539 matches found
CVE-2026-28442
ZimaOS 1.5.2-beta3 (a CasaOS fork) exposes an improper input validation and broken access control in filesystem operations. By altering the path parameter in the delete API, restricted system files/directories can be removed, bypassing UI protections. Backend lacks validation to ensure the path i...
CVE-2026-28442 ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
CVE-2026-22416 WordPress FixTeam theme <= 1.5.0 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes FixTeam fixteam allows PHP Local File Inclusion.This issue affects FixTeam: from n/a through = 1.5.0...
PT-2026-23517
Name of the Vulnerable Software and Affected Versions ZimaOS version 1.5.2-beta3 Description ZimaOS, a fork of CasaOS, exhibits a security issue where restrictions on deleting internal system files and folders can be bypassed through manipulation of the API. Specifically, altering the path...
OpenClaw 代码问题漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.14 had code vulnerabilities related to command hijacking. Attackers could execute unintended binary files by manipulating the PATH environment variable, potentially leading to arbitrary command...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the tools.exec.safeBins process. An attacker can execute unauthorized binaries by manipulating the process PATH environment to introduce trojan executables wit...
Untrusted Search Path
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Untrusted Search Path via the system.run execution. An attacker can execute an unintended or malicious executable by altering the PATH resolution after approval, causing a different binar...
CVE-2025-11563
A flaw was found in wcurl. This vulnerability allows a remote attacker to manipulate the location where output files are saved. By crafting a malicious URL with percent-encoded slashes, the attacker can trick the wcurl command-line tool into writing files outside of the intended directory. This...
CVE-2026-2985
A security flaw has been discovered in Tiandy Video Surveillance System 视频监控平台 7.17.0. This impacts the function downloadImage of the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java. Performing a manipulation of the argument urlPath results in server-side request forgery. The attack is possible...
CVE-2026-2985
A security flaw has been discovered in Tiandy Video Surveillance System 视频监控平台 7.17.0. This impacts the function downloadImage of the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java. Performing a manipulation of the argument urlPath results in server-side request forgery. The attack is possible...
CVE-2026-2976
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...
CVE-2026-2976 FastApiAdmin Download Endpoint controller.py download_controller information disclosure
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...
CVE-2026-2976
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...
CVE-2026-2976 FastApiAdmin Download Endpoint controller.py download_controller information disclosure
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...
CVE-2026-2976
CVE-2026-2976 affects FastApiAdmin up to 2.2.0. The vulnerability resides in the Download Endpoint, specifically the download_controller in /backend/app/api/v1/module_common/file/controller.py, where manipulation of the file_path argument leads to information disclosure. The issue can be triggere...
PT-2026-21514
A security flaw has been discovered in Tiandy Video Surveillance System 视频监控平台 7.17.0. This impacts the function downloadImage of the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java. Performing a manipulation of the argument urlPath results in server-side request forgery. The attack is possible...
PT-2026-21501
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download controller of the file /backend/app/api/v1/module common/file/controller.py of the component Download Endpoint. This manipulation of the argument file path causes information disclosure. It...
CVE-2026-26098
Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request...
CVE-2026-26098
The CVE-2026-26098 entry concerns Owl opds version 2.2.0.4 and is caused by an Uncontrolled Search Path Element. The issue permits manipulation of configuration file search paths via a crafted network request, indicating local attack vector with high impact on confidentiality and integrity, and h...
PT-2026-21264
Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request...