1629 matches found
DEBIAN-CVE-2026-54572
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...
CVE-2026-54572
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink...
CVE-2026-39246
A flaw was found in the decompress package for Node.js. The package creates symlinks from archive entries during extraction without validating the link target against the output directory, because the existing containment check only applies to regular file entries. An attacker who can supply a...
CVE-2026-14361
The CVE-2026-14361 issue affects consul-template prior to 0.42.1, where the writeToFile helper opens the destination path directly and follows links in the path. This can allow template output to be written outside the intended directory or overwrite an existing file. The root cause is path redir...
PYSEC-2026-1568 LlamaIndex is vulnerable to Path Traversal attack through its ObsidianReader class
A vulnerability in the ObsidianReader class in LlamaIndex Readers Integration: Obsidian before version 0.5.1 from the run-llama/llamaindex repository versions 0.12.23 to 0.12.28 allows for arbitrary file read through symbolic links. The ObsidianReader fails to resolve symlinks to their real paths...
Decompress: Archive extraction can create files and links outside of the target directory
Impact When extracting an archive to a directory, a crafted archive can read or write files outside that directory. The flaw is in the code that writes the parsed entries, so it affects every format decompress handles: tar, tar.gz, tar.bz2, and zip by default, plus any others added through the...
GHSA-MP2F-45PM-3CG9 Decompress: Archive extraction can create files and links outside of the target directory
Impact When extracting an archive to a directory, a crafted archive can read or write files outside that directory. The flaw is in the code that writes the parsed entries, so it affects every format decompress handles: tar, tar.gz, tar.bz2, and zip by default, plus any others added through the...
CVE-2026-58403
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile...
CVE-2026-59195 pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
EUVD-2026-41878
pydantic-settings provides settings management using Pydantic. From 2.12.0 until 2.14.2, NestedSecretsSettingsSource reads secret values from files in a configured secretsdir. When secretsnestedsubdir=True, a directory entry inside secretsdir that is a symbolic link pointing outside secretsdir is...
CVE-2026-50016
A flaw was found in pnpm, a package manager. This vulnerability allows a malicious registry package to include specially crafted dependency aliases that contain path traversal segments. During the installation process, pnpm incorrectly processes these aliases, which can lead to the replacement of...
USN-8510-1: tar vulnerability
It was discovered that tar incorrectly handled symlinks when extracting archives. An attacker could possibly use this issue to overwrite arbitrary files...
flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options
A flaw was found in Flatpak, a Linux application sandboxing and distribution framework. A malicious application could exploit this by using specially crafted symlinks within the sandbox-expose options of the Flatpak portal. This allows the application to access arbitrary host files and potentiall...
PT-2026-55947
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.4 pnpm versions prior to 11.8.0 Description pnpm accepts package names from the configDependencies section of the env lockfile and uses them directly when creating config dependency symlinks under node...
perl-Archive-Tar security update
An update is available for perl-Archive-Tar. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Archive::Tar provides an object oriented mechanism for handling tar...
RLSA-2026:30857 Important: perl-Archive-Tar security update
Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support...
CVE-2026-25718
Gitea prior to version 1.25.5 is affected by a symlink-based path resolution issue during template repository generation, allowing template processing to read or write via symlinked/non-regular paths. The vulnerability affects Gitea core components used for template repository generation (e.g., m...
CVE-2026-25718 Gitea template repository generation mishandles symlinked paths
Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths...
PT-2026-55594
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description Improper path resolution occurs during the generation of template repositories. This allows template processing to read or write data through symlinks or other non-regular paths, potentially leading t...