
700 matches found

Snyk
added 2025/04/07 6:52 p.m. · 2 views

Incomplete List of Disallowed Inputs

Overview: picklescan is a security scanner that detects Python pickle files performing suspicious actions. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in scanner.py, which does not include ssl or other modules that can be leveraged for remote operations. An...

CVSS 7.5 · AI score 6.6 · EPSS 0.00332
Exploits 1 · References 2
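The picklescan entry above describes the classic denylist failure: a scanner that flags known-dangerous modules but stays silent on anything it has not enumerated. The example below is added here and is not picklescan's code; the denylist and allowlist are constructed for illustration (the denylist deliberately omits ssl, mirroring the advisory), and the three pickles are hand-built protocol 0 byte strings that are only parsed with pickletools, never loaded.

```python
import pickletools

# Constructed, illustrative denylist. It is NOT picklescan's real list; it is
# deliberately missing "ssl" to mirror the advisory's point.
DENYLIST_MODULES = {"os", "subprocess", "builtins", "socket", "sys"}

# Hypothetical allowlist of (module, name) pairs one application is willing to
# unpickle; a real deployment derives this from the classes it expects.
ALLOWLIST = {("collections", "OrderedDict"), ("numpy", "ndarray")}

# Constructed protocol-0 pickles. None of them is ever executed here.
SSL_PICKLE = b"cssl\nget_server_certificate\n(S'example.com'\ntR."
OS_PICKLE = b"cos\nsystem\n(S'id'\ntR."
BENIGN_PICKLE = b"ccollections\nOrderedDict\n(tR."

# Opcodes that push a string; STACK_GLOBAL takes module and name from these.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """Return every (module, name) the pickle would import, without loading it."""
    refs = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops yields "module name"
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("malformed STACK_GLOBAL")
            refs.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in _STRING_OPS:
            recent_strings.append(arg)
    return refs


def denylist_scan(data: bytes):
    """Flag only globals whose top-level module is on the denylist."""
    return [(m, n) for m, n in referenced_globals(data)
            if m.split(".", 1)[0] in DENYLIST_MODULES]


def allowlist_scan(data: bytes):
    """Flag every global that is not explicitly allowed (default deny)."""
    return [(m, n) for m, n in referenced_globals(data)
            if (m, n) not in ALLOWLIST]


if __name__ == "__main__":
    for label, blob in [("ssl", SSL_PICKLE), ("os", OS_PICKLE), ("benign", BENIGN_PICKLE)]:
        print(label, "denylist:", denylist_scan(blob), "allowlist:", allowlist_scan(blob))
```

The denylist scan reports the os.system pickle but passes the ssl one; the allowlist scan catches both and leaves the OrderedDict pickle alone. Whatever scanner sits in front of an unpickler, the unpickler itself should still enforce an allowlist (for example by overriding find_class on a pickle.Unpickler subclass), because any static denylist will be incomplete.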
Tenable Nessus
added 2025/04/04 12:00 a.m. · 18 views

Mitel MiCollab <= 9.8 SP2 (9.8.2.12) Multiple Vulnerabilities (MISA-2024-0029)

According to its self-reported version, the instance of Mitel MiCollab running on the remote web server is prior to 9.8 SP2 (9.8.2.12) and is, therefore, affected by multiple vulnerabilities: - A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2...

CVSS 9.1 · AI score 8.8 · EPSS 0.93912
Exploits 3 · References 3
OSV
added 2025/03/28 2:15 p.m. · 0 views

CVE-2025-1781

There is an XXE in W3C CSS Validator versions before cssval-20250226 that allows an attacker to use specially-crafted XML objects to coerce server-side request forgery (SSRF). This could be exploited to read arbitrary local files if an attacker has access to exception messages...

CVSS 6.5 · AI score 5.8 · EPSS 0.00463
Exploits 1 · References 1
RedhatCVE
added 2025/03/27 5:10 a.m. · 4 views

CVE-2024-45480

An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL 4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system...

CVSS 9.2 · AI score 7 · EPSS 0.00206
Exploits 0 · References 1
RedhatCVE
added 2025/03/22 11:58 a.m. · 4 views

CVE-2024-10986

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks...

CVSS 8.8 · AI score 6.7 · EPSS 0.00297
Exploits 1 · References 1
Github Security Blog
added 2025/03/20 12:32 p.m. · 10 views

MLflow has a Local File Read/Path Traversal in dbfs

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVSS 7.5 · AI score 6.6 · EPSS 0.25693
Exploits 1 · References 4 · Affected Software 1
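The MLflow entry above turns on a check that looks only at the path component of a user-supplied URL before the URL is handed to a file-protocol handler. The example below is added here to show that failure mode beside a component-by-component validator; it is not MLflow's code. The "dbfs" scheme name, the artifact root directory and the sample URLs are assumptions made for the illustration.

```python
import os
from urllib.parse import unquote, urlsplit

# Hypothetical directory the handler is allowed to serve from.
ARTIFACT_ROOT = "/srv/artifacts"


def naive_resolve(url: str) -> str:
    """Path-only check of the kind the advisory describes: the scheme and host
    are never inspected and percent-encoding is not decoded before the test."""
    path = urlsplit(url).path
    if ".." in path.split("/"):
        raise ValueError("path traversal")
    return path  # handed to the file protocol as-is


def safe_resolve(url: str, root: str = ARTIFACT_ROOT, scheme: str = "dbfs") -> str:
    """Validate every URL component, then confine the decoded path to root."""
    parts = urlsplit(url)
    if parts.scheme != scheme:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.netloc:
        raise ValueError("host component not allowed")
    # Decode first so %2e%2e and friends cannot slip past the containment test.
    rel = unquote(parts.path).lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("escapes artifact root")
    return candidate


def is_accepted(url: str) -> bool:
    """Convenience wrapper: True when safe_resolve accepts the URL."""
    try:
        safe_resolve(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one legitimate, two that abuse scheme or encoding.
    for u in ("dbfs:/runs/1/model.pkl",
              "file:///etc/passwd",
              "dbfs:/runs/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        try:
            print(u, "naive ->", naive_resolve(u))
        except ValueError as e:
            print(u, "naive rejected:", e)
        print(u, "safe accepted:", is_accepted(url=u))
```

The naive resolver returns /etc/passwd for the file:// URL and returns the percent-encoded traversal untouched, leaving the downstream file layer to decode it; the strict resolver refuses both and accepts only a dbfs URL whose decoded path stays under the artifact root.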
OSV
added 2025/03/20 10:15 a.m. · 2 views

CVE-2024-10986

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks...

CVSS 8.8 · AI score 8.4
Exploits 0 · References 1
NVD
added 2025/03/20 10:15 a.m. · 3 views

CVE-2024-10986

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks...

CVSS 8.8 · EPSS 0.00297
Exploits 1 · References 1
Vulnrichment
added 2025/03/20 10:10 a.m. · 7 views

CVE-2024-10986 Local File Read (LFI) by Tarslip Symlink via arxiv_download() API in binary-husky/gpt_academic

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks...

CVSS 8.8 · AI score 8.4 · EPSS 0.00297
Exploits 1 · References 1
Cvelist
added 2025/03/20 10:10 a.m. · 6 views

CVE-2024-10986 Local File Read (LFI) by Tarslip Symlink via arxiv_download() API in binary-husky/gpt_academic

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks...

CVSS 8.8 · EPSS 0.00297
Exploits 1 · References 1
CVE
added 2025/03/20 10:10 a.m. · 40 views

CVE-2024-10986

GPT Academic version 3.83 exposes a Local File Read (LFI) through HotReload, which downloads and extracts tar.gz files from arxiv.org. Although path traversal protections exist, the Tarslip caused by symlinks is not mitigated, enabling an attacker to read arbitrary local files on the victim serve...

CVSS 8.8 · AI score 8.4 · EPSS 0.00297
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2025/03/20 10:10 a.m. · 9 views

CVE-2024-8055 Local File Read (LFI) by Prompt Injection via SnowFlake SQL in vanna-ai/vanna

Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the PUT and COPY commands. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, such as /etc/passwd, by exploiting the exposed SQL queries...

CVSS 7.5 · EPSS 0.00288
Exploits 0 · References 1
Vulnrichment
added 2025/03/20 10:10 a.m. · 5 views

CVE-2024-8055 Local File Read (LFI) by Prompt Injection via SnowFlake SQL in vanna-ai/vanna

Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the PUT and COPY commands. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, such as /etc/passwd, by exploiting the exposed SQL queries...

CVSS 7.5 · AI score 7.8 · EPSS 0.00288
Exploits 0 · References 1
Positive Technologies
added 2025/03/20 12:00 a.m. · 3 views

PT-2025-12087 · Unknown · Gpt Academic

Name of the Vulnerable Software and Affected Versions: GPT Academic version 3.83. Description: The issue concerns a Local File Read (LFI) vulnerability through the HotReload function, which can download and extract tar.gz files from arxiv.org. Despite protections against path traversal, the...

CVSS 8.8 · AI score 8.3 · EPSS 0.00297
Exploits 1 · References 6
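The CVE-2024-10986 entries above (RedhatCVE, OSV, NVD, Vulnrichment, Cvelist, CVE and this Positive Technologies record) all describe the same gap: a tar extractor that checks member names for ".." and absolute paths but never looks at where a symlink member points, so a later read of the extracted "file" follows the link out of the extraction directory. The example below is added here and is not GPT Academic's code. It builds a constructed archive in memory (a harmless README plus a symlink member named like a TeX source that points at /etc/passwd) and runs each member through a name-only check and a check that also confines link targets; the member names and link target are assumptions for the illustration.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed archive: one regular file plus a symlink member whose
    target is an absolute path outside any extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"\\documentclass{article}\n"
        readme = tarfile.TarInfo("paper/README")
        readme.size = len(body)
        tar.addfile(readme, io.BytesIO(body))
        link = tarfile.TarInfo("paper/main.tex")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"  # followed when the app later opens main.tex
        tar.addfile(link)
    return buf.getvalue()


SAMPLE_TAR = build_sample_tar()


def naive_member_ok(member: tarfile.TarInfo) -> bool:
    """Path-traversal check that inspects only the member name."""
    name = member.name
    return not os.path.isabs(name) and ".." not in name.split("/")


def _contained(root: str, path: str) -> bool:
    """True when path, after resolving symlinks, stays under root."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_member_ok(member: tarfile.TarInfo, dest: str) -> bool:
    """Name check plus link-target check; device and fifo members are refused."""
    root = os.path.realpath(dest)
    target = os.path.join(root, member.name)
    if not _contained(root, target):
        return False
    if member.issym():
        # A symlink target is relative to the link's own directory.
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        return _contained(root, link_target)
    if member.islnk():
        # A hard-link target is relative to the archive root.
        return _contained(root, os.path.join(root, member.linkname))
    return member.isfile() or member.isdir()


def classify_members(data: bytes, dest: str = ""):
    """Map each member name to (name_only_verdict, link_aware_verdict)."""
    dest = dest or tempfile.mkdtemp()
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            verdicts[m.name] = (naive_member_ok(m), safe_member_ok(m, dest))
    return verdicts


if __name__ == "__main__":
    for name, (naive, safe) in classify_members(SAMPLE_TAR).items():
        print(f"{name}: name-only check {naive}, link-aware check {safe}")
```

The name-only check accepts paper/main.tex because the name itself is clean; the link-aware check rejects it because its target resolves outside the extraction directory. Apply the check to each member immediately before extracting it, since a symlink extracted earlier changes what later names resolve to; on Python 3.12 and later (and the patched 3.8 to 3.11 releases) tarfile's extractall(filter="data") performs the equivalent checks and is the simpler option.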
Cvelist
added 2025/02/18 6:42 p.m. · 7 views

CVE-2025-25284 Path Traversal and Local File Read via VRT (Virtual Format) in ZOO-Project WPS Implementation

The ZOO-Project is an open source processing platform, released under the MIT/X11 Licence. A vulnerability in ZOO-Project's WPS (Web Processing Service) implementation allows unauthorized access to files outside the intended directory through path traversal. Specifically, the GdalTranslate service, whe...

CVSS 8.7 · EPSS 0.00269
Exploits 0 · References 2
Vulnrichment
added 2025/02/18 6:42 p.m. · 5 views

CVE-2025-25284 Path Traversal and Local File Read via VRT (Virtual Format) in ZOO-Project WPS Implementation

The ZOO-Project is an open source processing platform, released under the MIT/X11 Licence. A vulnerability in ZOO-Project's WPS (Web Processing Service) implementation allows unauthorized access to files outside the intended directory through path traversal. Specifically, the GdalTranslate service, whe...

CVSS 8.7 · AI score 6.5 · EPSS 0.00269
Exploits 0 · References 2
SUSE CVE
added 2025/02/11 3:47 a.m. · 1 views

SUSE CVE-2025-24787

WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string concatenation to build...

CVSS 7.5 · AI score 7.1 · EPSS 0.00183
Exploits 0 · References 3
CNNVD
added 2025/02/06 12:00 a.m. · 1 views

WhoDB security vulnerability

WhoDB is an open source data browser from Clidey. A security vulnerability exists in WhoDB 0.45.0 and earlier versions, stemming from a failure to escape or encode user input, which allows an attacker to read local files via injected parameters such as &allowAllFiles=true...

CVSS 8.6 · AI score 6.4 · EPSS 0.00183
Exploits 0 · References 2
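The two WhoDB entries above describe connection-string parameter injection: when a DSN is assembled by string concatenation, a value such as a charset can carry "&allowAllFiles=true" and switch on a driver option that lets the server-side client read local files. The example below is added here and is not WhoDB's code (WhoDB is written in Go; this is a Python illustration of the same DSN shape). The DSN layout follows the Go MySQL driver's user:password@tcp(host:port)/db?k=v form, where allowAllFiles is a real driver option; the allowed-parameter set and the sample credentials are assumptions.

```python
from urllib.parse import parse_qs, quote, urlencode

# Hypothetical set of query parameters the application is prepared to forward
# to the driver. Any other key coming from a user is refused outright.
ALLOWED_PARAMS = {"charset", "parseTime"}


def naive_dsn(user, password, host, port, database, params: dict) -> str:
    """Concatenation-style builder of the kind the advisory describes:
    values are spliced into the query string unencoded."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{user}:{password}@tcp({host}:{port})/{database}?{query}"


def safe_dsn(user, password, host, port, database, params: dict) -> str:
    """Allowlist the keys and percent-encode every value so a value can never
    introduce a second key such as allowAllFiles."""
    for key in params:
        if key not in ALLOWED_PARAMS:
            raise ValueError(f"parameter {key!r} not allowed")
    query = urlencode(params)  # encodes '&' and '=' inside values
    return (f"{quote(user, safe='')}:{quote(password, safe='')}"
            f"@tcp({host}:{int(port)})/{quote(database, safe='')}?{query}")


def effective_params(dsn: str) -> dict:
    """What the driver would actually see: parse the query back out."""
    query = dsn.split("?", 1)[1] if "?" in dsn else ""
    return {k: v[-1] for k, v in parse_qs(query).items()}


def is_accepted(params: dict) -> bool:
    """True when safe_dsn accepts the parameter set."""
    try:
        safe_dsn("app", "pw", "db.internal", 3306, "shop", params)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed attacker-controlled value: a charset that smuggles a new key.
    payload = {"charset": "utf8mb4&allowAllFiles=true"}
    print("naive:", effective_params(naive_dsn("app", "pw", "db.internal", 3306, "shop", payload)))
    print("safe: ", effective_params(safe_dsn("app", "pw", "db.internal", 3306, "shop", payload)))
    print("explicit allowAllFiles accepted?", is_accepted({"allowAllFiles": "true"}))
```

With the naive builder the driver sees allowAllFiles=true as a separate option; with the encoding builder the whole payload stays inside the charset value, and an attempt to pass allowAllFiles as its own key is rejected before any DSN is formed. Prefer the driver's own config/struct API over hand-built DSN strings wherever one exists.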
RedhatCVE
added 2025/02/05 9:17 a.m. · 16 views

CVE-2024-56509

changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur when user input is...

CVSS 8.6 · AI score 6.6 · EPSS 0.00096
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 6:37 a.m. · 5 views

CVE-2024-5334

A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshotpath' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with...

CVSS 7.5 · AI score 7.3 · EPSS 0.6275
Exploits 1 · References 1