
7232 matches found

OSV
added 2026/03/24 12:49 p.m. | 9 views

CVE-2026-33309 Langflow has an Arbitrary File Write (RCE) via v2 API

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 External Control of File Name, leading to the root architectural issue within LocalStorageService remaining unresolved. Because the underlying...

CVSS 9.9 | AI score 6 | EPSS 0.01417
Exploits 1 | References 3

ATTACKERKB
added 2026/03/24 12:49 p.m. | 5 views

CVE-2026-33309

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 External Control of File Name, leading to the root architectural issue within LocalStorageService remaining unresolved. Because the underlying...

CVSS 9.9 | AI score 6 | EPSS 0.03255
Exploits 2 | References 2 | Affected Software 1

CVE
added 2026/03/24 12:49 p.m. | 16 views

CVE-2026-33309

Summary (concrete details): CVE-2026-33309 affects Langflow 1.2.0–1.8.1 where a bypass of the CVE-2025-68478 patch enables an Arbitrary File Write via the v2 API endpoint /api/v2/files/. The root issue lies in the storage layer’s LocalStorageService, which lacks proper boundary containment checks...

CVSS 9.9 | AI score 6 | EPSS 0.01417
Exploits 1 | References 1 | Affected Software 1

CVE
added 2026/03/23 9:36 p.m. | 10 views

CVE-2026-28483

OpenClaw before 2026.3.2 is affected by a race condition in ZIP extraction. The vulnerability arises from a gap between path validation and file write operations in src/infra/archive.ts, allowing a local attacker to write files outside the intended extraction root by abusing parent-directory syml...

AI score 5.8
Exploits 0

EUVD
added 2026/03/23 9:30 p.m. | 6 views

EUVD-2026-14476

An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes...

CVSS 9 | AI score 5.9 | EPSS 0.00321
Exploits 0 | References 2

NVD
added 2026/03/23 9:17 p.m. | 2 views

CVE-2026-23481

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4...

CVSS 6.5 | EPSS 0.00375
Exploits 0 | References 3

Cvelist
added 2026/03/23 8:33 p.m. | 21 views

CVE-2026-23481 Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4...

CVSS 5.3 | EPSS 0.00375
Exploits 0 | References 3

Vulnrichment
added 2026/03/23 8:33 p.m. | 2 views

CVE-2026-23481 Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4...

CVSS 5.3 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 3

CVE
added 2026/03/23 8:33 p.m. | 8 views

CVE-2026-23481

CVE-2026-23481 affects Blinko, an AI-powered card note‑taking project. Before version 1.8.4, an authenticated user could perform an arbitrary file write via the saveAdditionalDevFile path, enabling potential tampering on the device hosting Blinko. The vulnerability is classified with CVSS v4.0 ba...

CVSS 6.5 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 3 | Affected Software 1

ATTACKERKB
added 2026/03/23 8:33 p.m. | 2 views

CVE-2026-23481

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4...

CVSS 5.3 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 4 | Affected Software 1

EUVD
added 2026/03/23 8:33 p.m. | 3 views

EUVD-2026-14531

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4...

CVSS 5.3 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 3

OSV
added 2026/03/23 8:33 p.m. | 1 view

CVE-2026-23481 Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4...

CVSS 5.3 | AI score 5.9 | EPSS 0.00375
Exploits 0 | References 5

Cvelist
added 2026/03/23 8:31 p.m. | 19 views

CVE-2026-23484 Blinko: Authenticated Arbitrary File Write - saveDevPlugin

Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure normal user, not superAdminAuthMiddleware. At time o...

CVSS 5.3 | EPSS 0.00336
Exploits 0 | References 1

CVE
added 2026/03/23 8:31 p.m. | 12 views

CVE-2026-23484

Blinko (AI-powered card note-taking project) is affected in versions up to 1.8.3 where the fileName parameter is not filtered, enabling path traversal to write files anywhere on the file system. The vulnerability is exploitable by authenticated users (normal user) because the interface only requi...

CVSS 6.5 | AI score 5.8 | EPSS 0.00336
Exploits 0 | References 1 | Affected Software 1

NVD
added 2026/03/23 7:16 p.m. | 5 views

CVE-2026-0898

An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes...

CVSS 9 | EPSS 0.00321
Exploits 0 | References 1

Cvelist
added 2026/03/23 6:41 p.m. | 19 views

CVE-2026-0898 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.

An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes...

CVSS 9 | EPSS 0.00321
Exploits 0 | References 1

Vulnrichment
added 2026/03/23 6:41 p.m. | 2 views

CVE-2026-0898 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25.

An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes...

CVSS 9 | AI score 5.9 | EPSS 0.00321
Exploits 0 | References 1

ATTACKERKB
added 2026/03/23 6:41 p.m. | 5 views

CVE-2026-0898

An arbitrary file-write vulnerability in Pega Browser Extension PBE affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes...

CVSS 9 | AI score 5.9 | EPSS 0.00321
Exploits 0 | References 2 | Affected Software 1

CVE
added 2026/03/23 6:41 p.m. | 10 views

CVE-2026-0898

An arbitrary file-write vulnerability exists in the Pega Browser Extension (PBE) affecting Pega Robot Studio developers automating Google Chrome or Microsoft Edge on versions 22.1 or R25. Robot Runtime is not affected. The issue arises from a malicious website that could be loaded by a developer ...

CVSS 9 | AI score 5.9 | EPSS 0.00321
Exploits 0 | References 1

Snyk
added 2026/03/23 6:16 p.m. | 1 view

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the locateDAG process. An attacker can access arbitrary files by submitting specially crafted requests containing %2F-encoded slashes. Details: A Directory Traversal attack, also known as path traversal, aims to...

CVSS 8.6 | AI score 6.5 | EPSS 0.00469
Exploits 1 | References 3