CVE-2026-13218

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causin...

GHSA-MWR2-WMGP-CRJ6 OpenBao's System Backend allows Unauthorized Management of the containing Namespace

Summary A user that is granted namespace management /sys/namespaces capabilities within a non-root namespace "the victim namespace" can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself. Details Several endpoints under...

CVE-2016-20087

Fortitude HTTP 1.0.4.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated privileges by exploiting the service binary path. Attackers can insert malicious executables in the system root path that execute with SYSTEM privileges during...

EUVD-2016-10907

AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during applicatio...

EUVD-2016-10905

NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2ServiceNetdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that will be executed during service startup or...

EUVD-2016-10900

Fortitude HTTP 1.0.4.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated privileges by exploiting the service binary path. Attackers can insert malicious executables in the system root path that execute with SYSTEM privileges during...

PT-2026-51110

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.5 Description Users granted namespace management capabilities within a non-root namespace can abuse the canonicalization of the literal path "root" to manage the containing namespace itself. Several endpoints unde...

PT-2026-50921

Name of the Vulnerable Software and Affected Versions Malwarebytes version 4.5 Description An unquoted service path issue exists in the MBAMService executable. This allows local attackers to escalate privileges by injecting malicious code into the system root path. Attackers can place executable...

GHSA-G8MR-85JM-7XHM Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE

Summary Vitest Browser Mode exposes a cdp API that forwards raw Chrome DevTools Protocol CDP methods over the Vitest browser WebSocket RPC. CDP is not gated by browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec. As a result, disabling Browser Mode write and exec...

EUVD-2026-35704

Hermes WebUI before version 0.51.269 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within remoteterminalworkspacecandidate...

CVE-2026-43998

A flaw was found in vm2 3.10.5. NodeVM require.root path checks use path.resolve without dereferencing symlinks, while Node require follows symlinks, allowing sandboxed code to load host modules outside the allowed root and achieve remote code execution. Fixed in 3.11.0...

CVE-2025-52608

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

EUVD-2025-210061

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

CVE-2025-52608

The CVE-2025-52608 entry concerns HCL iControl with Missing Cookie Attributes: cookies lack Secure and SameSite flags and have root path. Affected component is the web application’s session cookies; root path configuration and missing security attributes are cited as the underlying issue. The pro...

CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

HCL iControl 安全漏洞

HCL iControl is an IT infrastructure monitoring and automation platform developed by the Indian company HCL. HCL iControl has a security vulnerability, which stems from the lack of Cookie attributes, including Secure and SameSite, and the path is set to the root directory...

PT-2026-46184

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

RLSA-2026:19353 Important: opentelemetry-collector security update

Collector with the supported components for a Rocky Enterprise Software Foundation build of OpenTelemetry Security Fixes: net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to...

PT-2026-43449

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites and has a high real-world impact. ---- Introduction Arbitrary method call is a type of arbitrary code execution...