PT-2026-28729

Name of the Vulnerable Software and Affected Versions elecV2 versions up to 3.8.3 Description A flaw exists in elecV2, specifically within the Endpoint component. Manipulation of the filename argument in a function related to the /logs file can lead to cross-site scripting. This issue is...

elecV2P 代码注入漏洞

elecV2P is a network request modification and scheduled task tool developed by the elecV2 individual developer. Versions of elecV2P 3.8.3 and earlier have a code injection vulnerability. This vulnerability stems from improper handling of the parameter filename by unknown functions in the...

CVE-2026-5027

CVE-2026-5027: Langflow narrow path traversal in POST /api/v2/files where the filename field from multipart form data is not sanitized, enabling writing files to arbitrary filesystem locations via ../ sequences. CVSS 3.1 base score 8.8 (HIGH): Network attack, low attack complexity, requires low p...

PT-2026-28741

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.10.0 Description A path traversal flaw exists in the 'POST /api/v2/files' endpoint due to inadequate sanitization of the filename parameter within multipart form data. This allows an attacker to use traversal...

Langflow 安全漏洞

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Langflow has a security vulnerability that stems from the lack of cleanup of the filename parameter in the multipart form data when the endpoint POST /api/v2/files is used. This...

CVE-2026-33528

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath =...

CVE-2026-33528

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath =...

CVE-2026-23484

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure normal user, not superAdminAuthMiddleware. At time o...

CVE-2026-33171

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...

CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

CVE-2019-25632

phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fmcurrentdir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files...

PT-2026-27624

Name of the Vulnerable Software and Affected Versions GoDoxy versions prior to 0.27.5 Description GoDoxy, a reverse proxy and container orchestrator, contains a path traversal flaw in the file content API endpoint at /api/v1/file/content. The filename query parameter is directly used in...

CVE-2026-23484

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure normal user, not superAdminAuthMiddleware. At time o...

EUVD-2026-14538

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure normal user, not superAdminAuthMiddleware. At time o...

CVE-2026-33171

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...

CVE-2026-33171

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the filename configuration parameter in the file dictionary fieldtype endpoint. An attacker can access arbitrary .json, .yaml, and .csv files from the server by manipulating this parameter. Details A Directory...

Statamic has a path traversal in file dictionary fieldtype

Impact Authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's endpoint. Patches This has been fixed in 5.73.14 and 6.7.0...

PT-2026-26065

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...

CVE-2015-20116

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...