640 matches found
Active Debug Code
Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...
Active Debug Code
Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...
Active Debug Code
Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...
CVE-2026-59092
JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the...
FreeBSD : rclone -- Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation (0f3342e3-73ba-11f1-910d-3c7c3fba4204)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 0f3342e3-73ba-11f1-910d-3c7c3fba4204 advisory. https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv reports: Rclone is a...
PYSEC-2026-427 Modular Max Serve has Unsafe Deserialization vulnerability
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code...
CVE-2026-49980
A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the rcd --rc-serve option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows f...
CVE-2026-49980
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...
CVE-2026-49980 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...
CVE-2026-49980
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...
CVE-2026-49980 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...
rclone -- Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation
https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv reports: Rclone is a command-line program to sync files and directories to and from different cloud storage providers.From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of...
CVE-2026-55447
Langflow’s BaseFileComponent family (including Read File, DoclingInlineComponent, DoclingServe, DoclingRemoteComponent, NvidiaIngestComponent, VideoFileComponent, UnstructuredComponent) is affected by CVE-2026-55447. The underlying issue is in base_file.py: _unpack_bundle TAR extraction does not ...
CVE-2026-54286
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...
CVE-2026-54286
CVE-2026-54286 concerns Hono’s path traversal in the Windows environment via encoded backslash (%5C) in the request path. A prior issue (pre-4.12.25) causes %5C to decode to a backslash, which Windows path resolution treats as a separator, allowing a crafted URL segment (e.g., admin\secret.txt) t...
Rclone 1.46.x < 1.74.3 Unauthenticated Command Execution
The version of Rclone installed on the remote host is 1.46.x prior to 1.74.3. It is, therefore, affected by an unauthenticated command execution vulnerability: - rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form /remote:path/object. The remote value is parse...
GHSA-QW24-GH76-8RVV Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Summary rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: text /remote:path/object The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during...
NPM: hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
NPM: hono: Path traversal in serve-static on Windows via encoded backslash %5C vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...
Directory Traversal
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serve-static method on Windows hosts when an encoded backslash %5C in the request path is decoded to , which is treated as a separator by the Windows path...
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Summary On Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static file...