77 matches found

Nuclei | added 17 hours ago | 7 views

changedetection.io <= 0.52.9 - Unauthenticated Path Traversal

changedetection.io / route, letting unauthenticated attackers read local application source files. id: CVE-2026-25527 info: name: changedetection.io / route, letting unauthenticated attackers read local application source files. impact: | Unauthenticated attackers can read local application sourc...

CVSS 5.3 | AI score 5.2 | EPSS 0.0074
Exploits 1 | References 2
CNNVD | added 2026/06/11 12:00 a.m. | 4 views

Perry Path Traversal Vulnerability

Perry is a tool developed by Perry OpenSource that compiles TypeScript into native executable files. Versions of Perry prior to 0.5.1159 contained a path traversal vulnerability. This vulnerability allows malicious attackers to write arbitrary content to any writable location within the running...

CVSS 8.6 | AI score 5.4 | EPSS 0.00379
Exploits 0 | References 1
Snyk | added 2026/05/04 8:56 p.m. | 6 views

XML External Entity (XXE) Injection

Overview: changedetection.io is a website change detection and monitoring service. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the xpathfilter process. An attacker can access sensitive local files by supplying crafted XML or RSS content containing...

CVSS 8.2 | AI score 5.9 | EPSS 0.00266
Exploits 0 | References 2
EUVD | added 2026/04/08 12:08 a.m. | 3 views

EUVD-2026-19883

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs...

CVSS 7.6 | AI score 5.9 | EPSS 0.00412
Exploits 0 | References 2
Vulnrichment | added 2026/04/07 7:24 p.m. | 1 view

CVE-2026-39369 WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storag...

CVSS 7.6 | AI score 5.8 | EPSS 0.00412
Exploits 0 | References 2
CVE | added 2026/04/07 7:24 p.m. | 6 views

CVE-2026-39369

WWBN AVideo (versions 26.0 and earlier) contains a vulnerability in objects/aVideoEncoderReceiveImage.json.php that allows an authenticated uploader to fetch attacker-controlled same-origin /videos/ URLs and bypass traversal scrubbing. This can expose server-local files (e.g., /etc/passwd or appl...

CVSS 7.6 | AI score 5.8 | EPSS 0.00412
Exploits 0 | References 2 | Affected Software 1
RedhatCVE | added 2026/03/26 3:07 p.m. | 2 views

CVE-2026-4270

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions = 0.2.14 and 1.3.9 on all platforms and may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To...

CVSS 6.8 | AI score 5.9 | EPSS 0.00131
Exploits 0 | References 1
Vulnrichment | added 2026/03/24 8:44 p.m. | 2 views

CVE-2026-3912 TIBCO ActiveMatrix BusinessWorks Injection Vulnerability

Injection vulnerabilities due to validation/sanitisation of user-supplied input in ActiveMatrix BusinessWorks and Enterprise Administrator allow information disclosure, including exposure of accessible local files and host system details, and may allow manipulation of application behaviour...

CVSS 8.7 | AI score 5.7 | EPSS 0.00333
Exploits 0 | References 1
Cvelist | added 2026/03/24 8:44 p.m. | 21 views

CVE-2026-3912 TIBCO ActiveMatrix BusinessWorks Injection Vulnerability

Injection vulnerabilities due to validation/sanitisation of user-supplied input in ActiveMatrix BusinessWorks and Enterprise Administrator allow information disclosure, including exposure of accessible local files and host system details, and may allow manipulation of application behaviour...

CVSS 8.7 | EPSS 0.00333
Exploits 0 | References 1
EUVD | added 2026/03/17 8:33 p.m. | 2 views

EUVD-2026-12474

AWS API MCP File Access Restriction Bypass...

CVSS 6.8 | AI score 5.8 | EPSS 0.00131
Exploits 0 | References 4
NVD | added 2026/03/16 5:16 p.m. | 1 view

CVE-2026-4270

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions = 0.2.14 and 1.3.9 on all platforms and may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To...

CVSS 6.8 | EPSS 0.00131
Exploits 0 | References 2
OSV | added 2026/03/16 5:16 p.m. | 6 views

PYSEC-2026-162

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions = 0.2.14 and 1.3.9 on all platforms and may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To...

CVSS 6.8 | AI score 5.9 | EPSS 0.00131
Exploits 0 | References 3
VulnCheck KEV | added 2026/03/11 12:00 a.m. | 12 views

VulnCheck KEV: CVE-2024-4841

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'addreferencetolocalmode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders,...

CVSS 4 | AI score 5.8 | EPSS 0.00674
In the wild | Exploits 1 | References 6
OSV | added 2026/03/03 12:20 a.m. | 4 views

GHSA-RX3G-MVC3-QFJF OpenClaw's avatar symlink traversal can expose out-of-workspace local files

Summary: OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.22 so after npm release, the remaining action is to publis...

CVSS 6.8 | AI score 5.9 | EPSS 0.00327
Exploits 0 | References 6
Github Security Blog | added 2026/03/03 12:20 a.m. | 8 views

OpenClaw's avatar symlink traversal can expose out-of-workspace local files

Summary: OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.22 so after npm release, the remaining action is to publis...

CVSS 7.5 | AI score 5.9 | EPSS 0.00327
Exploits 0 | References 6 | Affected Software 1
CNNVD | added 2026/02/24 12:00 a.m. | 3 views

ImageMagick Path Traversal Vulnerability

ImageMagick is a set of open-source image processing software developed by the ImageMagick project. It allows for reading, converting, and writing images in various formats. Versions of ImageMagick prior to 7.1.2-15 and 6.9.13-40 contained a path traversal vulnerability. This vulnerability stemme...

CVSS 8.6 | AI score 7.2 | EPSS 0.00751
Exploits 0 | References 2
GithubExploit | added 2026/01/09 1:14 a.m. | 233 views

Exploit for CVE-2025-45955

CVE-2025-45955 🕳️ Server-Side Request Forgery in DonWeb Ferozo...

AI score 6.8
Exploits 1
NVD | added 2026/01/05 2:15 p.m. | 6 views

CVE-2025-68280

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the...

CVSS 6.5 | EPSS 0.00582
Exploits 0 | References 3
OSV | added 2026/01/05 2:15 p.m. | 4 views

CVE-2025-68280

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the...

CVSS 6.5 | AI score 5.6
Exploits 0 | References 3
NVD | added 2025/12/18 5:15 p.m. | 2 views

CVE-2025-14896

due to insufficient sanitization in Vega's convert function when safeMode is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitiv...

CVSS 8.7 | EPSS 0.0025
Exploits 0 | References 1