11225 matches found
CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-28807
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
EEF-CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-30942
A flaw was found in Flare, a file sharing platform. An authenticated path traversal vulnerability exists in the /api/avatars/filename endpoint, allowing a logged-in user to read arbitrary files from the application container. This occurs because the filename parameter is not properly sanitized,...
GO-2026-4646 SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage in github.com/siyuan-note/siyuan/kernel
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage in github.com/siyuan-note/siyuan/kernel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...
CVE-2026-30958
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...
CVE-2026-30958
OneUptime CVE-2026-30958 describes an unauthenticated path traversal vulnerability in the /workflow/docs/:componentName endpoint, where the componentName parameter is directly concatenated into the server file path used by res.sendFile(), enabling arbitrary file reads. Root cause: lack of sanitiz...
CVE-2026-30958 OneUptime: Path Traversal — Arbitrary File Read (No Auth)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...
CVE-2026-30958 OneUptime: Path Traversal — Arbitrary File Read (No Auth)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...
EUVD-2026-10564
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...
CVE-2026-30958 OneUptime: Path Traversal — Arbitrary File Read (No Auth)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...
CVE-2026-30942
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...
CVE-2026-30942 Flare has a Path Traversal in /api/avatars/[filename]
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...
CVE-2026-30942
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...
CVE-2025-41755
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open e.g., /tmp/weblogsomenumber, but this parameter is not properly validated, allowing an attacker to modify it to...
CVE-2026-3585 The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...
CVE-2026-3585 The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...
CVE-2026-3585
The Events Calendar WordPress plugin (up to v6.15.17) is affected by a path traversal vulnerability in the ajax_create_import function. The issue allows authenticated attackers with Author-level access or higher to read arbitrary files on the server, exposing sensitive information. The vulnerabil...
Directory Traversal
Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Directory Traversal via the Loader.candidates resolution when require.resolve is used as a fallback; an attacker can read arbitrary...