compressing 后置链接漏洞

Compressing is a compression and decompression tool library open source from nodemodules. Compressing versions 1.10.3 and earlier, as well as version 2.0.0, have a backlink vulnerability. This vulnerability arises from not verifying the symbolic link targets when extracting TAR archives, which ma...

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : The Internet Archive Python Library vulnerability (USN-7989-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7989-1 advisory. Pengo Wray discovered that The Internet Archive Python Library incorrectly handled certain file paths when downloading files. An...

Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write

A Path Traversal vulnerability in the partitionmsg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. Impact An attacker can craft a malicious .msg file with attachment filenames containing path traversal...

Symlink Attack

Overview compressing is an Everything you need for compressing and uncompressing Affected versions of this package are vulnerable to Symlink Attack via the compressing.tar.uncompress' function, which sanitizes the destination paths of archive entries. An attacker can overwrite or create files in...

Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Arbitrary File Write via Symlink Extraction in github.com/node-modules/compressing Brief Introduction The compressing npm package extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an...

GHSA-CC8F-XG8V-72M3 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Arbitrary File Write via Symlink Extraction in github.com/node-modules/compressing Brief Introduction The compressing npm package extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an...

CVE-2024-5986

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVE-2026-24936

When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can...

CVE-2026-24936

CVE-2026-24936 affects ASUSTOR ADM: an improper input parameter validation flaw in a CGI program when a specific function is enabled during AD Domain join allows an unauthenticated remote attacker to write arbitrary data to any file, potentially leading to complete system compromise. Affected: AD...

CVE-2026-24936 An improper input validation vulnerability was found in ADM while joining a AD Domain.

When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can...

PT-2026-6424

A Path Traversal vulnerability in the partition msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. Impact An attacker can craft a malicious .msg file with attachment filenames containing path traversal...

PT-2026-6407

Arbitrary File Write via Symlink Extraction in github.com/node-modules/compressing Brief Introduction The compressing npm package extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an...

PT-2026-5771

Name of the Vulnerable Software and Affected Versions ASUSTOR ADM versions 4.1.0 through 4.3.3.ROF1 ASUSTOR ADM versions 5.0.0 through 5.1.1.RCI1 Description An improper input parameters validation issue exists in a specific CGI program when a particular function is enabled during Active Director...

ASUSTOR ADM 安全漏洞

ASUSTOR ADM is a dedicated operating system developed by ASUSTOR Technology ASUSTOR for all ASUSTOR NAS devices. Vulnerabilities exist in versions 4.1.0 to 4.3.3.ROF1, and from version 5.0.0 to 5.1.1.RCI1 of ASUSTOR ADM. These vulnerabilities stem from improper validation of input parameters...

Security update for python-FontTools (moderate)

openSUSE security update: security update for python-fonttools ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20119-1 Rating: moderate References: bsc1254366 Cross-References: CVE-2025-66034 CVSS scores: CVE-2025-66034 SUSE : 6.3...

CVE-2025-66480

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

GO-2026-4387 SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE in github.com/siyuan-note/siyuan/kernel

SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE in github.com/siyuan-note/siyuan/kernel...

GO-2026-4377 Path traversal in TAP 4 multirepo client allows arbitrary file write via repo names in github.com/theupdateframework/go-tuf

Path traversal in TAP 4 multirepo client allows arbitrary file write via repo names in github.com/theupdateframework/go-tuf...

GHSA-WJ3H-WX8G-X699 H2O has an External Control of File Name or Path vulnerability

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVE-2024-5986

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...