GHSA-G239-Q96Q-X4QM @vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint

Summary The /viterscfindSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a file:// URL in the filename query parameter. Severity:...

CVE-2025-68155

@vitejs/plugin-rs provides React Server Components RSC support for Vite. Prior to version 0.5.8, the /viterscfindSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sendi...

EUVD-2025-203834

@vitejs/plugin-rs provides React Server Components RSC support for Vite. Prior to version 0.5.8, the /viterscfindSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sendi...

CVE-2025-68155 @vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development

@vitejs/plugin-rs provides React Server Components RSC support for Vite. Prior to version 0.5.8, the /viterscfindSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sendi...

CVE-2025-68155 @vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development

@vitejs/plugin-rs provides React Server Components RSC support for Vite. Prior to version 0.5.8, the /viterscfindSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sendi...

CVE-2025-68155

The CVE concerns @vitejs/plugin-rsc (used with Vite) in development mode. Prior to version 0.5.8, the endpoint /__vite_rsc_findSourceMapURL accepts a file:// URL in the filename query parameter, converts it to a filesystem path, and reads the target file without validating its location, returning...

CVE-2025-68155 @vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development

@vitejs/plugin-rs provides React Server Components RSC support for Vite. Prior to version 0.5.8, the /viterscfindSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sendi...

CVE-2025-65076 Arbitrary File Read and Delete via Path Traversal in WaveStore Server

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root...

CVE-2025-65076 Arbitrary File Read and Delete via Path Traversal in WaveStore Server

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root...

CVE-2025-65076

Summary: CVE-2025-65076 affects the WaveView client. A path traversal flaw in the ilog script, executed with root privileges on the WaveStore Server, allows a high-privilege attacker to read or delete arbitrary server files. Affected components (from provided sources): WaveView client interfacing...

CVE-2025-65075 Arbitrary File Read and Delete via Path Traversal in WaveStore Server

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script. This iss...

CVE-2025-65075 Arbitrary File Read and Delete via Path Traversal in WaveStore Server

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script. This iss...

CVE-2025-65075

Summary: CVE-2025-65075/65074/65076 pertains to the WaveView client exposing path-traversal vulnerabilities in WaveStore Server commands/scripts. Public reports describe arbitrary file read/delete via path traversal in specific server-side scripts (alog, showerr, ilog) executed with high/root pri...

PT-2025-51776

@vitejs/plugin-rs provides React Server Components RSC support for Vite. Prior to version 0.5.8, the / vite rsc findSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by...

WordPress Wp Job Portal Arbitrary File Read Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation, and WordPress plugin is an application plugin. An arbitrary file read vulnerability exists in WordPress Wp Job Portal, which stems from improper handling of the downloadCustomUploadedFile function, and can be exploited ...

Vite Plugin React 安全漏洞

Vite Plugin React is an open source plugin for Vite. A security vulnerability exists in Vite Plugin React versions prior to 0.5.8 that stems from an arbitrary file read vulnerability in the /viterscfindSourceMapURL endpoint...

Adobe ColdFusion XML External Entity References Improperly Restricted Vulnerability

Adobe ColdFusion is a dynamic Web server platform and application development framework maintained by Adobe for rapidly building and deploying data-driven dynamic Web sites, Web applications, and enterprise-class services. Adobe ColdFusion suffers from an improperly restricted XML external entity...

Directory Traversal

AstrBot is vulnerable to Directory Traversal. The vulnerability is due to an arbitrary file read vulnerability in the encodeimagebs64 function, where attackers can construct malicious URLs to read any specified file, resulting in sensitive data leakage...

XML External Entity (XXE) Injection

peppolpy is vulnerable to XML External Entity XXE injection. The vulnerability is due to insecure Saxon XML parser configuration, where external entities are allowed during XML invoice validation, enabling attackers to read local files and exfiltrate their contents to a remote host...

CVE-2025-13972

The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'whtdownloadbigobjectorigin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handlebigobjectdownloadrequest function. This makes it possible for...