PT-2026-36089

Name of the Vulnerable Software and Affected Versions JetBrains IntelliJ IDEA versions prior to 2024.3.7.1 JetBrains IntelliJ IDEA versions prior to 2025.1.7.1 JetBrains IntelliJ IDEA versions prior to 2025.2.6.2 JetBrains IntelliJ IDEA versions prior to 2025.3.4.1 JetBrains IntelliJ IDEA version...

Repetier-Server 1.4.10 - Path Traversal

Exploit Title: Repetier-Server 1.4.10 - Path Traversal Exploit Author: Mohammed Idrees Banyamer Vendor Homepage: https://www.repetier.com/ Version: str: return "..%5c" depth def attemptreadtargeturl: str, filepath: str, traversaldepth: int = 15, timeout: int = 10 - bool: traversal =...

CVE-2026-41911

OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit uploadfile and uploadimage endpoints to access files beyond the intended workspace-only filesystem policy...

CVE-2026-41911

OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit uploadfile and uploadimage endpoints to access files beyond the intended workspace-only filesystem policy...

CVE-2026-41911 OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image

OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit uploadfile and uploadimage endpoints to access files beyond the intended workspace-only filesystem policy...

CVE-2026-41911 OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image

OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit uploadfile and uploadimage endpoints to access files beyond the intended workspace-only filesystem policy...

Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)

Summary Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for example themeprimarycolor and themesecondarycolor, as well as any key...

CVE-2026-41062 WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function...

CVE-2026-39378

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

CVE-2026-41389 OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially...

CVE-2026-34428

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read...

Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

Impact The translation memory API exposed unintended endpoints, which in turn didn't do proper access control. Patches https://github.com/WeblateOrg/weblate/pull/18516 Workarounds The CDN add-on is not enabled by default. References Thanks to @spbavarva for reporting this responsibly via GitHub...

CVE-2026-35032

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint POST /LiveTv/TunerHosts, where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery SSRF via HTTP...

CVE-2026-33220

Summary: CVE-2026-33220 affects Weblate; prior to version 5.17 the translation memory API exposed unintended endpoints, which did not enforce proper access control. Affected software: Weblate (web-based localization tool); vulnerable when using the translation memory API with the CDN add-on enabl...

CVE-2026-33220 Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this featur...

WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters

Summary The directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function trygetcontentsfromlocal in objects/functionsFile.php uses...

CVE-2026-35032

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint POST /LiveTv/TunerHosts, where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery SSRF via HTTP...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /LiveTv/TunerHosts endpoint when the tuner URL is not properly validated. An attacker can read arbitrary local files and perform unauthorized requests to internal or external systems by...

Server-side Request Forgery (SSRF)

Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /LiveTv/TunerHosts endpoint when the tuner URL is not properly validated. An...

CVE-2026-35032 Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint POST /LiveTv/TunerHosts, where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery SSRF via HTTP...