7266 matches found

NVD
added 2026/02/24 10:16 p.m., 14 views

CVE-2026-27117

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive...

CVSS: 7.5, EPSS: 0.00309
Exploits: 1, References: 4

Vulnrichment
added 2026/02/24 9:46 p.m., 6 views

CVE-2026-27117 bit7z has a path traversal vulnerability

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive...

CVSS: 5.5, AI score: 5.8, EPSS: 0.00309
Exploits: 1, References: 4

Cvelist
added 2026/02/24 9:46 p.m., 22 views

CVE-2026-27117 bit7z has a path traversal vulnerability

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive...

CVSS: 5.5, EPSS: 0.00309
Exploits: 1, References: 4

ATTACKERKB
added 2026/02/24 9:46 p.m., 3 views

CVE-2026-27117

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive...

CVSS: 7.5, AI score: 6, EPSS: 0.00309
Exploits: 1, References: 5, Affected Software: 1

CVE
added 2026/02/24 9:46 p.m., 20 views

CVE-2026-27117

CVE-2026-27117 concerns bit7z, a cross-platform C++ static library used for archive compression/extraction. Prior to 4.0.11, its archive extraction lacks proper validation of entry paths, enabling Zip Slip path traversal via relative paths, absolute paths, or symbolic links. This can allow writin...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00309
Exploits: 1, References: 4, Affected Software: 1

GitHub Security Blog
added 2026/02/24 9:43 p.m., 7 views

Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory

The CreateNewDAG API endpoint (POST /api/v1/dags) does not validate the DAG name before passing it to the file store. While RenameDAG calls core.ValidateDAGName to reject names containing path separators (line 273 in dags.go), CreateNewDAG skips this validation entirely and passes user input directly...

CVSS: 7.1, AI score: 6.1, EPSS: 0.00571
Exploits: 1, References: 5, Affected Software: 1

OSV
added 2026/02/24 9:43 p.m., 4 views

GHSA-6V48-FCQ6-FF23 Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory

The CreateNewDAG API endpoint (POST /api/v1/dags) does not validate the DAG name before passing it to the file store. While RenameDAG calls core.ValidateDAGName to reject names containing path separators (line 273 in dags.go), CreateNewDAG skips this validation entirely and passes user input directly...

CVSS: 7.1, AI score: 6.2, EPSS: 0.00571
Exploits: 1, References: 5

NVD
added 2026/02/24 6:29 p.m., 8 views

CVE-2026-26222

Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling,...

CVSS: 10, EPSS: 0.00739
Exploits: 0, References: 2

Cvelist
added 2026/02/24 5:33 p.m., 23 views

CVE-2026-26222 DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE

Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling,...

CVSS: 10, EPSS: 0.00739
Exploits: 0, References: 2

Vulnrichment
added 2026/02/24 5:33 p.m., 4 views

CVE-2026-26222 DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE

Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling,...

CVSS: 10, AI score: 6.6, EPSS: 0.00739
Exploits: 0, References: 2

CVE
added 2026/02/24 5:33 p.m., 27 views

CVE-2026-26222

The CVE-2026-26222 entry concerns Altec DocLink (now Beyond Limits Inc.) 4.0.336.0, where insecure .NET Remoting endpoints exposed over TCP and HTTP/SOAP via ObjectURI “doclinkServer.soap” allow unauthenticated access. The vulnerability arises from unsafe object unmarshalling, enabling remote att...

CVSS: 10, AI score: 6.4, EPSS: 0.00739
Exploits: 0, References: 2, Affected Software: 1

Snyk
added 2026/02/24 3:40 p.m., 4 views

Directory Traversal

Overview: Magick.NET-Q16-arm64 is a Magick.NET package that lets you use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs (https://github.com/dlemstra/Magick.NET/tree/main/docs). Affected versions of this package are...

CVSS: 8.7, AI score: 6.5, EPSS: 0.00751
Exploits: 0, References: 2

Snyk
added 2026/02/24 3:40 p.m., 5 views

Directory Traversal

Overview: Magick.NET-Q16-OpenMP-x64 is a Magick.NET package that lets you use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs (https://github.com/dlemstra/Magick.NET/tree/main/docs). Affected versions of this package a...

CVSS: 8.7, AI score: 6.5, EPSS: 0.00751
Exploits: 0, References: 2

Snyk
added 2026/02/24 3:40 p.m., 4 views

Directory Traversal

Overview: Magick.NET-Q16-HDRI-x64 is a Magick.NET package that lets you use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs (https://github.com/dlemstra/Magick.NET/tree/main/docs). Affected versions of this package are...

CVSS: 8.7, AI score: 6.5, EPSS: 0.00751
Exploits: 0, References: 2

Snyk
added 2026/02/24 3:40 p.m., 4 views

Directory Traversal

Overview: Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET package that lets you use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs (https://github.com/dlemstra/Magick.NET/tree/main/docs). Affected versions of this...

CVSS: 8.7, AI score: 6.5, EPSS: 0.00751
Exploits: 0, References: 2

Positive Technologies
added 2026/02/24 12:0 a.m., 8 views

PT-2026-21780

Name of the Vulnerable Software and Affected Versions: Altec DocLink version 4.0.336.0. Description: The software has insecure .NET Remoting endpoints exposed over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and...

CVSS: 10, AI score: 6.2, EPSS: 0.00739
Exploits: 0, References: 7

Positive Technologies
added 2026/02/24 12:0 a.m., 6 views

PT-2026-21808

Name of the Vulnerable Software and Affected Versions: bit7z versions prior to 4.0.11. Description: bit7z is a cross-platform C++ static library used for archive compression and extraction. A path traversal flaw ("Zip Slip") exists in the archive extraction functionality prior to version 4.0.11. The...

CVSS: 7.5, AI score: 5.5, EPSS: 0.00309
Exploits: 1, References: 9

Packet Storm
added 2026/02/24 12:0 a.m., 127 views

Microsoft Event Log Remote Protocol Arbitrary File Write

This Python script demonstrates the abuse of the Microsoft Event Log Remote Protocol (MS-EVEN) to achieve an arbitrary file write over SMB using low-privileged credentials. By interacting with the Windows \pipe\eventlog named pipe through DCERPC, the script leverages the ElfrOpenBELW and...

AI score: 5.9
Exploits: 0

Vulnrichment
added 2026/02/23 8:57 p.m., 5 views

CVE-2026-23521 Traccar vulnerable to Path Traversal and External Control of File Name or Path

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device uniqueId to an absolute path. When uploading a device image, Traccar uses that uniqueId to build the filesystem path...

CVSS: 6.5, AI score: 5.4, EPSS: 0.0032
Exploits: 1, References: 1

Positive Technologies
added 2026/02/23 12:0 a.m., 4 views

PT-2026-21834

Name of the Vulnerable Software and Affected Versions: Rollup versions prior to 2.80.0; Rollup versions prior to 3.30.0; Rollup versions prior to 4.59.0. Description: Rollup, a JavaScript module bundler, contains a flaw due to insecure file name sanitization in its core engine. This allows an attacker...

CVSS: 10, AI score: 5.5, EPSS: 0.01195
Exploits: 1, References: 158