PT-2026-41390

Name of the Vulnerable Software and Affected Versions Pipecat versions 0.0.90 through 1.1.x Description A path traversal issue exists in the development runner within the src/pipecat/runner/run.py file. When the runner is started using the --folder flag, it enables a download endpoint 'GET...

CVE-2026-5337

During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference IDOR attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly valida...

PT-2026-36684

During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference IDOR attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly valida...

CVE-2025-34331 AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated File Read via download.php

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request...

CVE-2024-13991

Huijietong Cloud Video Platform exposes a path traversal vulnerability in /fileDownload?action=downloadBackupFile that can be exploited by an unauthenticated attacker via the fullPath parameter to read arbitrary files from the server filesystem. The issue is confirmed across multiple feeds (NVD, ...

EUVD-2024-55036

Huijietong Cloud Video Platform contains a path traversal vulnerability that allows an unauthenticated attacker can supply arbitrary file paths to the fullPath parameter of the /fileDownload?action=downloadBackupFile endpoint and retrieve files from the server filesystem. VulnCheck has observed...

EUVD-2025-29750

Malicious code in bioql PyPI...

CVE-2025-58431 ZimaOS reads arbitrary files using localhost calls to File API Download

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v21/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT...

PT-2025-38236

Name of the Vulnerable Software and Affected Versions: ZimaOS versions prior to 1.4.2 Description: ZimaOS, a fork of CasaOS, is susceptible to a file read issue. The /v2 1/files/file/download API endpoint allows unauthorized file access from any user with localhost access. File reads are executed...

PT-2023-30247 · Unknown · Peppermint Ticket Management

Name of the Vulnerable Software and Affected Versions: Peppermint Ticket Management versions prior to 0.2.4 Description: The issue allows remote attackers to read arbitrary files via a "/api/v1/users/file/download?filepath=./../" POST request. This is a significant security concern as it...