11200 matches found
Vite - Arbitrary File Read
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...
Malicious code in lab-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e On npm install, the package's postinstall hook runs seccheck.js, which enumerates the host's network interfaces and proceeds only if an IPv4 address...
@babel/core: Arbitrary File Read via sourceMappingURL Comment
Impact Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the...
GHSA-4X5R-PXFX-6JF8 @babel/core: Arbitrary File Read via sourceMappingURL Comment
Impact Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the...
Exploit for CVE-2026-37066
CVE-2026-37066 Path traversal leading to Arbitrary File Read i...
CVE-2026-9062 Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...
CVE-2026-9062
The CVE-2026-9062 entry concerns the Store Locator WordPress plugin (affected versions prior to 1.6.9). The vulnerability arises from insufficient validation of a parameter used in a file path, enabling high-privilege users (e.g., administrators) to read arbitrary PHP files from the server, inclu...
CVE-2026-12089
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...
EUVD-2026-36635
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...
CVE-2026-12089 WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...
CVE-2026-12089
The vulnerability CVE-2026-12089 affects the WordPress plugin “LWS Optimize – All-in-One Speed Booster & Cache Tools” up to version 3.3.19. The root cause is in the combine_current_css() function, which trusts href values harvested from page HTML and converts same-site URLs to absolute filesyste...
CVE-2026-12089 WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...
EUVD-2026-36613
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...
PT-2026-49072
Name of the Vulnerable Software and Affected Versions LWS Optimize – All-in-One Speed Booster & Cache Tools versions prior to 3.3.20 Description The plugin is subject to an arbitrary file read issue. This occurs because the combine current css function trusts values harvested from page HTML and...
CVE-2026-53825
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...
CVE-2026-53831 OpenClaw < 2026.5.18 - Arbitrary File Read via Shell Expansion in system.run Safe-bin Allowlist
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metacharacters in approved commands to read unintended node-loca...
CVE-2026-53831
OpenClaw
CVE-2026-53831 OpenClaw < 2026.5.18 - Arbitrary File Read via Shell Expansion in system.run Safe-bin Allowlist
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metacharacters in approved commands to read unintended node-loca...
CVE-2026-53825
OpenClaw prior to 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature. Authenticated Gateway operators with operator.write scope can specify arbitrary local file paths to import content into wiki memory, bypassing access restrictions and reading local files ou...
CVE-2026-53825 OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...