CVE-2024-13171

Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required...

jinja2: Jinja has a sandbox breakout through malicious filenames

A flaw was found in the Jinja2 package. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of Jinja's sandbox being used. An attacker needs to be able to control both the filename and the contents o...

CVE-2024-12274

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files if they exist...

OESA-2025-1030 python-jinja2 security update

Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications...

Viwis LMS 代码注入漏洞

Viwis LMS is a Learning Management System from Viwis Corporation, USA. A code injection vulnerability exists in Viwis LMS version 9.11, which stems from a cross-site scripting attack caused by manipulation of the filename parameter in the file upload component...

CVE-2024-49649

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through = 1.0.23...

PT-2025-4476 · Service Shogun · Ach Invoice App

Name of the Vulnerable Software and Affected Versions: Ach Invoice App versions 1.0.1 and earlier Description: The issue is related to improper control of filenames for Include/Require statements in PHP, allowing PHP Local File Inclusion. This problem affects the Service Shogun Ach Invoice App,...

PT-2025-2983 · Rezgo · Rezgo

Name of the Vulnerable Software and Affected Versions: Rezgo versions n/a through 4.15 Description: The issue is related to improper control of filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' or 'PHP Local File Inclusion'. This problem allows the...

OESA-2025-1008 python-jinja2 security update

Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications...

OESA-2025-1007 python-jinja2 security update

Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications...

OESA-2025-1006 python-jinja2 security update

Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications...

PT-2026-4366

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory leak exists in the get file all info function within the ksmbd module. If the vfs getattr function fails, the allocated filename is not freed before the function returns,...

CVE-2024-56216

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Themify Themify Builder allows PHP Local File Inclusion.This issue affects Themify Builder: from n/a through 7.6.3...

PT-2024-36766 · Woocommerce · Dynamic Product Category Grid

Name of the Vulnerable Software and Affected Versions: Dynamic Product Category Grid, Slider for WooCommerce versions 1.1.3 and earlier Description: The issue is related to improper control of filename for Include/Require Statement in PHP Program, allowing PHP Local File Inclusion. This problem c...

CVE-2024-11605

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-11605

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-11605 WP Publications <= 1.2 - Admin+ Stored XSS

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

SUSE CVE-2024-56201

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability...

GHSA-GMJ6-6F8F-6699 Jinja has a sandbox breakout through malicious filenames

A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether...

Improper Neutralization

Overview Affected versions of this package are vulnerable to Improper Neutralization when importing a macro in a template whose filename is also a template. This will result in a SyntaxError: f-string: invalid syntax error message because the filename is not properly escaped, indicating that it i...