
28533 matches found

CVE
added 2026/05/13 7:22 p.m. (14 views)

CVE-2026-42549

CVE-2026-42549 affects Flight PHP core prior to 3.18.1. The make:controller CLI calls mkdir(..., recursive: true) on a user-supplied controller path before Nette class-name validation, allowing creation of directories outside the project root via ../ traversal. The directory creation side effect ...

CVSS 4.4, AI score 5.8, EPSS 0.00009
Exploits 0, References 1

Vulnrichment
added 2026/05/13 7:22 p.m. (7 views)

CVE-2026-42549 Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name...

CVSS 4.4, AI score 5.8, EPSS 0.00009
Exploits 0, References 1

OSV
added 2026/05/13 5:55 p.m. (0 views)

OPENSUSE-SU-2026:20723-1 Security update for kdenlive

This update for kdenlive fixes the following issues: Changes in kdenlive: - CVE-2026-45184: Fixed a remote code execution through opening a malicious project file (boo#1264711)...

CVSS 6.5, AI score 6.4, EPSS 0.00005
Exploits 0, References 2

RedhatCVE
added 2026/05/13 2:22 p.m. (4 views)

CVE-2026-31225

The superduper project through v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The parseoppart function in query.py uses the unsafe eval function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although...

CVSS 8.8, AI score 6.5, EPSS 0.00214
Exploits 0, References 1

OSSF Malicious Packages
added 2026/05/13 11:51 a.m. (6 views)

Malicious code in web3-common (npm)

Source: ossf-package-analysis (2e42f568897d9af194eb75275059455c99b369456b0c8e0ffe13e7f32be839e6). The OpenSSF Package Analysis project identified 'web3-common' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package execut...

AI score 5.8
Exploits 0

GithubExploit
added 2026/05/13 4:34 a.m. (52 views)

DVWA-Web-Vulnerability-Project

...

AI score 5.8
Exploits 0

EUVD
added 2026/05/13 12:48 a.m. (6 views)

EUVD-2026-29831

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups...

CVSS 7, AI score 5.8, EPSS 0.00028
Exploits 0, References 3

CNNVD
added 2026/05/13 12:0 a.m. (4 views)

ArduPilot Project security vulnerability

The ArduPilot Project is an open-source autopilot software developed by ArduPilot, supporting control of various unmanned vehicles. The ArduPilot Project has security vulnerabilities, which stem from buffer overflows in the APInertialSensorADIS1647x.cpp and ArduRover, as well as the ADIS1647x...

CVSS 6.2, AI score 5.9, EPSS 0.00017
Exploits 0, References 2

CNNVD
added 2026/05/13 12:0 a.m. (5 views)

ArduPilot Project security vulnerability

The ArduPilot Project is an open-source autopilot software developed by ArduPilot, supporting control of various unmanned vehicles. The ArduPilot Project has security vulnerabilities, which stem from buffer overflows in components such as APSmartAudio::loop, APSmartAudio, and APSmartAudio.cpp...

CVSS 6.2, AI score 5.9, EPSS 0.00017
Exploits 0, References 2

CNNVD
added 2026/05/13 12:0 a.m. (6 views)

Flight path traversal vulnerability

Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained a path traversal vulnerability. This vulnerability stemmed from the make:controller CLI command, which created directories based on the controller names provided by users before class name validatio...

CVSS 4.4, AI score 5.8, EPSS 0.00009
Exploits 0, References 1

CNNVD
added 2026/05/13 12:0 a.m. (5 views)

ArduPilot Project buffer error vulnerability

The ArduPilot Project is an open-source autopilot software developed by ArduPilot, supporting control of various unmanned vehicles. The ArduPilot Project has a buffer overflow vulnerability, which stems from buffer overflows in the APMSP::loop, APMSP, and APMSP.cpp components. This vulnerability...

CVSS 5.5, AI score 6, EPSS 0.00014
Exploits 0, References 1

Tenable Nessus
added 2026/05/13 12:0 a.m. (4 views)

Linux Distros Unpatched Vulnerability : CVE-2026-44301

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo...

CVSS 8.6, AI score 5.5, EPSS 0.00044
Exploits 0, References 3

FreeBSD
added 2026/05/13 12:0 a.m. (13 views)

Gitlab -- vulnerabilities

Gitlab reports: Cross-site Scripting issue in Analytics dashboard chart rendering impacts GitLab EE; Cross-site Scripting issue in global search impacts GitLab CE/EE; Cross-site Scripting issue in Duo Agent output rendering impacts GitLab EE; Cross-site Scripting issue in Analytics Dashboard impacts...

CVSS 8.7, AI score 5.9, EPSS 0.00064
Exploits 0, References 1

NVD
added 2026/05/12 10:16 p.m. (4 views)

CVE-2026-35555

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups...

CVSS 7, EPSS 0.00028
Exploits 0, References 2

Debian CVE
added 2026/05/12 9:37 p.m. (6 views)

CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

CVSS 8.6, AI score 5.8, EPSS 0.00044
Exploits 0

ATTACKERKB
added 2026/05/12 9:37 p.m. (4 views)

CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

CVSS 8.6, AI score 5.8, EPSS 0.00044
Exploits 0, References 2, Affected Software 1

AlpineLinux
added 2026/05/12 9:37 p.m. (7 views)

CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

CVSS 8.6, AI score 5.8, EPSS 0.00044
Exploits 0, References 1

CVE
added 2026/05/12 9:37 p.m. (26 views)

CVE-2026-44301

Hugo (static site generator) versions 0.43 through 0.160.x are vulnerable when building a site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS). The vulnerability arises because Hugo invoked the configured Node tools without restrictions on file system access, potentially allowi...

CVSS 8.6, AI score 5.8, EPSS 0.00044
Exploits 0, References 1, Affected Software 1

Vulnrichment
added 2026/05/12 9:37 p.m. (5 views)

CVE-2026-44301 Hugo: Node tool execution allows file system access outside the project directory

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

CVSS 8.6, AI score 5.8, EPSS 0.00044
Exploits 0, References 1

CVE
added 2026/05/12 8:56 p.m. (26 views)

CVE-2026-44262

CVE-2026-44262 affects dedoc/scramble (Laravel API documentation generator) versions 0.13.2–0.13.21. The vulnerability arises when publicly accessible docs endpoints evaluate user-controlled input via NodeRulesEvaluator::doEvaluateExpression(), which may evaluate request data and execute arbitrar...

CVSS 9.4, AI score 6.1, EPSS 0.08605
Exploits 2, References 2