CVE-2026-39544

CVE-2026-39544 affects WordPress LabtechCO theme

PT-2026-31239

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Creatives Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through = 3.9...

PT-2026-31353

Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPathfilename.name to strip path components. Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes in the upload...

CVE-2026-35399

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing...

CVE-2026-34371 LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the executecode sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences f...

CVE-2026-34371 LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the executecode sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences f...

CVE-2026-34371

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the executecode sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences f...

EUVD-2024-55537

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by...

CVE-2026-35585

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and dele...

CVE-2026-5640

A vulnerability has been found in PHPGurukul Online Shopping Portal Project 2.1. The affected element is an unknown function of the file /admin/update-image2.php of the component Parameter Handler. The manipulation of the argument filename leads to sql injection. The attack is possible to be...

CVE-2026-5641

A vulnerability was found in PHPGurukul Online Shopping Portal Project 2.1. The impacted element is an unknown function of the file /admin/update-image1.php of the component Parameter Handler. The manipulation of the argument filename results in sql injection. The attack may be performed from...

CVE-2026-5639

A flaw has been found in PHPGurukul Online Shopping Portal Project 2.1. Impacted is an unknown function of the file /admin/update-image3.php of the component Parameter Handler. Executing a manipulation of the argument filename can lead to sql injection. The attack can be executed remotely. The...

CVE-2026-31062

UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted input...

CVE-2024-36057

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by...

CVE-2024-36057

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by...

CVE-2024-36057

CVE-2024-36057 affects Koha Library prior to 23.05.10. The vulnerability stems from insufficient sanitization of user-controlled filenames before unzipping, allowing command injection via the shell in the unzip invocation within upload-cover-image.pl (example: the code executes qx/unzip $filename...

CVE-2026-5597

A flaw has been found in griptape-ai griptape 0.19.4. This affects an unknown part of the file griptape\tools\computer\tool.py of the component ComputerTool. Executing a manipulation of the argument filename can lead to path traversal. It is possible to launch the attack remotely. The exploit has...

CVE-2026-35399

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing...

CVE-2026-34975

The CVE describes a CRLF header injection vulnerability in Plunk’s SESService.ts prior to version 0.8.0. An authenticated API user could inject arbitrary email headers (e.g., Bcc, Reply-To) by embedding CRLF characters in from.name, subject, custom header keys/values, or attachment filenames, bec...

EUVD-2026-19259

UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted input...