11286 matches found
CVE-2026-26321
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly. If an attacker can influence tool calls directly or via prompt injection...
CVE-2026-27202
GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication...
CVE-2026-27202 GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability
GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication...
CVE-2026-27202 GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability
GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication...
CVE-2026-27202
CVE-2026-27202 concerns GetSimple CMS. All versions are affected by a flaw in the Uploaded Files feature that enables arbitrary file reads. The issue is reported as not fixed at publication. The available documents do not provide exploit details or concrete attack vectors. The CVSS data indicates...
CVE-2026-27202 GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability
GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication...
Metasploit Wrap-Up 02/20/2026
Hacking Churches and Backdooring Emacs This release packs some solid exploit module additions! Two new unauthenticated RCE modules are a major win: the StoryChief WordPress plugin exploit CVE-2025-7441 targets a webhook validation flaw allowing arbitrary file uploads, while the ChurchCRM exploit...
CVE-2026-25527
changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the /static// route accepts group="..", which causes sendfromdirectory"static/..", filename to execute. This moves the base directory up to /app/changedetectionio, enabling unauthenticated local...
CVE-2026-2274
A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no...
CVE-2026-26337
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal...
CVE-2026-26202
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path e.g. /etc/passwd as a font data chunk in the create-font-variant RPC endpoint, resulting in the file...
CVE-2026-26746
OpenSourcePOS 3.4.1 contains a Local File Inclusion LFI vulnerability in the Sales.php::getInvoice function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code...
CVE-2026-26746
OpenSourcePOS 3.4.1 contains a Local File Inclusion LFI vulnerability in the Sales.php::getInvoice function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code...
CVE-2026-21627 Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s comajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction...
CVE-2026-21627
The CVE concerns the Tassos Framework plugin (Joomla) versions 4.10.14 through 6.0.37, where specific AJAX handling via Joomla com_ajax can invoke internal framework functionality without proper restrictions. This leads to a SQL injection and an unauthenticated file read, driven by how the plugin...
CVE-2026-21627 Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s comajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction...
CVE-2025-59819 Authenticated Arbitrary File Read via filepath parameter
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path...
CVE-2025-59819 Authenticated Arbitrary File Read via filepath parameter
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path...
CVE-2025-59819
The CVE-2025-59819 entries describe an authenticated arbitrary-file-read vulnerability: an attacker can supply a crafted filepath parameter that is mapped to an internal system path, enabling access to arbitrary files. Multiple sources (NVD, Red Hat, CVE list, Attackerkb, etc.) corroborate the sa...
CVE-2026-26329
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs...