CVE-2026-21440
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease...
CVE-2026-21440
CVE-2026-21440 is a path traversal vulnerability in AdonisJS bodyparser (MultipartFile.move) that allows writing files outside the intended directory when the client-supplied filename is not sanitized. Root cause: move(location, options?) defaults to using clientName and path.join(location, fileN...
CVE-2026-21440 AdonisJS Path Traversal in Multipart File Handling
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease...
GHSA-GVQ6-HVVP-H34H AdonisJS Path Traversal in Multipart File Handling
Summary Description A Path Traversal CWE-22 vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to...
bodyparser path traversal vulnerability
bodyparser is an open source BodyParser middleware on AdonisJS from AdonisJS Framework. A path traversal vulnerability exists in bodyparser versions 10.1.1 and earlier and 11.0.0-next.6 and earlier, which stems from the existence of a path traversal in multipart file handling that could result in...
Arbitrary File Write via Archive Extraction (Zip Slip)
Overview raxe is a RAXE Community Edition - AI Security for Everyone. 460+ threat detection rules, L2 CPU-based ML, always free. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip in the extracttarball function in modeldownloader.py. Details I...
PT-2026-26304
Name of the Vulnerable Software and Affected Versions: PyMuPDF version 1.26.5. Description: A path traversal and arbitrary file write issue exists in the get function within the `__main__.py` file. The issue allows unauthorized access and modification of files. Recommendations: At the moment, there is ...
PT-2026-25353
Name of the Vulnerable Software and Affected Versions: calibre versions prior to 9.5.0. Description: calibre is an e-book manager used for viewing, converting, editing, and cataloging e-books. A path traversal flaw exists in the RocketBook .rb input plugin src/calibre/ebooks/rb/reader.py. This allow...
PT-2026-4295
Name of the Vulnerable Software and Affected Versions: Incus versions 6.21.0 and below; IncusOS affected versions not specified. Description: Incus is a system container and virtual machine manager. A flaw exists where a user capable of launching containers with custom images (e.g., a member of the...
WordPress Premium Age Verification / Restriction for WordPress plugin <= 3.0.2 - Unauthenticated Arbitrary File Read and Write via remote_tunnel.php vulnerability
Unauthenticated Arbitrary File Read and Write via remote_tunnel.php vulnerability discovered by ch4r0n - FPT Software in WordPress Plugin Premium Age Verification / Restriction for WordPress versions <= 3.0.2...
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download
Summary: A Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename, e.g. ../../../.ssh/authorized_keys. When a victim downloads the bucket as a .tar.gz archive and extracts it, malicious files are written outside the...
UBUNTU-CVE-2023-54271
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init. blk-iocost sometimes causes the following crash: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... RIP: 0010:_raw_spin_lock+0x17/0x30...
SUSE CVE-2025-68937
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later...
GHSA-M273-6V24-X4M4 Picklescan vulnerable to Arbitrary File Writing
Summary: Picklescan has open and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However, the module distutils isn't blocked and can be used for the same purpose, i.e. to write arbitrary files. Details: This is another vulnerability which impacts the downstream user. ...
Picklescan vulnerable to Arbitrary File Writing
Summary: Picklescan has open and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However, the module distutils isn't blocked and can be used for the same purpose, i.e. to write arbitrary files. Details: This is another vulnerability which impacts the downstream user. ...
Arbitrary File Write
github.com/git-lfs/git-lfs is vulnerable to arbitrary file write. The vulnerability is due to Git LFS not validating symbolic or hard links before writing files during git lfs checkout or git lfs pull, which allows an attacker to craft a malicious repository that causes Git LFS to write to...
EUVD-2025-205453
Self-hosted n8n has Legacy Code node that enables arbitrary file read/write...
Self-hosted n8n has Legacy Code node that enables arbitrary file read/write
Impact: In self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with...
CVE-2025-68937
A flaw was found in Forgejo. This vulnerability allows a remote attacker to write to unintended files and potentially gain server shell access. The flaw occurs due to mishandling of symlink destinations that point outside of the repository when processing template repositories. This could lead to...
UNIX Symbolic Link (Symlink) Following
Overview: Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the mishandling of symlink destinations while evaluating template repos. An attacker can write to unintended files and potentially gain shell access on the server by creating out-of-repository...