8767 matches found

Positive Technologies
added 2026/02/03 12:0 a.m., 3 views

PT-2026-5829

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from...

CVSS 8.8 | AI score 5.7 | EPSS 0.00325
Exploits: 0 | References: 5

Positive Technologies
added 2026/02/03 12:0 a.m., 4 views

PT-2026-6424

A Path Traversal vulnerability in the partition msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. Impact An attacker can craft a malicious .msg file with attachment filenames containing path traversal...

CVSS 9.8 | AI score 6.4 | EPSS 0.00616
Exploits: 0 | References: 5

OSV
added 2026/02/02 10:24 p.m., 4 views

CVE-2026-25059 OpenList affected by Path Traversal in file copy and remove handlers

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

CVSS 8.8 | AI score 5.6 | EPSS 0.00598
Exploits: 1 | References: 5

ATTACKERKB
added 2026/02/02 9:33 p.m., 1 view

CVE-2025-66480

Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint /fs that handles...

CVSS 9.8 | AI score 5.8 | EPSS 0.01395
Exploits: 0 | References: 4 | Affected Software: 1

OSV
added 2026/02/02 9:39 a.m., 4 views

CLSA-2026-1770025166 glib2: Fix of CVE-2025-13601

CVE-2025-13601: fix incorrect buffer size calculation in gescapeuristring - add fuzz tests for gfilenameto,fromuri...

CVSS 7.7 | AI score 7.2 | EPSS 0.00274
Exploits: 1 | References: 1

CVE
added 2026/02/02 9:11 a.m., 15 views

CVE-2024-54263

CVE-2024-54263 affects the WordPress Spirit Framework plugin up to version 1.2.13, with a Local File Inclusion vulnerability caused by improper control of the filename for include/require statements in PHP. The issue enables PHP Local File Inclusion and is described across multiple sources as aff...

CVSS 7.5 | AI score 5.4 | EPSS 0.00309
Exploits: 0 | References: 1

Vulnrichment
added 2026/02/02 9:11 a.m., 5 views

CVE-2024-54263 WordPress Spirit Framework plugin <= 1.2.13 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion. This issue affects Spirit Framework: from n/a through 1.2.13...

CVSS 7.5 | AI score 5.4 | EPSS 0.00309
Exploits: 0 | References: 1

CNNVD
added 2026/02/02 12:0 a.m., 4 views

im-server code issue vulnerability

im-server is an open-source instant messaging system developed by Wildfire. Versions of im-server prior to 1.4.3 contained code vulnerabilities. These vulnerabilities stemmed from improper handling of file upload functions within the im-server components, which led to improper filename processing...

CVSS 9.8 | AI score 6.1 | EPSS 0.01395
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/02 12:0 a.m., 4 views

PT-2026-5702

Name of the Vulnerable Software and Affected Versions Wildfire IM versions prior to 1.4.3 Description Wildfire IM’s im-server component contains a critical issue in the file upload functionality within com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an API endpoint ''/fs''...

CVSS 9.8 | AI score 5.8 | EPSS 0.01395
Exploits: 0 | References: 11

OSV
added 2026/02/01 12:16 a.m., 6 views

CVE-2026-25069

SunFounder Pironman Dashboard pmdashboard version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can...

CVSS 9.3 | AI score 5.9 | EPSS 0.00602
Exploits: 0 | References: 5

RedhatCVE
added 2026/01/31 3:21 p.m., 8 views

CVE-2026-22625

Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files...

CVSS 4.6 | AI score 5.9 | EPSS 0.00235
Exploits: 0 | References: 1

Positive Technologies
added 2026/01/31 12:0 a.m., 5 views

PT-2026-5550

SunFounder Pironman Dashboard pm dashboard version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can...

CVSS 9.3 | AI score 6 | EPSS 0.00602
Exploits: 0 | References: 5

ATTACKERKB
added 2026/01/30 10:7 p.m., 4 views

CVE-2020-37034

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system file...

CVSS 8.7 | AI score 6 | EPSS 0.00975
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2026/01/30 9:59 p.m., 26 views

CVE-2026-25154 LocalSend has Stored XSS in Web Share Interface via Filename

LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a loca...

CVSS 6.1 | EPSS 0.00278
Exploits: 1 | References: 2

Vulnrichment
added 2026/01/30 9:59 p.m., 3 views

CVE-2026-25154 LocalSend has Stored XSS in Web Share Interface via Filename

LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a loca...

CVSS 6.1 | AI score 5.3 | EPSS 0.00278
Exploits: 1 | References: 2

CVE
added 2026/01/30 9:59 p.m., 37 views

CVE-2026-25154

CVE-2026-25154 affects LocalSend (versions up to and including 1.17.0). The Red Hat/NVD/OSV/CVE list entries describe a Stored XSS vulnerability in the Web Share Interface via the filename, with the client-side logic in app/assets/web/main.js and a patch in commit 8f3cec85aa29b2b13fed9b2f8e499e1a...

CVSS 6.1 | AI score 5.8 | EPSS 0.00278
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/01/30 9:59 p.m., 6 views

CVE-2026-25154 LocalSend has Stored XSS in Web Share Interface via Filename

LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a loca...

CVSS 6.1 | AI score 5.8 | EPSS 0.00278
Exploits: 1 | References: 4

RedhatCVE
added 2026/01/30 9:23 p.m., 6 views

CVE-2026-1623

A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and...

CVSS 6.5 | AI score 5.7 | EPSS 0.01983
Exploits: 1 | References: 1

NVD
added 2026/01/30 11:15 a.m., 4 views

CVE-2026-22625

Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files...

CVSS 4.6 | EPSS 0.00235
Exploits: 0 | References: 1

Cvelist
added 2026/01/30 11:3 a.m., 27 views

CVE-2026-22625

Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files...

CVSS 4.6 | EPSS 0.00235
Exploits: 0 | References: 1