3346 matches found
CVE-2026-32251 Tolgee has an XXE Injection in Translation Import
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files...
GHSA-2238-XC5R-V9HJ @tinacms/graphql has a Path Traversal issue
TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join without validating that the resolved path...
CVE-2026-31894
WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob and file_get_contents to read SQL files from the extracted contents. Neither the extraction nor the file reading...
Intelbras TIP 200 Lite and Intelbras TELEFONE IP TIP200 security vulnerability
The Intelbras TIP 200 Lite and the Intelbras TELEFONE IP TIP200 are both products of the Brazilian company Intelbras. The Intelbras TIP 200 Lite is an IP phone device. It operates as an IP terminal and supports up to two SIP accounts. It features high voice quality HD Voice, LCD display 2x15, and...
HashiCorp Consul and HashiCorp Consul Enterprise security vulnerability
HashiCorp Consul and HashiCorp Consul Enterprise are both products of the American company HashiCorp. HashiCorp Consul is a distributed, highly available data center awareness solution. It is used for connecting and configuring applications across dynamic distributed infrastructures. HashiCorp...
EUVD-2026-10563
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file...
OneUptime path traversal vulnerability
OneUptime is a comprehensive solution developed by OneUptime OpenSource. It is used to monitor and manage your online services. Versions of OneUptime prior to 10.0.21 contained a path traversal vulnerability. This vulnerability stemmed from the /workflow/docs/ endpoint’s path traversal, which cou...
MBS multiple products security vulnerability
MBS UBR-01 Mk II, etc., are products of the German MBS company. MBS UBR-01 Mk II is a remote base station device. MBS UBR-02 is also a remote base station device. MBS UBR-LON is a communication interface device for industrial automation systems. Several MBS products have security vulnerabilities;...
flask_ssti_exploit
Tools for Exploiting SSTI Vulnerabilities under Flask Di...
ragas security vulnerability
Ragas is an open-source toolkit developed by Vibrant Labs for optimizing and evaluating large language models. Versions of Ragas from v0.2.3 to v0.2.14 contain security vulnerabilities. These vulnerabilities stem from improper URL validation and cleaning of the retrieved_contexts parameter, which...
[R1] Nessus Manager Versions 10.10.3 and 10.11.3 Fix One Vulnerability
Arnie Cabral, Tue, 03/03/2026 - 12:08. A path traversal vulnerability exists in Nessus Manager where an authenticated, remote attacker could read arbitrary OS system files...
Copeland multiple products path traversal vulnerability
Both Copeland XWEB 500D PRO and Copeland XWEB 500B PRO are advanced commercial and industrial refrigeration monitoring and management systems developed by the American company Copeland. Several products of Copeland have been identified with a path traversal vulnerability. This vulnerability stems...
CVE-2026-26938
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an...
GetSimple CMS security vulnerability
GetSimple CMS is an open-source content management system developed by GetSimple CMS. There is a security vulnerability in GetSimple CMS, which stems from a flaw in the file upload function, potentially allowing arbitrary file reading...
CVE-2026-26746
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code...
WordPress plugin WP AUDIO GALLERY security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
penpot security vulnerability
Penpot is an open-source design tool developed by Penpot for collaboration in design and coding. Versions of Penpot prior to 2.13.2 contained a security vulnerability. This vulnerability allowed authenticated users to access arbitrary files by providing local file paths as font data blocks,...
OpenClaw path traversal vulnerability
OpenClaw is an open-source AI assistant from OpenClaw. OpenClaw suffers from a path traversal vulnerability. The vulnerability stems from the Feishu extension that allows sendMediaFeishu to treat an attacker-controlled mediaUrl value as a local file system path and read it...
CVE-2026-23491
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the getfile method of the Guest module's Get controller in InvoicePlane up to and including 1.6.3. The vulnerability allows unauthenticated attacker...