) has an SSRF bypass vulnerability in the webhook URL validation (validate_webhook_url) affecting versions before 2.1.3. The root cause is a mismatch between Python URL parsing (urllib.parse.urlparse) and the HTTP client stack (requests/urllib3) for malformed in...

CVE-2026-44502

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...

CVE-2018-25374

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and acce...

EUVD-2018-21897

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and acce...

PT-2026-43226

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and acce...

Astra Linux - уязвимость в python3.11, python2.7, python3.7

There is a low-severity vulnerability affecting CPython, specifically the ‘http.cookies’ standard library module. When parsing cookies where quoted characters are represented using backslashes, the parser uses an algorithm with quadratic complexity, resulting in excessive CPU resources being...

EUVD-2026-28787

lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser lwjsonstream.c. The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causin...

CVE-2026-42794

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

PT-2026-39144

Name of the Vulnerable Software and Affected Versions lwjson version 1.8.1 Description Improper input validation in the streaming JSON parser lwjson stream.c occurs because the end-of-string detection logic incorrectly identifies escaped quote characters. The system only checks the immediately...

uutils coreutils has an Improper Input Validation Issue in its env Utility

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S split-string option. In GNU env, backslashes within single quotes are treated literally with the exceptions of \ and '. However, the uutils implementation...

EUVD-2026-25030

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S split-string option. In GNU env, backslashes within single quotes are treated literally with the exceptions of \ and '. However, the uutils implementation...

Linux Distros Unpatched Vulnerability : CVE-2026-35377

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S split-string option. In GN...