CVE-2026-53825

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...

EUVD-2026-30478

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account...

CVE-2026-7551 HKUDS OpenHarness Remote Command Execution via /bridge Slash Command

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded...

CVE-2026-34428 Vvveb < 1.0.8.1 SSRF via oEmbedProxy

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read...

External Control of File Name or Path

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to External Control of File Name or Path via the chunkFile parameter in the aVideoEncoder.json.php endpoint. An attacker can access arbitrary local files by specifyin...

EUVD-2026-11152

OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...

GHSA-RW8P-C6HF-Q3PG PinchTab has SSRF with Full Response Exfiltration via Download Handler

SSRF with Full Response Exfiltration via Download Handler Summary A Server-Side Request Forgery SSRF vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files...

Autodesk Fusion security vulnerabilities

Autodesk Fusion is a data management software platform developed by Autodesk, Inc. in the United States. There is a security vulnerability in Autodesk Fusion, which stems from the malicious HTML payload stored in the design name. This vulnerability may lead to storage-side cross-site scripting...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through Kyuubi frontend protocols. An attacker can obtain server credentials, including keytabs, and impersonate other users by accessing local files outside the configured kyuubi.session.local.dir.allow.list. The...

Apache Kyuubi 安全漏洞

Apache Kyuubi is a distributed SQL gateway from the Apache Foundation. Apache Kyuubi suffers from a directory traversal vulnerability that originates from a client-side bypass of server-side configuration, which can be exploited by an attacker to cause access to unauthorized local files...

XML External Entity (XXE) Injection

Jenkins TestComplete support Plugin is vulnerable to XML External Entity XXE Injection. The vulnerability is due to the XML parser not being securely configured to disable external entity processing, allowing attackers to supply crafted XML that can access local files or trigger external network...

Mozilla Firefox < 68.10.1

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 68.10.1. It is, therefore, affected by a vulnerability as referenced in the mfsa2020-27 advisory. - A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote...

EUVD-2020-27955

Malware in sbrugna...

EUVD-2008-4582

Malware in sbrugna...

EUVD-2010-0644

Malware in sbrugna...

EUVD-2023-33631

Malicious code in bioql PyPI...

CVE-2023-2316

Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious...

CVE-2020-14160

An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources...

CVE-2025-1781

There is a XXE in W3CSS Validator versions before cssval-20250226 that allows an attacker to use specially-crafted XML objects to coerce server-side request forgery SSRF. This could be exploited to read arbitrary local files if an attacker has access to exception messages...

Uptime Kuma 路径遍历漏洞

Uptime Kuma is an easy-to-use, self-hosted monitoring tool from the individual developer Louis Lam. A path traversal vulnerability exists in Uptime Kuma versions 1.23.0 through 1.23.15 and 2.0.0-beta.0, which stems from a lack of server-side validation and cleanup stemming from a URL field in the...