Lucene search
K

21 matches found

NVD
NVD
added 2026/06/13 3:16 a.m.10 views

CVE-2026-12089

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...

4.9CVSS0.00336EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/05/19 12:0 a.m.10 views

SUSE SLED15 / SLES15 Security Update : postgresql17 (SUSE-SU-2026:1943-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1943-1 advisory. This update for postgresql17 fixes the following issues Update to version 17.10. Security issues: -...

8.8CVSS6.1AI score0.00668EPSS
Exploits0References33
Github Security Blog
Github Security Blog
added 2026/05/11 1:59 p.m.13 views

PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

Summary The safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...

8.7CVSS6AI score0.00433EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/04/22 6:32 p.m.10 views

CVE-2026-41459

CVE-2026-41459 (Xerte Online Toolkits) affects versions 3.15 and earlier. An information disclosure vulnerability allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root by requesting the /setup page, where the exposed root_path value is rendered ...

6.9CVSS5.8AI score0.00801EPSS
Exploits1References6
EUVD
EUVD
added 2026/03/19 12:30 a.m.4 views

EUVD-2025-208848

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...

8.1CVSS6.3AI score0.00852EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/02/25 7:20 a.m.7 views

CVE-2025-11563

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

4.6CVSS5.3AI score0.00302EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/02/02 8:25 p.m.9 views

terraform-provider-proxmox has insecure sudo recommendation in the documentation

Note: It is uncertain whether this constitutes a vulnerability or should be filed as an issue instead. Summary In the SSH configuration documentation, the sudoer line that was suggested can be escalated to edit any files in the system. Details The following line were suggested for addition in the...

8.7CVSS5.6AI score0.00431EPSS
Exploits1References4Affected Software1
AlpineLinux
AlpineLinux
added 2026/01/08 6:34 p.m.2 views

CVE-2026-21860

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safejoin function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present...

6.3CVSS5.9AI score0.00424EPSS
Exploits0
OSV
OSV
added 2026/01/05 11:15 p.m.6 views

AZL-73503 CVE-2025-69226 affecting package python-aiohttp 3.6.2-3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...

6.3CVSS7AI score0.00313EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2025/11/18 3:30 p.m.12 views

Security Bulletin: IBM Integration Bus for z/OS is vulnerable to multiple vulnerabilities due to Apache Tomcat( CVE-2025-55752,CVE-2025-55754 & CVE-2025-61795)

Summary IBM Integration Bus for z/OS is vulnerable to multiple vulnerabilities due to Apache Tomcat. Vulnerability Details CVEID:CVE-2025-55752 DESCRIPTION: Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized...

9.6CVSS8AI score0.66535EPSS
Exploits4Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-19117

Malicious code in bioql PyPI...

8.7CVSS6.6AI score0.00414EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2018-0485

Malicious code in bioql PyPI...

7.5CVSS7.6AI score0.06559EPSS
Exploits0References10
IBM Security Bulletins
IBM Security Bulletins
added 2025/09/10 8:14 p.m.5 views

Security Bulletin: Vulnerabilities in tar-fs affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in tar-fs has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs...

8.7CVSS4.7AI score0.00474EPSS
Exploits0Affected Software1
Github Security Blog
Github Security Blog
added 2025/08/20 7:8 p.m.15 views

Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Summary A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents without changes being applied to the files' database-resident metadata and / or upload new files, with arbitrary content and extensions, which won't...

9.3CVSS7.6AI score0.00438EPSS
Exploits1References4Affected Software2
OSV
OSV
added 2025/08/11 1:53 p.m.2 views

BIT-LIBPHP-2021-21706 ZipArchive::extractTo may extract outside of destination dir

In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS...

6.5CVSS7.1AI score0.01337EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2025/06/16 12:0 a.m.4 views

TencentOS Server 4: rubygem-rack (TSSA-2025:0364)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0364 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

7.5CVSS7.5AI score0.01068EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2024-12088

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in rsync. When using the --safe-links option, the rsync client fails to properly verify if a symbolic link destination sent from the server...

7.5CVSS7.4AI score0.04575EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2024-47883

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the java.net.URL class to refer to...

9.1CVSS8.4AI score0.01602EPSS
Exploits1References3
OSV
OSV
added 2024/10/17 7:15 p.m.4 views

CVE-2024-10100

A path traversal vulnerability exists in binary-husky/gptacademic version 3.83. The vulnerability is due to improper handling of the file parameter, which is open to path traversal through URL encoding. This allows attackers to view any file on the host system, including sensitive files such as...

7.5CVSS6.7AI score
Exploits0References1
EUVD
EUVD
added 2024/08/09 6:12 p.m.6 views

EUVD-2024-2569

openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, CometVisu's file system endpoints don't require authentication and additionally the endpoint to update an existing file is susceptible to path traversal...

9.8CVSS7.3AI score0.01211EPSS
Exploits0References4
Rows per page
Query Builder