144 matches found
MAL-2026-10214 Malicious code in babel-preset-lib-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4 index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP via...
DEBIAN-CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
EUVD-2026-42138
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...
CVE-2026-34153 Coolify LocalFileVolume fs_path command injection enables RCE
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fspath and parentdir values before validation, and submitFileStorage does not validate the...
CVE-2026-34153
CVE-2026-34153 affects Coolify before 4.0.0-beta.471, where LocalFileVolume::saveStorageOnServer builds shell commands from unescaped fs_path and parent_dir values prior to validation, and submitFileStorage does not validate the user-controlled file-mount path before creating a volume. An authent...
CVE-2026-53244
A flaw was found in the Linux kernel's Network File System Daemon NFSD component. When NFSD exports a filesystem utilizing atomiccreate, an error during atomiccreate processing can result in nfsd4createfile failing to unlock the parent directory. This resource management issue may lead to resourc...
GHSA-JC3J-X6PG-4HMV Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
Summary When algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join wit...
CVE-2026-48126
Algernon, a small self-contained pure-Go web server, is vulnerable prior to version 1.17.8 when started with --domain (or --letsencrypt). The request handler resolves the served directory by joining the configured --dir with the client-supplied Host header using filepath.Join without validation, ...
CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...
CVE-2026-48126 Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...
PT-2026-43308
Name of the Vulnerable Software and Affected Versions Algernon versions prior to 1.17.8 Description When started with the --domain flag or the --letsencrypt flag which enables --domain automatically, the request handler resolves the served directory by joining the configured --dir with the value ...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: libcap (UTSA-2026-016785)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016785 advisory. A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use TOCTOU race condition in the capsetfile function. This allows an...
MGASA-2026-0116 Updated opam packages fix security vulnerability
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. CVE-2026-41082...
Updated opam packages fix security vulnerability
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. CVE-2026-41082...
CVE-2026-31706
A flaw was found in ksmbd, a Linux kernel module that provides an in-kernel SMB server. An authenticated client can exploit this vulnerability by manipulating the numaces value within the parent directory's security.NTACL extended attribute. This manipulation causes ksmbd to attempt an excessivel...