
17 matches found

OSV
added 2026/05/07 4:39 p.m., 8 views

GHSA-MCFX-4VC6-QGXV BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context

Summary: BentoML's `bentoml build` packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a...

5.5 CVSS, 5.7 AI score, 0.00284 EPSS
Exploits 1, References 5

CNNVD
added 2026/05/04 12:0 a.m., 8 views

Apache OpenNLP code issue vulnerability

Apache OpenNLP is a natural language processing toolkit developed by the Apache Foundation. Versions of Apache OpenNLP prior to 2.5.9 and 3.0.0-M3 contained code vulnerabilities. These vulnerabilities stemmed from the lack of enabling FEATURE_SECURE_PROCESSING or disabling DTD processing during the...

9.1 CVSS, 5.9 AI score, 0.00403 EPSS
Exploits 0, References 1

CNVD
added 2026/03/02 12:0 a.m., 3 views

OpenClaw path traversal vulnerability (CNVD-2026-13427)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a path traversal vulnerability. The vulnerability stems from the Feishu extension that allows sendMediaFeishu to treat an attacker-controlled mediaUrl value as a local file system path and read it...

7.5 CVSS, 5.8 AI score, 0.00482 EPSS
Exploits 0, References 1

CNNVD
added 2026/02/06 12:0 a.m., 7 views

Asterisk code issue vulnerability

Asterisk is a software for PBX systems developed by Asterisk OpenSource. It runs on Linux systems and supports IP calls using SIP, IAX, and H323 protocols. There were code vulnerabilities in versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. These vulnerabilities stemmed from...

6.5 CVSS, 5.9 AI score, 0.00176 EPSS
Exploits 0, References 3

OSV
added 2025/10/22 8:15 p.m., 4 views

UBUNTU-CVE-2025-62611

aiomysql is a library for accessing a MySQL database from asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to the MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL...

8.2 CVSS, 5.9 AI score, 0.00354 EPSS
Exploits 0, References 5

OSV
added 2025/10/16 4:48 p.m., 4 views

CVE-2025-58051 Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server, and when their format is supported by the used PhpSpreadsheet library they would be included and their content leake...

6.5 CVSS, 6.8 AI score, 0.00485 EPSS
Exploits 0, References 5

EUVD
added 2025/10/07 12:30 a.m., 6 views

EUVD-2020-1475

Malware in sbrugna...

7.5 CVSS, 7.5 AI score, 0.01678 EPSS
Exploits 0, References 5

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-11392

Malware in sbrugna...

7.5 CVSS, 7.5 AI score, 0.01163 EPSS
Exploits 0, References 2

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-5764

Malicious code in bioql PyPI...

6.5 CVSS, 6.9 AI score, 0.03254 EPSS
Exploits 0, References 11

NVD
added 2025/06/18 5:15 a.m., 6 views

CVE-2025-50202

Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other users' uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue h...

7.5 CVSS, 0.00519 EPSS
Exploits 0, References 3

CNNVD
added 2021/04/30 12:0 a.m., 4 views

Grafana input validation error vulnerability

Grafana is a set of open source monitoring tools from Grafana Labs that provide a visual monitoring interface. The tool is primarily used to monitor and analyze Graphite, InfluxDB, and Prometheus, among others. A security vulnerability exists in Grafana Enterprise Metrics versions prior to 1.2.1...

5.5 CVSS, 5.8 AI score, 0.00277 EPSS
Exploits 0, References 5

OpenVAS
added 2018/12/12 12:0 a.m., 42 views

phpMyAdmin 4.x < 4.8.4 Multiple Vulnerabilities (PMASA-2018-6, PMASA-2018-8) - Linux

phpMyAdmin is prone to multiple security vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

6.5 CVSS, 6.9 AI score, 0.03254 EPSS
Exploits 0, References 2

Prion
added 2018/12/11 5:29 p.m., 30 views

Code injection

An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has...

4 CVSS, 6.3 AI score, 0.03254 EPSS
Exploits 0, References 4, Affected Software 2

OSV
added 2018/12/11 5:29 p.m., 4 views

DEBIAN-CVE-2018-19968

An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has...

6.5 CVSS, 9.2 AI score, 0.03254 EPSS
Exploits 0, References 1

CVE
added 2018/12/11 5:0 p.m., 159 views

CVE-2018-19968

CVE-2018-19968 affects phpMyAdmin prior to 4.8.4. An attacker can leak the contents of a local file due to an error in the transformation feature. Exploitation requires access to the phpMyAdmin Configuration Storage tables (which can be created by the attacker in any database they can access) and...

6.5 CVSS, 6.2 AI score, 0.03254 EPSS
Exploits 0, References 4, Affected Software 1

Elastic
added 2018/12/05 7:42 p.m., 7 views

Elastic Stack 6.5.2 security update

Elasticsearch information disclosure (ESA-2018-19): Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a...

5.9 CVSS, 5.9 AI score, 0.01383 EPSS
Exploits 0

Hacker One
added 2016/05/05 12:20 p.m., 25 views

Internet Bug Bounty: User credentials leak and arbitrary local file read/leak due to same-origin-policy violation

Vulnerability details: A vulnerability exists in Flash Player that allows violating the same-origin-policy. An attacker can read sensitive local files and communicate with remote servers. As a result, this allows uploading the content of these local files to an...

6.4 AI score
Exploits 0