Gradio - Absolute Path Traversal

Gradio 6.7 on Windows with Python 3.13+ contains an absolute path traversal caused by incorrect path validation in path joining logic, letting unauthenticated attackers read arbitrary files from the server. id: CVE-2026-28414 info: name: Gradio - Absolute Path Traversal author: 0xAkoko severity:...

CVE-2026-49144 BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside...

CVE-2026-49144

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside...

VulnCheck KEV: CVE-2026-28414

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ change...

SUSE CVE-2026-49128

Music Player Daemon MPD before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without...

RLSA-2026:19568 Important: kernel security update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: net/sched: Make cakeenqueue return NETXMITCN when past bufferlimit CVE-2025-39766 kernel: scsi: qla2xxx: Fix improper freeing of purex item CVE-2025-68741 kernel: libceph: make decodepool...

CVE-2025-13167

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors...

CVE-2025-10466

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct...

Synology Active Backup for Business SQL注入漏洞

Synology Active Backup for Business is an enterprise data backup and recovery management platform provided by the Chinese company Synology. Synology Active Backup for Business has a SQL injection vulnerability, which allows unauthorized remote attackers to read arbitrary files...

dalfox 安全漏洞

Dalfox is an automated cross-site script scanning tool developed by HAHWUL. Versions of Dalfox prior to 2.13.0 contained security vulnerabilities. These vulnerabilities stemmed from the REST API server mode, where the custom-payload-file field directly deserialized from the attacker’s request bod...

PT-2026-43584

Name of the Vulnerable Software and Affected Versions Synology Contacts versions prior to 1.0.10-20659 Description Improper neutralization of input during web page generation leads to a Cross-site Scripting XSS issue in the contact functionality. This allows remote authenticated users to read or...

CVE-2026-7766

CVE-2026-7766 affects Kenik Camera management Panel with a Path Traversal vulnerability. An unauthenticated attacker can issue a GET request with an arbitrary file path and read files on the server. The issue is fixed in version 2026-04-23 for KG-5260xxxx-IL-(G)2 cameras; other products were fixe...

Linux Distros Unpatched Vulnerability : CVE-2026-33380

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the...

Astra Linux - уязвимость в linux, linux-5.10

The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling ‘file’ pointer...

Astra Linux - уязвимость в thunderbird, firefox

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Thunderbird for Linux. Other operating systems are unaffected.. This vulnerability affects Firefox 108, Firefox ESR 102.6, and...

Astra Linux - уязвимость в python-django

Django versions prior to 2.2.24, 3.x prior to 3.1.12, and 3.2.x prior to 3.2.4 have a potential issue with directory traversal through django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if and only if the default...

CVE-2018-25326 Google Drive for WordPress 2.2 Path Traversal RCE via gdrive-ajaxs.php

Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the filename parameter. Attackers can send POST requests to gdrive-ajaxs.php with the ajaxstype parameter set to...

CVE-2021-47978 ProcessMaker 3.5.4 Local File Inclusion via Path Traversal

ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without...

CVE-2020-37246

The CVE affects the WordPress plugin Supsystic Backup 2.3.9 . A local file inclusion (LFI) flaw arises from manipulating the download parameter in admin.php with directory traversal sequences, enabling unauthenticated attackers to read arbitrary files (e.g., /etc/passwd) and to delete files via t...

EUVD-2020-31246

Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access...