EUVD-2026-39536

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path an...

CVE-2026-50016

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

EUVD-2026-39494

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

CVE-2026-50016 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

CVE-2026-50016

pnpm (the package manager) is affected by CVE-2026-50016. Before versions 10.34.0 and 11.4.0, a transitive dependency alias from registry metadata could include path traversal segments. During install, pnpm may treat that alias as a filesystem path when linking dependency nodes, allowing a regist...

CVE-2026-53765

Chrome DevTools for agents chrome-devtools-mcp lets your coding agent control and inspect a live Chrome browser. From 0.20.0 until 1.1.0, The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync to a deterministic runtime path. On typical macOS environments, and on Linux sessions...

CVE-2026-53765

CVE-2026-53765 / GHSA-3PVJ-JV98-QHJQ affects chrome-devtools-mcp (Chrome DevTools for agents). The vulnerability occurs when the daemon writes its PID file to a deterministic runtime path under /tmp on POSIX systems (macOS or Linux with XDG_RUNTIME_DIR unset). The code uses fs.writeFileSync() wit...

Symlink Attack

Overview py7zr is a Pure python 7-zip library Affected versions of this package are vulnerable to Symlink Attack in the extractall method. An attacker can overwrite arbitrary files on the host system by crafting malicious archives containing symbolic link chains that escape the intended extractio...

CVE-2026-12567 Symlink-following arbitrary write via github_workflows module

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory

Summary The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDGRUNTIMEDIR is unset, that runtime path falls back to /tmp/chrome-devtools-mcp-/daemon.pid. Because the write does not us...

Symlink Attack

Overview chrome-devtools-mcp is a MCP server for Chrome DevTools Affected versions of this package are vulnerable to Symlink Attack in the fs.writeFileSync process when writing the PID file to a runtime directory under /tmp if $XDGRUNTIMEDIR is unset. An attacker can overwrite or truncate arbitra...

PT-2026-50562

Name of the Vulnerable Software and Affected Versions github workflows affected versions not specified Description The github workflows module constructs local directory paths using repository names provided by the user without validating for symlinks. A local attacker with access to the scan...

Symlink Attack

Overview langchain-anthropic is an Integration package connecting Claude Anthropic APIs and LangChain Affected versions of this package are vulnerable to Symlink Attack via the file-search middleware and loaders that resolve filesystem paths and search patterns without confining the resolved path...

Security update for python-python-dotenv (moderate)

openSUSE security update: security update for python-python-dotenv ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20952-1 Rating: moderate References: bsc1262423 Cross-References: CVE-2026-28684 CVSS scores: CVE-2026-28684 SUSE : 6.6...

Linux Distros Unpatched Vulnerability : CVE-2026-54230

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirection...

CVE-2026-54056

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitiv...

DEBIAN-CVE-2026-54056

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitiv...

DEBIAN-CVE-2026-54055

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU...

CVE-2026-54056 Kitty has an arbitrary file overwrite via symlink following in `kitten dnd` remote drop staging

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitiv...

CVE-2026-41001

CVE-2026-41001 affects Spring Boot’s ArtemisEmbeddedConfigurationFactory, which uses a fixed, static path for the embedded Artemis broker data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before appli...