Lucene search

2855 matches found

RedhatCVE
added 2026/01/09 10:33 a.m., 6 views

CVE-2017-18452

cPanel before 64.0.21 allows code execution via Rails configuration files SEC-259...

CVSS 6.7 | AI score 7.6 | EPSS 0.00122
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 10:08 a.m., 7 views

CVE-2019-20843

An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files...

CVSS 7.5 | AI score 7 | EPSS 0.00209
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:59 a.m., 6 views

CVE-2020-7518

A CWE-20: Improper input validation vulnerability exists in Easergy Builder Version 1.4.7.2 and older which could allow an attacker to modify project configuration files...

CVSS 7.5 | AI score 6.8 | EPSS 0.00241
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:53 a.m., 5 views

CVE-2020-10053

A vulnerability has been identified in SIMATIC RTLS Locating Manager All versions V2.12. The affected application writes sensitive data, such as database credentials in configuration files. A local attacker with access to the configuration files could use this information to launch further attack...

CVSS 5.5 | AI score 6.1 | EPSS 0.00025
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:52 a.m., 4 views

CVE-2020-10054

A vulnerability has been identified in SIMATIC RTLS Locating Manager All versions V2.12. The affected application does not properly handle the import of large configuration files. A local attacker could import a specially crafted file which could lead to a denial-of-service condition of the...

CVSS 5.5 | AI score 6.5 | EPSS 0.00045
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:07 a.m., 4 views

CVE-2020-7296

Privilege Escalation vulnerability in McAfee Web Gateway MWG prior to 9.2.1 allows authenticated user interface user to access protected configuration files via improper access control in the user interface...

CVSS 5.7 | AI score 6.7 | EPSS 0.00088
Exploits 0 | References 1
Positive Technologies
added 2026/01/08 12:00 a.m., 4 views

PT-2026-1685

Name of the Vulnerable Software and Affected Versions WP Cost Estimation versions up to and including 9.642 Description The WP Cost Estimation plugin for WordPress is affected by a flaw allowing arbitrary file uploads and deletion. This is due to a lack of file type validation in the lfb upload...

CVSS 9.8 | AI score 7.8 | EPSS 0.00337
Exploits 0 | References 8
OpenVAS
added 2026/01/07 12:00 a.m., 2 views

phpMyFAQ Improper Authorization Vulnerability (GHSA-9cg9-4h4f-j6fg)

phpMyFAQ is prone to an improper authorization vulnerability. SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:phpmyfaq:phpmyfaq";...

CVSS 7.5 | AI score 7 | EPSS 0.02669
Exploits 1 | References 1
CVE
added 2026/01/06 3:52 p.m., 9 views

CVE-2020-36909

CVE-2020-36909 affects SnapGear Management Console SG560 3.1.5. The vulnerability is described as an arbitrary file read/write through the edit_config_files CGI script, where authenticated users can manipulate POST parameters to the /cgi-bin/cgix/edit_config_files endpoint to access and modify fi...

CVSS 8.8 | AI score 6.3 | EPSS 0.00242
Exploits 2 | References 5 | Affected Software 1
CNNVD
added 2026/01/06 12:00 a.m., 2 views

SnapGear Management Console SG560 Path Traversal Vulnerability

SnapGear Management Console SG560 is a versatile network security gateway from SnapGear. A path traversal vulnerability exists in the SnapGear Management Console SG560, which stems from a file manipulation vulnerability in the editconfigfiles CGI script that could result in reading, writing, and...

CVSS 8.8 | AI score 6.7 | EPSS 0.00242
Exploits 2 | References 5
RedhatCVE
added 2026/01/04 10:05 p.m., 6 views

CVE-2025-34171

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under...

CVSS 6.9 | AI score 6.5 | EPSS 0.00053
Exploits 0 | References 1
NVD
added 2026/01/02 5:15 p.m., 2 views

CVE-2025-34171

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under...

CVSS 6.9 | EPSS 0.00053
Exploits 0 | References 3
Github Security Blog
added 2026/01/02 3:11 p.m., 3 views

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Summary An unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files e.g., security.json,...

CVSS 9.6 | AI score 9 | EPSS 0.00164
Exploits 3 | References 5 | Affected Software 1
CVE
added 2026/01/01 6:00 p.m., 31 views

CVE-2025-66398

Summary (CVE-2025-66398) : Signal K Server (signalk-server) before version 2.19.0 is vulnerable to unauthenticated state pollution via the /skServer/validateBackup endpoint. An attacker can pollute the global restoreFilePath, hijack the administrator’s Restore workflow, and overwrite critical con...

CVSS 9.6 | AI score 7.2 | EPSS 0.00164
Exploits 3 | References 2 | Affected Software 1
Github Security Blog
added 2026/01/01 9:30 a.m., 6 views

Feast vulnerable to Deserialization of Untrusted Data

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at feast/sdk/python/feast/infra/computeengines/kubernetes/main.py. The vulnerability arises from the use of yaml.load..., Loader=yaml.Loader to...

CVSS 7.8 | AI score 8.3 | EPSS 0.00324
Exploits 0 | References 5 | Affected Software 1
NVD
added 2025/12/30 8:16 p.m., 4 views

CVE-2025-69257

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when...

CVSS 6.7 | EPSS 0.00004
Exploits 0 | References 2
Vulnrichment
added 2025/12/30 7:15 p.m., 1 view

CVE-2025-69257 theshit vulnerable to unsafe loading of user-owned Python rules when running as root.

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when...

CVSS 6.7 | AI score 7.2 | EPSS 0.00004
Exploits 0 | References 2
Cvelist
added 2025/12/30 7:15 p.m., 23 views

CVE-2025-69257 theshit vulnerable to unsafe loading of user-owned Python rules when running as root.

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when...

CVSS 6.7 | EPSS 0.00004
Exploits 0 | References 2
CVE
added 2025/12/30 7:15 p.m., 7 views

CVE-2025-69257

CVE-2025-69257 (theshit) is a local privilege escalation vulnerability in the command-line tool that loads Python rules/configs from user-writable locations (e.g., ~/.config/theshit/) without validating ownership/permissions when executed with elevated privileges. If invoked with sudo or EUID=0, ...

CVSS 6.7 | AI score 7.2 | EPSS 0.00004
Exploits 0 | References 2
OSV
added 2025/12/30 7:15 p.m., 5 views

CVE-2025-69257 theshit vulnerable to unsafe loading of user-owned Python rules when running as root.

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when...

CVSS 6.7 | AI score 7.5 | EPSS 0.00004
Exploits 0 | References 4