TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Summary The TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system Details When running tinacms dev, the CLI...

GHSA-M48G-4WR2-J2H6 TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Summary The TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system Details When running tinacms dev, the CLI...

TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete

Summary The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. Details When running tinacms dev, the CLI starts a local HTTP server default port...

GHSA-2F24-MG4X-534Q TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete

Summary The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. Details When running tinacms dev, the CLI starts a local HTTP server default port...

CVE-2026-32251

Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources .xml and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files...

CVE-2026-32251

Tolgee is affected by CVE-2026-32251 before version 3.166.3. The XML parsers used for importing Android XML resources (.xml) and .resx files do not disable external entity processing, allowing an authenticated user who can import translation files to read arbitrary server files and perform server...

EUVD-2026-11691

Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources .xml and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files...

CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

CVE-2026-29066

TinaCMS CLI before 2.1.8 is affected by CVE-2026-29066: the dev server configures Vite with server.fs.strict: false, removing the filesystem restriction and permitting an unauthenticated attacker who can reach the dev server to read arbitrary host files. The issue impacts the TinaCMS CLI devServe...

CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

CVE-2026-28793 Path Traversal Leading to Arbitrary File Read, Write and Delete in TinaCMS

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, th...

CVE-2026-2808

A flaw was found in HashiCorp Consul. When configured with Kubernetes authentication, a highly privileged attacker can exploit this vulnerability to perform arbitrary file reads. This could lead to the disclosure of sensitive information from the system...

Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...

GHSA-CPFQ-66P2-336J Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...

EUVD-2026-11487

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the the Vault Kubernetes Authentication Provider. An attacker can access sensitive files by specifying tokenpath configuration parameter to any file on the Consul server node that later returned as jwt data and sent t...

Security Bulletin: Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider

Summary HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5. Vulnerability Details CVEID:CVE-2026-2808...

DEBIAN-CVE-2026-2808

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...

CVE-2026-2808

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...