Lucene search
K

12348 matches found

NVD
NVD
added last week9 views

CVE-2026-58166

OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing...

9.1CVSS0.00628EPSS
Exploits0References4
EUVD
EUVD
added last week7 views

EUVD-2026-40360

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the...

8.1CVSS5.9AI score0.00766EPSS
Exploits0References6
CVE
CVE
added last week11 views

CVE-2026-58372

SeaweedFS prior to 4.34 is affected by a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to a single bucket can delete arbitrary objects in other tenants’ buckets by sending object keys containing ../ in the DeleteObjects ...

8.1CVSS5.9AI score0.00766EPSS
Exploits0References6
Cvelist
Cvelist
added last week32 views

CVE-2026-58166 OpenBMB ChatDev - Unauthenticated Path Traversal in Upload Handler Allows Arbitrary File Write and Delete

OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing...

9.1CVSS0.00628EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53930

Name of the Vulnerable Software and Affected Versions SeaweedFS versions prior to 4.34 Description A path traversal issue exists in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to one bucket can delete arbitrary objects in buckets belonging to other...

8.1CVSS6AI score0.00766EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/06/29 5:22 p.m.33 views

CVE-2026-57956 SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS0.00177EPSS
Exploits0References2
CVE
CVE
added 2026/06/29 5:20 p.m.11 views

CVE-2026-57950

Summary (CVE-2026-57950): ruoyi-vue-pro before 2026.05 contains a broken access control in ErpSaleOrderController due to incorrect permission namespace enforcement. The controller applies the erp:sale-out namespace instead of the intended erp:sale-order namespace, allowing attackers with erp:sale...

8.6CVSS5.8AI score0.00294EPSS
Exploits0References3
NVD
NVD
added 2026/06/29 3:16 p.m.10 views

CVE-2026-49049

The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters...

7.5CVSS0.00228EPSS
Exploits2References1
CVE
CVE
added 2026/06/29 2:34 p.m.72 views

CVE-2026-49049

The CVE-2026-49049 entry concerns the Helix3 Joomla extension by joomshaper. The vulnerability arises from an exposed ajax handler task within Helix3 that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters. This indicates a remot...

7.5CVSS5.9AI score0.00228EPSS
Exploits2References1Affected Software1
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-377 Langflow Knowledge Bases API is Vulnerable to Path Traversal

Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API DELETE /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit thi...

9.6CVSS6AI score0.04417EPSS
Exploits1References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-358 InvokeAI Arbitrary File Deletion vulnerability

In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...

9.1CVSS7.5AI score0.01348EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-254 AgentScope path traversal vulnerability

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling t...

9.1CVSS7.4AI score0.00953EPSS
Exploits1References8
NVD
NVD
added 2026/06/29 9:16 a.m.10 views

CVE-2026-13549

A security flaw has been discovered in CodeAstro Complaint Management System 1.0. The affected element is the function deletereport of the file application/controllers/Report.php of the component Report Endpoint. The manipulation results in authorization bypass. The attack can be executed remotel...

6.4CVSS0.00293EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/29 8:0 a.m.6 views

EUVD-2026-40051

A security flaw has been discovered in CodeAstro Complaint Management System 1.0. The affected element is the function deletereport of the file application/controllers/Report.php of the component Report Endpoint. The manipulation results in authorization bypass. The attack can be executed remotel...

6.4CVSS5.8AI score0.00293EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.10 views

PT-2026-53282

Name of the Vulnerable Software and Affected Versions Helix3 plugin for Joomla affected versions not specified Description An ajax handler task allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters. Recommendations At the moment,...

7.5CVSS6AI score0.00228EPSS
Exploits2References8
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.15 views

PT-2026-53042

Name of the Vulnerable Software and Affected Versions HD Quiz versions 2.2.0 through 2.2.1 Description The HD Quiz plugin for WordPress contains a Cross-Site Request Forgery CSRF flaw. This occurs because the hdq validate nonce function fails to properly validate nonces, which are unique tokens...

4.3CVSS5.7AI score0.00179EPSS
Exploits0References20
EUVD
EUVD
added 2026/06/26 11:33 p.m.11 views

EUVD-2026-38067

Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/26 9:4 p.m.9 views

EUVD-2026-38058

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call...

8.1CVSS5.8AI score0.00264EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/26 8:49 a.m.6 views

CVE-2026-53193

A flaw was found in the Linux kernel's Advanced Linux Sound Architecture ALSA timer component. This vulnerability occurs when a timer object is freed while timer instances are still associated with it, particularly when userspace-driven timers are involved. A local user can exploit this by...

7.8CVSS5.8AI score0.00141EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.11 views

PT-2026-52778

Name of the Vulnerable Software and Affected Versions Teable affected versions not specified Description The v2 REST API controller lacks @Permissions metadata on ORPC endpoints, which enables authenticated users to bypass authorization checks. This allows unauthorized reading of table schemas,...

8.8CVSS5.8AI score0.00371EPSS
Exploits0References6
Rows per page
Query Builder