CVE-2026-34838 Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar...

EUVD-2026-18532

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar...

CVE-2026-34745 Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file app/server/fireshare/api.py. An...

CVE-2026-34745 Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file app/server/fireshare/api.py. An...

EUVD-2026-18507

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file app/server/fireshare/api.py. An...

CVE-2026-34745

Fireshare: CVE-2026-34745 is an unauthenticated path-traversal/arbitrary file-write vulnerability in the public chunked-upload endpoint (/api/uploadChunked/public). Before 1.5.3, the fix applied to the authenticated endpoint (/api/uploadChunked) was not propagated to the public one, allowing an a...

CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

DEBIAN-CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

UBUNTU-CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

CVE-2026-34591 Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

CVE-2026-34591

CVE-2026-34591 (Poetry) is a wheel path traversal vulnerability in Poetry for Python. From version 1.4.0 up to 2.3.2 (patched in 2.3.3), a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, enabling arbitrary file writes with the Poetry process’s privileges...

CVE-2026-34522 SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to...

CVE-2026-34522

SillyTavern has a path traversal vulnerability in /api/chats/import (pre-1.17.0). Unsanitized character_name is used to build the destination path with path.join, enabling write of attacker-controlled files outside the chats directory. Fix: upgrade to version 1.17.0 (patch already released).

CVE-2026-20174

A vulnerability in the Metadata update feature of Cisco Nexus Dashboard Insights could allow an authenticated, remote attacker to write arbitrary files to an affected system. This vulnerability is due to insufficient validation of the metadata update file. An attacker could exploit this...

CVE-2026-33949

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...

Directory Traversal

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Directory Traversal via the installer.php process. An attacker can access or modify files outside the intended directory by submitting crafted input remotely. Details A Directory Traversal...

PT-2026-29874

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file app/server/fireshare/api.py. An...

PT-2026-29881

Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 6.8.156, 25.0.90, and 26.0.12 Description Group-Office, an enterprise customer relationship management and groupware tool, is affected by an insecure deserialization issue in the AbstractSettingsCollection model...