CVE-2026-32097 PingPong has improper access control in thread file endpoints allows access outside intended scope

PingPong is a platform for using large language models LLMs for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploade...

CVE-2026-32061

OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...

EUVD-2026-11150

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in applypatch that allows attackers to write or delete files outside the configured workspace directory. When applypatch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including...

Directory Traversal

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Directory Traversal. Adobe Vulnerability Report: This vulnerability could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability ...

CVE-2026-29515

MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally...

CVE-2026-29515 MiCode FileExplorer SwiFTP Server Authentication Bypass

MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally...

CVE-2026-29515

MiCode FileExplorer contains an authentication bypass vulnerability in its embedded SwiFTP FTP server. The PASS command handler unconditionally grants access, allowing network attackers to log in with any username/password and to list, read, write, and delete files exposed by the FTP server. Affe...

CVE-2026-21360

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could result in a security feature bypass. A high-privileged attacker could...

CVE-2026-21360

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could result in a security feature bypass. A high-privileged attacker could...

PingPong 安全漏洞

PingPong is an open-source student assignment and course management assistant developed by the Computational Policy Lab. Versions of PingPong prior to 7.27.2 contained security vulnerabilities. These vulnerabilities were due to improper access control, which could allow authenticated users to...

PT-2026-24573

Name of the Vulnerable Software and Affected Versions MiCode FileExplorer affected versions not specified Description The software contains an authentication bypass in the embedded SwiFTP FTP server component. This allows network attackers to log in without valid credentials by sending arbitrary...

Coppermine Photo Gallery（CPG） 路径遍历漏洞

Coppermine Photo Gallery CPG is a web-based album management system developed by the Coppermine team using PHP. This system offers features such as user management, password-based access to albums, and automatic thumbnail generation. Versions of Coppermine Photo Gallery prior to 1.6.27 had a path...

CVE-2026-30952

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...

CVE-2026-30952

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...

EUVD-2026-10873

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...

EUVD-2026-10660

Improper link resolution before file access 'link following' in Winlogon allows an authorized attacker to elevate privileges locally...

EUVD-2026-10659

Improper link resolution before file access 'link following' in Winlogon allows an authorized attacker to elevate privileges locally...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the PDComplexFileSpecification.getFilename function. An attacker can access arbitrary files on the file system by supplying crafted file names that traverse directories during file extraction. Note: This issue...

EUVD-2026-10404

Multiple i-フィルター products are configured with improper file access permission settings. Files may be created or overwritten in the system directory or backup directory by a non-administrative user...

CVE-2026-30942 Flare has a Path Traversal in /api/avatars/[filename]

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...