Positive Technologies
added 2026/03/24 12:00 a.m. · 9 views

PT-2026-39777

Name of the Vulnerable Software and Affected Versions: macOS Tahoe versions prior to 26.4. Description: A flaw in permissions checking allows a malicious application to access arbitrary files. This issue involves breaking the App Sandbox data containers and Transparency, Consent, and Control (TCC), an...

CVSS 3.3 | AI score 5.9 | EPSS 0.00119
Exploits 0 | References 14
Positive Technologies
added 2026/03/24 12:00 a.m. · 4 views

PT-2026-27576

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 26.4. Description: An issue involving file access was identified and resolved through enhanced input validation. An attacker could potentially gain access to protected areas of the file system. Recommendations: Update to...

CVSS 6.5 | AI score 5.7 | EPSS 0.00336
Exploits 0 | References 4
Debian CVE
added 2026/03/23 11:31 p.m. · 2 views

CVE-2026-33195

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path...

CVSS 9.8 | AI score 5.4 | EPSS 0.00603
Exploits 0
NVD
added 2026/03/23 11:17 p.m. · 6 views

CVE-2026-33046

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVSS 8.8 | EPSS 0.00782
Exploits 0 | References 6
ATTACKERKB
added 2026/03/23 10:45 p.m. · 3 views

CVE-2026-33046

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVSS 7.7 | AI score 5.9 | EPSS 0.00782
Exploits 0 | References 7 | Affected Software 1
Cvelist
added 2026/03/23 10:45 p.m. · 23 views

CVE-2026-33046 Indico discloses local files resulting in Remote Code Execution through LaTeX injection

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVSS 7.7 | EPSS 0.00782
Exploits 0 | References 6
Vulnrichment
added 2026/03/23 10:45 p.m. · 2 views

CVE-2026-33046 Indico discloses local files resulting in Remote Code Execution through LaTeX injection

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVSS 7.7 | AI score 5.9 | EPSS 0.00782
Exploits 0 | References 6
OSV
added 2026/03/23 10:45 p.m. · 2 views

CVE-2026-33046 Indico discloses local files resulting in Remote Code Execution through LaTeX injection

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVSS 7.7 | AI score 6 | EPSS 0.00782
Exploits 0 | References 8
Snyk
added 2026/03/23 9:43 p.m. · 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fromUrl function. An attacker can access sensitive files on the server by supplying a crafted URL, such as a file:// scheme, which is processed without proper validation. This allows the attacker...

CVSS 6.9 | AI score 5.9 | EPSS 0.00383
Exploits 1 | References 2
EUVD
added 2026/03/23 12:30 p.m. · 3 views

EUVD-2026-14396

XML External Entity (XXE) vulnerability in esaml and its forks allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using...

CVSS 6.3 | AI score 5.8 | EPSS 0.00281
Exploits 0 | References 2
Cvelist
added 2026/03/23 10:09 a.m. · 28 views

CVE-2026-28809 XXE in esaml SAML library allows local file read and potential SSRF

XML External Entity (XXE) vulnerability in esaml and its forks allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using...

CVSS 6.3 | EPSS 0.00281
Exploits 0 | References 3
Veracode
added 2026/03/23 6:27 a.m. · 8 views

Path Traversal

croogo/croogo is vulnerable to path traversal. The vulnerability is due to improper validation of the edit-file parameter, which allows an attacker to craft malicious file paths and read arbitrary files on the server...

CVSS 6.5 | AI score 5.9 | EPSS 0.00597
Exploits 2 | References 3 | Affected Software 1
CNNVD
added 2026/03/23 12:00 a.m. · 6 views

Indico operating system command injection vulnerability

Indico is an open-source event management system with rich functionality. Versions of Indico prior to 3.3.12 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the TeXLive vulnerability and ambiguous LaTeX syntax that could be exploited by...

CVSS 8.8 | AI score 6 | EPSS 0.00782
Exploits 0 | References 6
Positive Technologies
added 2026/03/23 12:00 a.m. · 6 views

PT-2026-27283

Name of the Vulnerable Software and Affected Versions: Roadiz versions prior to 2.7.9; Roadiz versions prior to 2.6.28; Roadiz versions prior to 2.5.44; Roadiz versions prior to 2.3.42. Description: Roadiz is a polymorphic content management system based on a node system. A flaw in the...

CVSS 6.8 | AI score 5.8 | EPSS 0.00383
Exploits 1 | References 6
EUVD
added 2026/03/22 3:31 p.m. · 4 views

EUVD-2019-19961

NetNumber Titan Master 7.9.1 contains a path traversal vulnerability in the drp endpoint that allows authenticated users to download arbitrary files by injecting directory traversal sequences. Attackers can manipulate the path parameter with base64-encoded payloads containing ../ sequences to...

CVSS 7.1 | AI score 5.9 | EPSS 0.00622
Exploits 0 | References 4
GithubExploit
added 2026/03/22 12:32 p.m. · 119 views

Exploit for Path Traversal in Apache Http_Server

https://n...

CVSS 9.8 | AI score 5.8 | EPSS 0.99992
Exploits 148
NVD
added 2026/03/22 2:16 a.m. · 6 views

CVE-2026-4532

A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the component Database Backup Handler. The manipulation leads to files or directories accessible. It is...

CVSS 7.5 | EPSS 0.00453
Exploits 1 | References 5
Cvelist
added 2026/03/22 1:32 a.m. · 26 views

CVE-2026-4532 code-projects Simple Food Ordering System Database Backup food.sql file access

A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the component Database Backup Handler. The manipulation leads to files or directories accessible. It is...

CVSS 6.9 | EPSS 0.00453
Exploits 1 | References 5
CNNVD
added 2026/03/22 12:00 a.m. · 7 views

Code-Projects Simple Food Ordering System security vulnerability

Code-Projects Simple Food Ordering System is a simple food ordering system developed by Code-Projects as open source. Versions of the Code-Projects Simple Food Ordering System prior to 1.0 contained security vulnerabilities. These vulnerabilities stemmed from an unknown feature in the database...

CVSS 7.5 | AI score 6 | EPSS 0.00453
Exploits 1 | References 5
Snyk
added 2026/03/20 8:50 p.m. · 2 views

Directory Traversal

Overview: h3 is a minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Directory Traversal via the serveStatic utility. An attacker can access arbitrary files from backend storage by sending specially crafted requests containing...

CVSS 8.7 | AI score 6.4
Exploits 0 | References 2