139 matches found
CVE-2026-40610
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento...
rsync: rsync server leaks arbitrary client files
A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare wi...
CVE-2026-40610
CVE-2026-40610 affects BentoML prior to 1.4.39, where bentoml build traverses attacker-controlled symlinks in the build context and copies the target file contents into the generated Bento artifact. This leads to potential local-file disclosure (e.g., secrets, credentials, environment files) when...
CVE-2026-40610 BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento...
Astra Linux - vulnerability in glib2.0
A flaw was discovered in glib before version 2.63.6. Due to random charset aliases, pkexec can leak content from files owned by privileged users to unprivileged users under certain conditions...
RHEL 9 : rsync (RHSA-2026:19368)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19368 advisory. The rsync utility enables users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because...
Important: rsync security update
The rsync utility enables users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fixes:...
ALSA-2026:19368 Important: rsync security update
The rsync utility enables users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fixes:...
Open WebUI security vulnerability
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.5 contained security vulnerabilities. These vulnerabilities stemmed from multiple endpoints accepting file IDs provided by users without verifying ownership,...
CVE-2026-42196 django-s3file: Relative path traversal
django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random...
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
Summary BentoML's bentoml build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a...
PT-2026-38613
Name of the Vulnerable Software and Affected Versions BentoML versions prior to 1.4.39 Description The bentoml build packaging workflow follows attacker-controlled symlinks within the build context and copies the referenced file contents into the generated Bento artifact. This occurs because the...
OpenClaw security vulnerability
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.10 contained security vulnerabilities. These vulnerabilities stemmed from arbitrary file reading in the QQBot media tag, allowing attackers to reference local paths on hosts...
Apache Tomcat 10.1.22 < 10.1.54 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 10.1.54. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.54_security-10 advisory. - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clusteri...
Code-Projects Online Library Management System access control error vulnerability
The Code-Projects Online Library Management System is an open-source online library management system developed by Code-Projects. Version 1.0 of the Code-Projects Online Library Management System contains a vulnerability related to access control. This vulnerability stems from incorrect operation...
Inkscape code issue vulnerability
Inkscape is an open-source graphic editor developed by Inkscape itself. Prior to Inkscape 1.3, there were code-related vulnerabilities. These vulnerabilities stemmed from issues with the XInclude processing component, which allowed local file leaks. This could enable remote attackers to access...
CVE-2025-70040
CVE-2025-70040 affects the npm package jimeng-web-mcp (v2.1.2) from LupinLin1. The issue is described as CWE-532: Insertion of Sensitive Information into Log File, allowing an attacker to obtain sensitive information via poorly sanitized log output. Connected sources confirm the affected componen...
CVE-2026-30852 Caddy: vars_regexp double-expands user input, leaking env vars and files
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like http.request.header.X-Input, the...
CVE-2025-69430
An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 version equal to or prior to V1.9.12, DM3 version equal to or prior to V1.9.12, and DM200 version equal to or prior to V1.2.23 that could be exploited by attackers to leak or tamper with the intern...