8815 matches found
PT-2025-33206 · WordPress · Acato Wp Rest Cache
Name of the Vulnerable Software and Affected Versions: Acato WP REST Cache versions n/a through 2025.1.0 Description: Acato WP REST Cache is susceptible to a PHP Local File Inclusion due to an Improper Control of Filename for Include/Require Statement. This allows for the inclusion of local files...
PT-2025-33241 · Thembay · Urna
Name of the Vulnerable Software and Affected Versions: thembay Urna versions through 2.5.7 Description: The software contains an Improper Control of Filename for Include/Require Statement, also known as a PHP Remote File Inclusion issue. This allows for PHP Local File Inclusion. Recommendations:...
PT-2025-33306
Name of the Vulnerable Software and Affected Versions: AIDE versions prior to 0.19.2 Description: AIDE is susceptible to an improper output neutralization issue. An attacker can create a malicious filename containing terminal escape sequences to conceal file additions or removals from reports and...
PT-2025-33253
Name of the Vulnerable Software and Affected Versions: ThemeMove Unicamp versions through 2.6.3 Description: This issue involves an improper control of filename for include/require statements in a PHP program, leading to a PHP Local File Inclusion. Recommendations: Update ThemeMove Unicamp to a...
CVE-2025-8081
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the ImportImages::import function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access an...
PT-2025-32628 · WordPress · Uicore Elements
Name of the Vulnerable Software and Affected Versions: UiCore Elements – Free Elementor widgets and templates for WordPress versions up to and including 1.3.0 Description: The plugin is susceptible to arbitrary file reading via the prepare template function. This is due to a missing capability...
CLSA-2025-1754940449 Fix CVE(s): CVE-2024-46901
SECURITY UPDATE: Insufficient validation of filenames against control characters in repositories served via mod_dav_svn - debian/patches/CVE-2024-46901.patch: fix mod_dav_svn denial-of-service via control characters in paths...
BIT-LIBPHP-2021-21707 Special characters break path parsing in XML functions
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file, URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the...
BIT-LIBPYTHON-2023-41105
An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath, the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python...
SUSE-SU-2025:02751-1 Security update for ImageMagick
This update for ImageMagick fixes the following issues: - CVE-2025-53014: Fixed an off-by-one error that may cause an out-of-bounds memory access (bsc#1246530) - CVE-2025-53019: Fixed format specifiers in a filename template that may cause a memory leak (bsc#1246534)...
CVE-2025-55013
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client taskhandler.py accepts a SHA-256 value returned by the service server and uses it directly as a local...
Linux Distros Unpatched Vulnerability : CVE-2023-29542
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download...
Linux Distros Unpatched Vulnerability : CVE-2023-29539
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could...
CVE-2025-55013 Assemblyline 4 Service Client: Arbitrary Write through path traversal in Client code
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client taskhandler.py accepts a SHA-256 value returned by the service server and uses it directly as a local...
Linux Distros Unpatched Vulnerability : CVE-2025-27614
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has...
Elastic Beats Filebeat Installed (Windows)
Binary data elasticbeatsfilebeatwininstalled.nbin...
Medium: ImageMagick
Issue Overview: ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the InterpretImageFilename function. The issue stems from an off-by-one error that causes out-of-bounds memory acce...
Linux Distros Unpatched Vulnerability : CVE-2022-45415
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that...
Linux Distros Unpatched Vulnerability : CVE-2022-46874
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could...