72 matches found
aiohttp - Directory Traversal
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...
CVE-2026-42598
CVE-2026-42598 affects Pode, a cross‑platform PowerShell web framework. From version 2.4.0 up to, but not including, 2.13.0, the Static Route content fetch could be abused to perform a directory traversal (e.g., requesting http://localhost:8080/c:/Windows/System32/drivers/etc/hosts) and return lo...
CVE-2026-42598 Pode: Directory Traversal is possible on Static Routes
Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible to request paths such as http://localhost:8080/c:/Windows/System32/drivers/etc/hosts and have the...
CVE-2026-42598 Pode: Directory Traversal is possible on Static Routes
Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible to request paths such as http://localhost:8080/c:/Windows/System32/drivers/etc/hosts and have the...
PT-2026-41011
Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible to request paths such as http://localhost:8080/c:/Windows/System32/drivers/etc/hosts and have the...
CVE-2026-34523
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in the static file route handler allows any unauthenticate...
GHSA-525J-2HRJ-M8FP SillyTavern: Path Traversal allows file existence oracle
Summary A path traversal vulnerability in the static file route handler allows any unauthenticated user to determine whether files exist anywhere on the server's filesystem. By sending percent-encoded ../ sequences %2E%2E%2F in requests to static file routes, an attacker can check for the existen...
SillyTavern: Path Traversal allows file existence oracle
Summary A path traversal vulnerability in the static file route handler allows any unauthenticated user to determine whether files exist anywhere on the server's filesystem. By sending percent-encoded ../ sequences %2E%2E%2F in requests to static file routes, an attacker can check for the existen...
CVE-2026-23494
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
GHSA-M3R2-724C-PWGF Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
Summary The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details lik...
Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
Summary The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details lik...
Insufficient Granularity of Access Control
Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the API endpoint responsible for reading or listing static routes. An attacker can access sensitive route...
CVE-2026-23494
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
CVE-2026-23494
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
CVE-2026-23494 Pimcore is Missing Function Level Authorization on "Static Routes" Listing
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
CVE-2026-23494 Pimcore is Missing Function Level Authorization on "Static Routes" Listing
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
CVE-2026-23494
Pimcore is vulnerable to insufficient function-level access control on the API that lists static routes. Prior to versions 12.3.1 and 11.5.14, an authenticated backend user lacking explicit permissions could call the endpoint (e.g., GET /api/static-routes) and retrieve internal static-route confi...
CVE-2026-23494 Pimcore is Missing Function Level Authorization on "Static Routes" Listing
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
EUVD-2026-2728
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
PT-2026-3077
Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 12.3.1 Pimcore versions prior to 11.5.14 Description The application does not properly enforce server-side authorization checks on the API endpoint responsible for reading or listing static routes. Static routes are...