78 matches found

EUVD
added 2025/10/03 8:07 p.m. · 8 views

EUVD-2025-24859

Malicious code in bioql PyPI...

CVSS 7 · AI score 6.4 · EPSS 0.00161
Exploits 0 · References 4
NVD
added 2025/08/06 9:15 p.m. · 3 views

CVE-2025-51056

An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE)...

CVSS 8.2 · EPSS 0.00528
Exploits 2 · References 2
CVE
added 2025/08/06 12:00 a.m. · 14 views

CVE-2025-51056

CVE-2025-51056 describes an Unrestricted File Upload in Bottinelli Informatical Vedo Suite 2024.17, exploitable via the insecure uploadPreviews() function at /api_vedo/colorways_preview. The vulnerability allows remote authenticated attackers to write to arbitrary filesystem paths and can lead to...

CVSS 8.2 · AI score 7.3 · EPSS 0.00528
Exploits 2 · References 2 · Affected software 1
AstraLinux
added 2025/02/11 7:35 a.m. · 8 views

Astra Linux – Vulnerability in Apache2

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL. This enables the attacker to execute code or disclose...

CVSS 9.1 · AI score 7.9 · EPSS 0.99957
Exploits 1 · References 3
Github Security Blog
added 2025/01/03 4:15 p.m. · 25 views

Karmada Tar Slips in CRDs archive extraction

Impact: What kind of vulnerability is it? Who is impacted? Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTPS URL, to retrieve the custom resource definitions (CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a...

CVSS 5.3 · AI score 6.8 · EPSS 0.00696
Exploits 0 · References 7 · Affected software 1
RedHat Linux
added 2024/08/13 1:18 p.m. · 3 views

httpd: Improper escaping of output in mod_rewrite

A flaw was found in the mod_rewrite module of httpd. Improper escaping of output allows an attacker to map URLs to filesystem locations permitted to be served by the server but are not intentionally or directly reachable by any URL. This issue results in code execution or source code disclosure...

CVSS 9.1 · AI score 7.4 · EPSS 0.99957
Exploits 1 · References 6
RedHat Linux
added 2024/07/24 1:18 p.m. · 2 views

httpd: Improper escaping of output in mod_rewrite

A flaw was found in the mod_rewrite module of httpd. Improper escaping of output allows an attacker to map URLs to filesystem locations permitted to be served by the server but are not intentionally or directly reachable by any URL. This issue results in code execution or source code disclosure...

CVSS 9.1 · AI score 7.4 · EPSS 0.99957
Exploits 1 · References 6
OSV
added 2024/07/01 7:15 p.m. · 5 views

DEBIAN-CVE-2024-38475

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure...

CVSS 9.1 · AI score 9.2 · EPSS 0.99957
Exploits 1 · References 1
CNNVD
added 2024/06/06 12:00 a.m. · 3 views

h2o Information Disclosure Vulnerability

h2o is a new generation of HTTP server. Not only is it very fast compared to older generation HTTP servers, but it also provides faster response to the end user. An information disclosure vulnerability exists in h2o-3 version 3.40.0.4, which stems from the presence of a sensitive information...

CVSS 5.3 · AI score 6.2 · EPSS 0.00835
Exploits 1 · References 2
NVD
added 2024/01/19 8:15 p.m. · 25 views

CVE-2024-23331

Vite is a frontend tooling framework for JavaScript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably, this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...

CVSS 7.5 · AI score 7.4 · EPSS 0.00791
Exploits 1 · References 3
OSV
added 2023/06/09 7:31 p.m. · 12 views

GHSA-VCVG-XGR8-P5GQ Arbitrary file read using percent-encoded relative paths in FileMiddleware

Impact: Attackers can access data at arbitrary filesystem paths on the same host as an application using FileMiddleware. Patches: Version 4.29.4. Workarounds: Upgrade to 4.24.4 or later, or disable FileMiddleware. References: Introduced in https://github.com/vapor/vapor/pull/2223. Fixed by...

CVSS 6.5 · AI score 7.2 · EPSS 0.01511
Exploits 0 · References 5
GitLab Advisory Database
added 2023/06/09 12:00 a.m. · 14 views

Arbitrary file read using percent-encoded relative paths in FileMiddleware

Attackers can access data at arbitrary filesystem paths on the same host as an application using FileMiddleware...

CVSS 8.5 · AI score 6.9 · EPSS 0.01511
Exploits 0 · References 6 · Affected software 1
Veracode
added 2023/03/11 9:44 p.m. · 34 views

XML External Entity (XXE)

php-dompdf is vulnerable to XML External Entity (XXE) attacks. SVG images are not processed through Dompdf's resource validation logic, allowing attackers to use remote resources, local filesystem paths, and vulnerable protocols without restriction...

CVSS 9.8 · AI score 6.1 · EPSS 0.00924
Exploits 1 · References 3 · Affected software 1
OSV
added 2022/10/07 7:22 a.m. · 23 views

GHSA-9JJW-HF72-3MXW TensorFlow vulnerable to heap out of bounds read in filesystem glob matching

Impact: The general implementation for matching filesystem paths to a globbing pattern is vulnerable to an out-of-bounds access of the array holding the directories: if (!fs->Match(child_path, dirs[dir_index])) ... Since dir_index is unconditionally incremented outside of the lambda function where the...

CVSS 9.1 · AI score 7.4 · EPSS 0.00663
Exploits 1 · References 11
RedhatCVE
added 2022/05/21 12:15 a.m. · 27 views

CVE-2020-13696

An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to...

CVSS 5.1 · AI score 3.7 · EPSS 0.00355
Exploits 0 · References 1
Positive Technologies
added 2022/02/09 12:00 a.m. · 5 views

PT-2022-16134 · Unknown · Xwiki Platform

Name of the vulnerable software and affected versions: XWiki Platform versions prior to 13.6-rc-1. Description: The issue arises from the AbstractSxExportURLFactoryActionHandler#processSx function not properly escaping SSX document references when serializing them on the filesystem. This allows the...

CVSS 6.8 · AI score 5.6 · EPSS 0.00942
Exploits 0 · References 10
NVD
added 2020/10/02 7:15 p.m. · 18 views

CVE-2020-15230

Vapor is a web framework for Swift. In Vapor before version 4.29.4, attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4...

CVSS 8.5 · EPSS 0.01511
Exploits 0 · References 3
Prion
added 2020/10/02 7:15 p.m. · 21 views

Design/Logic Flaw

Vapor is a web framework for Swift. In Vapor before version 4.29.4, attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4...

CVSS 4 · AI score 6.4 · EPSS 0.01511
Exploits 0 · References 3 · Affected software 1
OSV
added 2020/07/01 5:15 p.m. · 1 view

CVE-2020-14057

Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments...

CVSS 9.8 · AI score 7.9 · EPSS 0.02576
Exploits 0 · References 2
Prion
added 2020/07/01 5:15 p.m. · 13 views

Remote code execution

Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments...

CVSS 7.5 · AI score 9.6 · EPSS 0.02576
Exploits 0 · References 2 · Affected software 1