15 matches found

PyPA
added 2026/03/17 8:16 p.m. · 8 views

PYSEC-2026-130

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the...

8.7 CVSS · 7.3 AI score · 0.00125 EPSS
Exploits 1 · References 4 · Affected Software 1

ATTACKERKB
added 2026/03/17 7:33 p.m. · 1 views

CVE-2026-32981

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the...

8.7 CVSS · 5.8 AI score · 0.00125 EPSS
Exploits 1 · References 3

Vulnrichment
added 2026/03/17 7:33 p.m. · 0 views

CVE-2026-32981 Ray Dashboard <= 2.8.0 Path Traversal Leading to Local File Disclosure

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the...

8.7 CVSS · 5.8 AI score · 0.00125 EPSS
Exploits 1 · References 3

OSV
added 2026/03/07 4:0 p.m. · 3 views

CVE-2026-30838 league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names

league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing . For example, would pass through unfiltered and be rendered as a...

5.1 CVSS · 5.6 AI score · 0.00016 EPSS
Exploits 0 · References 3

NVD
added 2026/03/04 8:16 p.m. · 2 views

CVE-2026-28427

OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended...

7.5 CVSS · 0.00091 EPSS
Exploits 1 · References 2

Positive Technologies
added 2026/01/02 12:0 a.m. · 3 views

PT-2026-1090

Name of the Vulnerable Software and Affected Versions: QuMagie versions prior to 2.8.1 Description: A cross-site scripting (XSS) issue exists in QuMagie. This allows remote attackers to potentially bypass security measures or access application data. Recommendations: Update to QuMagie version 2.8.1 or...

6.2 CVSS · 5.8 AI score · 0.00051 EPSS
Exploits 0 · References 6

Cvelist
added 2025/12/10 6:0 a.m. · 24 views

CVE-2025-13073 HandL UTM Grabber / Tracker < 2.8.1 - Reflected XSS via handl_landing_page

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.00029 EPSS
Exploits 0 · References 1

NVD
added 2025/09/17 8:15 p.m. · 5 views

CVE-2025-59340

jinjava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory.constructFromCanonical, it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classe...

10 CVSS · 0.01267 EPSS
Exploits 0 · References 3

CNNVD
added 2025/07/14 12:0 a.m. · 2 views

LaRecipe Security Vulnerability

LaRecipe is software by individual developer Saleem Hadad (سليم حداد) that uses Markdown to write and publish documentation for Laravel applications. A security vulnerability exists in LaRecipe versions prior to 2.8.1 that stems from server-side template injection and could lead to remote code...

10 CVSS · 8.2 AI score · 0.20825 EPSS
Exploits 0 · References 4

OSV
added 2024/12/13 6:15 a.m. · 1 views

CVE-2024-11838

External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1...

9.8 CVSS · 5.8 AI score · 0.00133 EPSS
Exploits 0 · References 1

OSV
added 2024/12/13 6:15 a.m. · 2 views

CVE-2024-11833

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes. This issue affects PlexTrac: from 1.61.3 before 2.8.1...

9.1 CVSS · 5.9 AI score · 0.0025 EPSS
Exploits 0 · References 1

Positive Technologies
added 2024/12/09 12:0 a.m. · 3 views

PT-2024-36097 · Thehp · Thehp Aio Contact

Name of the Vulnerable Software and Affected Versions: Thehp AIO Contact versions prior to 2.8.1 Description: The issue is related to improper neutralization of input during web page generation, which can lead to Cross-site Scripting. Recommendations: For versions prior to 2.8.1, update to a...

7.1 CVSS · 6.8 AI score · 0.00279 EPSS
Exploits 0 · References 4

CNNVD
added 2024/01/24 12:0 a.m. · 3 views

Apache Airflow Security Vulnerability

Apache Airflow is an open source platform from the Apache Foundation (United States) for creating, managing and monitoring workflows. The platform features scalability, dynamic monitoring and other characteristics. An information disclosure vulnerability exists in Apache Airflow versions prior to...

6.5 CVSS · 6.4 AI score · 0.00146 EPSS
Exploits 0 · References 4

CNNVD
added 2022/09/30 12:0 a.m. · 4 views

HTMLy Path Traversal Vulnerability

HTMLy is a PHP-based open source blogging platform. A path traversal vulnerability exists in HTMLy versions prior to 2.8.1. A remote attacker can exploit this vulnerability to delete arbitrary files by means of modified file parameters...

8.1 CVSS · 7.9 AI score · 0.01033 EPSS
Exploits 1 · References 2

CNNVD
added 2022/05/20 12:0 a.m. · 2 views

Google TensorFlow Input Validation Error Vulnerability

Google TensorFlow is an end-to-end open source platform for machine learning from Google (USA). An input validation error vulnerability exists in Google TensorFlow versions prior to 2.9.0, prior to 2.8.1, prior to 2.7.2, and prior to 2.6.4, which stems from the fact that tf.rawops.StagePee...

5.5 CVSS · 5.7 AI score · 0.00055 EPSS
Exploits 1 · References 8