GHSA-F84P-CVGM-XGJJ protobuf.js is Vulnerable to OS Command Injection in the CLI

Summary pbts invoked JSDoc by building a shell command string from input file paths and executing it through childprocess.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. Impact An attacker who can...

Microsoft Word Information Disclosure Vulnerability

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally...

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Access of resource using incompatible type 'type confusion' in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally...

CVE-2026-6865

CVE-2026-6865 corresponds to a path traversal vulnerability (CWE-22) arising from improper handling of user-supplied input during server-side file path processing. The connected records describe the issue as allowing unauthorized access to sensitive files due to pathname limitations, with a CVSSv...

SUSE CVE-2025-22242

Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pubret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by...

PT-2026-40533

Name of the Vulnerable Software and Affected Versions protobufjs-cli versions prior to 1.2.1 protobufjs-cli versions prior to 2.0.2 Description The pbts command-line tool invokes JSDoc by constructing a shell command string from input file paths and executing it via child process.exec. File paths...

PT-2026-40231

External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information over a network...

CVE-2026-31237

The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using...

CVE-2026-7817

Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

External control of file name or path in Microsoft Edge Chromium-based allows an unauthorized attacker to disclose information over a network...

CVE-2026-8256 Devs Palace ERP Online mr-save cross site scripting

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. This vulnerability affects unknown code of the file /accounts/mr-save. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. T...

PT-2026-40243

Name of the Vulnerable Software and Affected Versions Microsoft Edge Chromium-based affected versions not specified Description External control of a file name or path allows an unauthorized attacker to disclose sensitive information over a network. Recommendations At the moment, there is no...

EUVD-2026-28955

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicl...

CVE-2026-8219

DevS Palace ERP Online (up to 4.0.0) has a Cross-Site Scripting flaw in the /inventory/supplier-save function. The description notes manipulation leads to XSS and remote exploitation is possible; exploit disclosed publicly. Root cause and exact vulnerable component are not detailed beyond this, a...

Devs Palace ERP Online 跨站脚本漏洞

Devs Palace ERP Online is a cloud-based enterprise resource planning and business management system developed by Devs Palace. Versions of Devs Palace ERP Online 4.0.0 and earlier contained a cross-site scripting vulnerability. This vulnerability originated from an unknown function in the file...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in validatefilepath in viewcomponentssystemtestcontroller.rb, which is accessible via the system test entrypoint. An attacker with access to this endpoint, which is mounted in Rails.env.test?, can read files in a...

EUVD-2026-28810

Insufficient input validation of the feature file name in feature::LOADFEATUREFILE adminbin call can cause arbitrary file read when a relative file path is passed...

CVE-2026-29201

Insufficient input validation in the feature::LOADFEATUREFILE AdminBin call in cPanel/WHM can lead to arbitrary file read when a relative file path is supplied. Affected product/version scope includes cPanel/WHM prior to versions listed as fixed in PT-2026-38673 (and WP Squared) such as 11.136.0....

Directory Traversal

Overview potato-annotation is an A flexible, stand-alone, web-based platform for text annotation tasks Affected versions of this package are vulnerable to Directory Traversal via the validatepathsecurity function. An attacker can gain unauthorized access to files outside the intended project...

PraisonAI 输入验证错误漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.6.34 contained a vulnerability related to input validation errors. This vulnerability stemmed from the file processing tool in the MCP server failing to perform containment...