848 matches found
LOLLMS WebUI - Absolute Path Traversal
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the openfile endpoint of lollmsadvanced.py. The sanitizepath function with allowabsolutepath=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can...
Incorrect Default Permissions
Overview Affected versions of this package are vulnerable to Incorrect Default Permissions due to insecure default permissions that grant regular users elevated privileges. An attacker can gain unauthorized access to host files and execute code with root-level privileges by leveraging authenticat...
EUVD-2026-31846
Files or Directories Accessible to External Parties, Server-Side Request Forgery SSRF vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files...
EUVD-2026-31833
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers c...
PT-2026-43265
Name of the Vulnerable Software and Affected Versions Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x Description A Server-Side Request Forgery SSRF and local file access issue exists where the jarURI in FlinkSessionJob is not validated. This allows a user with CR create permission...
Apache Flink Kubernetes Operator 安全漏洞
Apache Flink Kubernetes Operator is an operations component for Flink clusters developed by the Apache Foundation. Versions of Apache Flink Kubernetes Operator from 1.3.0 to 1.15.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation of the jarURI in...
CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
Summary The Fileeditor module enforces an extension allowlist 'css','js','html','txt','json','sql','md' on content-write operations saveFile, createFile, but two destructive endpoints — deleteFileOrFolder and renameFile — never validate the extension of the source path. A backend user with...
Path Traversal
Hugo is vulnerable to Path Traversal. The vulnerability is due to unrestricted execution of Node-based asset pipeline tools such as PostCSS, Babel, and TailwindCSS during site builds, allowing code from untrusted sites to read or write files outside the project's working directory when processed ...
EUVD-2026-30562
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...
EUVD-2026-30478
OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account...
Arbitrary Argument Injection
Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Arbitrary Argument Injection in a push operation. A user with permission to create or modify workflows can read arbitrary files on the server by injecting CLI flags during workflow creation or...
CVE-2026-42137
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...
HPE Aruba Networking Wireless Operating System 安全漏洞
HPE Aruba Networking Wireless Operating System is a wireless network operating system developed by the American company HPE. There are security vulnerabilities in the HPE Aruba Networking Wireless Operating System. These vulnerabilities stem from vulnerabilities in the web-based management...
CVE-2026-42137
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42137 Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42137
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42137 Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42137
Kirby CVE-2026-42137 affects the open-source Kirby CMS. Prior to versions 4.9.0 and 5.4.0, the Panel and REST API did not consistently enforce pages.access/list and files.access/list permissions, enabling missing authorization in some collections and related models. The issue has been fixed in Ki...
EUVD-2026-28889
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...
Kirby 安全漏洞
Kirby is a set of open-source content management systems based on files. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from insufficient checks for consistency in permissions for functions like Panel and REST API’s pages.access/list and...