26 matches found
CVE-2025-55988
An issue in the component /Controllers/RestController.php of DreamFactory Core v1.0.3 allows attackers to execute a directory traversal via an unsanitized URI path...
Security update for tomcat
This update for tomcat fixes the following issues: Updated to 9.0.108: CVE-2025-52520: Fixed an integer overflow that can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388). CVE-2025-53506: Fixed an uncontrolled resource consumption vulnerability triggered by HTTP/2 clients (bsc#1246318)...
BIT-LIBPYTHON-2021-28861
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple / at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states...
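Added example (not CPython's code and not part of the original listing) of the mechanism the entry above describes: a simple file server redirects a directory request by appending "/" to the path taken from the request line, and a request line beginning with "//" turns that Location header into a scheme-relative URL pointing at another host. The hardened step collapses leading slashes before the path reaches the redirect logic. The host name evil.example and the function names are constructed for the demonstration.

```python
"""Model of http.server's trailing-slash directory redirect and the
leading-slash open-redirect problem. Added example; not CPython source."""
from urllib.parse import urlsplit, urlunsplit


def directory_redirect_location(request_path: str) -> str:
    """Vulnerable pattern: build Location = path + '/' directly from the
    request-line path, with no protection against a leading '//'."""
    parts = urlsplit(request_path)
    if parts.path.endswith("/"):
        return request_path  # already a directory URL; no redirect in this model
    new_parts = (parts.scheme, parts.netloc, parts.path + "/", parts.query, parts.fragment)
    # For '//evil.example' urlsplit yields netloc='evil.example', path='',
    # so the rebuilt value is '//evil.example/': a scheme-relative absolute URL.
    return urlunsplit(new_parts)


def collapse_leading_slashes(request_path: str) -> str:
    """Hardened step: reduce any run of leading slashes to a single '/'.
    HTTP clients treat '//host/...' as an absolute URL without a scheme,
    so a path starting with '//' must never be echoed into Location."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def safe_directory_redirect_location(request_path: str) -> str:
    """Same redirect, applied after the request path has been normalized."""
    return directory_redirect_location(collapse_leading_slashes(request_path))


def is_same_origin_location(location: str) -> bool:
    """True when a Location value is a bare path (no scheme, no authority),
    i.e. the browser will resolve it against the server that sent it."""
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    attack = "//evil.example"  # constructed attacker-controlled request path
    print("vulnerable Location:", directory_redirect_location(attack))
    print("hardened  Location:", safe_directory_redirect_location(attack))
```

The check worth keeping from this is the last function: whatever server you are reviewing, any redirect built from a client-supplied path should be verified to have an empty scheme and netloc after parsing, because "//" is enough to escape the origin even when no scheme is present.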
Authentication Bypass
Apache Tomcat is vulnerable to Authentication Bypass. The vulnerability is due to improper handling of resource mounting paths PreResources or PostResources in Apache Tomcat, which allows access to resources via alternate, unprotected paths...
VulnCheck KEV: CVE-2025-34036
An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When...
SUSE CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by th...
The vulnerability in the function PLT_FileMediaServerDelegate::ExtractResourcePath() of the file PltHttpServer.cpp in the software development library Platinum UPnP SDK allows a malicious actor to gain unauthorized access to protected information.
The vulnerability in the PLTFileMediaServerDelegate::ExtractResourcePath function in the pltHttpServer.cpp file of the software development library Platinum UPnP SDK stems from improper limitation of a pathname to a restricted directory. Exploiting this vulnerability coul...
CVE-2024-13158
CVE-2024-13158 affects Ivanti Endpoint Manager (EPM) 2024 and 2022 SU6 prior to the January 2025 security updates, caused by an unbounded resource search path. This allows a remote authenticated attacker with admin privileges to achieve remote code execution. Affected versions include EPM 2024 an...
GPT Academic path traversal vulnerability (CNVD-2025-22744)
GPT Academic is an interface that provides practical interactions with large language models (LLMs) such as GPT/GLM. GPT Academic suffers from a path traversal vulnerability that stems from the program failing to properly filter special elements in the path of a resource or file. An attacker could...
OpenRapid RapidCMS security vulnerability
OpenRapid RapidCMS is an open-source, fast and easy-to-use CMS system from OpenRapid. A security vulnerability exists in OpenRapid RapidCMS v1.3.1, which originates from a SQL injection vulnerability via the password parameter on /resource/runlogin.php...
Improper Input Validation
Overview: Affected versions of this package are vulnerable to Improper Input Validation via the resource file handling mechanism. An attacker can use the resource API to access and modify all files on the machine, even if they are not under the resource path. Remediation: Upgrade...
CVE-2024-31916
IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-Force ID: 290026...
The vulnerability in the Dr.Web Anti-Rootkit API in software environments arises from the use of a fixed or uncontrolled search path for resources, which allows attackers to execute arbitrary code.
The vulnerability in the Dr.Web Anti-Rootkit API in software environments lies in the use of a fixed or uncontrolled search path for resources. Exploiting this vulnerability allows an attacker to execute arbitrary code...
PT-2024-1051 · Apktool
Name of the Vulnerable Software and Affected Versions: Apktool versions 2.9.1 and prior. Description: The issue is related to improper limitation of a pathname to a restricted directory. An attacker can exploit this to write or overwrite arbitrary data. Apktool infers resource files' outp...
OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6,...
OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploi...
GHSA-HHQ3-FF78-JV3G loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or ta...
UBUNTU-CVE-2022-37599
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js...
GHSA-GJFX-9WX3-J6R7 Apache MyFaces Vulnerable to Path Traversal
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to...
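Added example (not Apache MyFaces code and not part of the original listing) of the traversal pattern shared by the MyFaces, GPT Academic and Apktool entries on this page: a request-controlled resource name is joined onto a resource root, and a ".." segment walks out of that root. The vulnerable join is shown beside a containment check that percent-decodes once, normalizes, and then requires the result to be the root itself or a descendant of it (with the separator included in the prefix test, so a sibling directory whose name merely begins with the root's name is also rejected). The root /app/webroot/resources and the request values are constructed for the demonstration.

```python
"""Path-containment check for a resource root. Added example; the root,
request values and function names are constructed, not taken from any project."""
import posixpath
from typing import Optional
from urllib.parse import unquote


def naive_resource_path(root: str, name: str) -> str:
    """Vulnerable pattern: join the request-controlled name onto the root and
    normalize, with no check that the result is still under the root.
    '../../WEB-INF/web.xml' resolves to a file outside the resource tree."""
    return posixpath.normpath(posixpath.join(root, name))


def resolve_resource_path(root: str, name: str) -> Optional[str]:
    """Hardened lookup: returns the normalized path if it stays inside root,
    otherwise None. Steps:
      1. percent-decode exactly once, so '%2e%2e' is seen as '..'
      2. join and normalize to collapse '.', '..' and duplicate slashes
      3. require the result to equal root or start with root + '/'
    An absolute name ('/etc/passwd') replaces the root during join and is
    rejected by step 3 for the same reason a '..' escape is."""
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, unquote(name)))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


if __name__ == "__main__":
    root = "/app/webroot/resources"  # constructed resource root
    for requested in ("css/site.css", "../../WEB-INF/web.xml",
                      "%2e%2e/%2e%2e/WEB-INF/web.xml", "/etc/passwd"):
        print(f"{requested!r:40} naive={naive_resource_path(root, requested)!r:32} "
              f"checked={resolve_resource_path(root, requested)!r}")
```

The prefix test is the part most often done wrong: comparing against root without the trailing separator would accept /app/webroot/resources2/... as inside /app/webroot/resources. On a real filesystem the same check should be run on the realpath of both sides so that symlinks under the root cannot point back outside it.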
Atlassian Jira authorization issue vulnerability
Atlassian Jira is a defect tracking management system from Atlassian Australia. The system is mainly used to track and manage various types of issues and defects in the workplace. An authorization issue vulnerability exists in Atlassian Jira Server and Data Center, which stems from the product's...