Lucene search
K

669 matches found

AlpineLinux
AlpineLinux
added 2026/04/23 8:26 p.m.11 views

CVE-2026-6940

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files...

7.1CVSS5.5AI score0.00218EPSS
Exploits1References3
CVE
CVE
added 2026/04/23 8:26 p.m.14 views

CVE-2026-6940

CVE-2026-6940 : radare2 versions before 6.1.4 contain a path traversal vulnerability in the project deletion feature. A local attacker can supply absolute paths that escape the dir.projects root to recursively delete arbitrary directories, by targeting project marker files outside the project sto...

7.1CVSS5.9AI score0.00218EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/22 6:31 p.m.11 views

GHSA-V762-X3CF-5MFG Duplicate Advisory: uutils coreutils has a Link Following Issue Via rm Utility

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7cr3-h577-g38j. This link is maintained to preserve external references. Original Description A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The...

6.7CVSS5.9AI score0.00184EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.11 views

uutils coreutils 路径遍历漏洞

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. uutils coreutils has a path traversal vulnerability. This vulnerability stems from the chmod utility, which allows users to bypass the --preserve-root security mechanism. As a result, it only verifies whether the...

7.3CVSS5.8AI score0.00175EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/21 12:0 a.m.4 views

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-010872)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010872 advisory. In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that SIFMT bits of...

5.6AI score0.00161EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.10 views

goshs 路径遍历漏洞

Goshs is a simple HTTP server developed by Patrick Hener using Go language. Versions of Goshs prior to 2.0.0-beta.6 contained a path traversal vulnerability. This vulnerability stemmed from the SFTP subsystem’s sanitizePath function, which used prefix-based path validation. As a result,...

8.8CVSS5.8AI score0.00439EPSS
Exploits1References1
OSV
OSV
added 2026/04/18 1:9 a.m.9 views

GHSA-XJVP-7243-RG9H Wish has SCP Path Traversal that allows arbitrary file read/write

Summary The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../...

9.6CVSS6.6AI score0.00393EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/18 12:0 a.m.20 views

PT-2026-37134

Name of the Vulnerable Software and Affected Versions Wish versions 2.0.0 through 2.0.0 Description The SCP middleware in charm.land/wish/v2 is subject to path traversal. A malicious SCP client can read and write arbitrary files, as well as create directories outside the configured root directory...

9.6CVSS5.9AI score0.00393EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/04/13 7:23 p.m.5 views

CVE-2026-40188

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4...

7.7CVSS5.8AI score0.00318EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/11 1:21 a.m.4 views

CVE-2026-39859

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile and parseFile, but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty...

7.5CVSS5.9AI score0.00447EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/10 9:10 p.m.5 views

Missing Write Protection for Parametric Data Values

Overview Affected versions of this package are vulnerable to Missing Write Protection for Parametric Data Values through improper sanitization of the destination path in the rename process. An attacker can overwrite files outside the intended root directory by supplying crafted destination paths...

7.7CVSS5.8AI score0.00318EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:10 p.m.4 views

Missing Write Protection for Parametric Data Values

Overview Affected versions of this package are vulnerable to Missing Write Protection for Parametric Data Values through improper sanitization of the destination path in the rename process. An attacker can overwrite files outside the intended root directory by supplying crafted destination paths...

7.7CVSS8.4AI score0.00318EPSS
Exploits1References2
NVD
NVD
added 2026/04/10 8:16 p.m.13 views

CVE-2026-40188

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4...

7.7CVSS0.00318EPSS
Exploits1References3
OSV
OSV
added 2026/04/10 8:0 p.m.3 views

GHSA-2943-CRP8-38XX goshs is Missing Write Protection for Parametric Data Values

Summary The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. Details Here is the issue: go // helper.go:155-215 func cmdFileroot string, r sftp.Request, ip string, sftpServer SFTPServer error fullPath...

7.7CVSS5.8AI score0.00318EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/10 8:0 p.m.7 views

goshs is Missing Write Protection for Parametric Data Values

Summary The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. Details Here is the issue: go // helper.go:155-215 func cmdFileroot string, r sftp.Request, ip string, sftpServer SFTPServer error fullPath...

7.7CVSS5.8AI score0.00318EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/10 7:43 p.m.5 views

CVE-2026-40188

goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4...

7.7CVSS5.8AI score0.00318EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.6 views

PT-2026-32038

Name of the Vulnerable Software and Affected Versions: goshs versions 1.0.7 through 2.0.0-beta.4 Description: goshs is a SimpleHTTPServer written in Go. The SFTP command rename sanitizes only the source path and not the destination, allowing a write outside of the root directory of the SFTP. This...

7.7CVSS6.4AI score0.00318EPSS
Exploits1References14
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.6 views

goshs 安全漏洞

Goshs is a simple HTTP server developed by Patrick Hener using Go language. Versions of Goshs from 1.0.7 to 2.0.0-beta.4 contained security vulnerabilities. These vulnerabilities stemmed from the SFTP command rename, which only cleaned up the source path but did not clean up the target path,...

7.7CVSS7.3AI score0.00318EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.11 views

Google Go 安全漏洞

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which arises when the target is replaced by a symbolic link during the Root.Chmod operation,...

6.4CVSS7.3AI score0.00292EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.9 views

liquidjs 路径遍历漏洞

LiquidJS is a simple, expressive, secure, and compatible JavaScript template engine developed by Jun Yang. Versions of LiquidJS prior to 10.25.3 had a path traversal vulnerability, which stemmed from the lack of enforcement of root directory restrictions, potentially allowing access to arbitrary...

7.5CVSS5.9AI score0.00447EPSS
Exploits0References2
Rows per page
Query Builder