7148 matches found
CVE-2026-40024 Sleuth Kit tsk_recover Path Traversal
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tskrecover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can...
CVE-2026-40024 Sleuth Kit tsk_recover Path Traversal
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tskrecover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can...
CVE-2026-40024
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tskrecover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can...
CVE-2026-40024
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tskrecover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can...
CVE-2026-39844
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...
CVE-2026-39844 NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...
CVE-2026-39844 NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...
CVE-2026-35492
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
CVE-2026-33466
Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The archive extraction utilities used by Logstash do not properly validate file paths within compressed...
CVE-2026-33466 Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write
Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The archive extraction utilities used by Logstash do not properly validate file paths within compressed...
CVE-2026-33466
CVE-2026-33466 affects Logstash by improper limitation of a pathname to a restricted directory (CWE-22). The archive extraction utilities do not validate file paths inside archives, allowing a crafted archive served via an attacker-controlled update endpoint to write arbitrary files with Logstash...
CVE-2026-33466 Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write
Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The archive extraction utilities used by Logstash do not properly validate file paths within compressed...
Logstash 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-29)
Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The...
SUSE-SU-2026:1220-1 Security update for python-poetry
This update for python-poetry fixes the following issue: - CVE-2026-34591: From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write bsc1261383...
JLSEC-2026-61
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name for example, a crafted file name, this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation...
Directory Traversal
Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Directory Traversal via the renderFile or parseFile functions that fail to enforce root boundry. An attacker can access arbitrary files...
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPathfilename.name to strip path components. Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload...
go-toolset:rhel8 security update
An update is available for module.delve, module.golang, delve, golang. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Go Toolset provides the Go programming...
RLSA-2026:6949 Important: go-toolset:rhel8 security update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive CVE-2025-61731 net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 For more...
cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive
A flaw was found in cmd/go. An attacker can exploit this by building a malicious Go source file that uses the 'cgo pkg-config:' directive. This allows the attacker to write to an arbitrary file with partial control over its content, by providing a '--log-file' argument to the pkg-config command...