Lucene search
K

606 matches found

NVD
NVD
added 2 days ago6 views

CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS0.00136EPSS
Exploits0References5
NVD
NVD
added 2 days ago6 views

CVE-2026-55874

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS0.00327EPSS
Exploits0References4
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-42285

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS6AI score0.00327EPSS
Exploits0References4
CVE
CVE
added 2026/06/25 4:44 p.m.21 views

CVE-2026-55699

CVE-2026-55699 affects pnpm. Prior to versions 10.34.2 and 11.5.3, manifest bin object keys such as "", ".", and ".." could bypass the bin-name guard. In a scenario where a malicious global package is installed, downstream global remove/update/add-replacement flows could re-derive those names and...

6.5CVSS5.9AI score0.00286EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2026/06/25 2:16 p.m.9 views

CVE-2026-56122

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traver...

8.7CVSS0.00377EPSS
Exploits0References3
CVE
CVE
added 2026/06/25 1:34 p.m.13 views

CVE-2026-56122

Winstone Servlet Engine up to version 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences not sanitized when serving static files from the configured webroot. Attackers can traverse ...

8.7CVSS6AI score0.00377EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/25 1:34 p.m.38 views

CVE-2026-56122 Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traver...

8.7CVSS0.00377EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.8 views

PT-2026-52524

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.2 pnpm versions prior to 11.5.3 Description Manifest bin object keys such as "", ".", and ".." bypass the bin-name guard. If a malicious package is installed globally, subsequent global remove, update, or...

6.5CVSS5.8AI score0.00286EPSS
Exploits1References6
Snyk
Snyk
added 2026/06/22 8:18 p.m.3 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the handler/router.go process. An attacker can access arbitrary files on the host filesystem by sending requests with percent-encoded backslashes %5C that bypass path sanitization. Details A Directory Traversal...

8.7CVSS6.5AI score0.00408EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/10 11:12 p.m.9 views

Directory Traversal

Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.8CVSS6.2AI score0.00128EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.14 views

Apache Airflow 路径遍历漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a path traversal vulnerability in the Apache...

6.5CVSS5.4AI score0.00695EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.10 views

CVE-2026-4917

IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to write arbitrary files on the system...

4.9CVSS5.6AI score0.00356EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 1:3 p.m.14 views

EUVD-2026-33305

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded...

6.9CVSS6AI score0.00455EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/27 2:12 p.m.10 views

CVE-2026-3345

IBM Langflow Desktop =1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to view arbitrary files on the system...

6.5CVSS6AI score0.00374EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 12:25 p.m.43 views

CVE-2026-3366 InfoSphere Optim Test Data Fabrication is affected by Arbitrary File Read

IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to view...

7.5CVSS0.00596EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/19 3:38 p.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to improper path validation in the repository checkout process. An attacker can modify files outside the intended target directory, including .git directories, by supplying a maliciously crafted repository payloa...

5.4CVSS6.3AI score0.00297EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 7:26 p.m.38 views

CVE-2026-42882 oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the...

9.4CVSS0.00554EPSS
Exploits0References3
CVE
CVE
added 2026/05/11 7:26 p.m.13 views

CVE-2026-42882

CVE-2026-42882 affects oxyno-zeta/s3-proxy (Go). Prior to version 5.0.0, an authentication bypass arises from a mismatch between the auth middleware and bucket handler when parsing resource paths. The auth layer uses the percent-encoded request URI (r.URL.RequestURI()) while the bucket handler bu...

9.4CVSS5.8AI score0.00554EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/25 7:22 a.m.11 views

CVE-2026-29050

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...

6.1CVSS5.6AI score0.0014EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/23 11:58 p.m.7 views

CVE-2026-29050 melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...

6.1CVSS5.5AI score0.0014EPSS
Exploits0References1
Rows per page
Query Builder