24 matches found
CVE-2026-32885
DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both the Untar and Unzip functions in pkg/archive/archive.go: the tool downloads and extracts archives from remote sources without path validation. Version...
PT-2026-34524
DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both the Untar and Unzip functions in pkg/archive/archive.go: the tool downloads and extracts archives from remote sources without path validation. Version...
CVE-2026-34607 Emlog: Path Traversal in emUnZip() allows arbitrary file write leading to RCE
Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing Z...
CVE-2019-25471 FileThingie 2.5.7 Arbitrary File Upload via ft2.php
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, an...
SUSE CVE-2025-14009
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when...
Directory Traversal
Overview: Affected versions of this package are vulnerable to Directory Traversal via the UnZip function. An attacker can write files to arbitrary locations on the filesystem by crafting archive files with malicious extraction paths. Details: A Directory Traversal attack (also known as path traversa...
CVE-2025-13816
A security vulnerability has been detected in moxi159753 Mogu Blog v2 up to 5.2. The impacted element is the function FileOperation.unzip of the file /networkDisk/unzipFile of the component ZIP File Handler. Such manipulation of the argument fileUrl leads to path traversal. The attack may be...
Mogu blog Path Traversal Vulnerability
Mogu blog is a microservice-based, front-end/back-end separated blog system by individual developers in Streamlet, China. A path traversal vulnerability exists in Mogu blog v2 5.2 and earlier versions, which stems from improper handling of the fileUrl parameter in the FileOperation.unzi...
Linux Distros Unpatched Vulnerability : CVE-2024-25978
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality. CVE-2024-25978 Note that Nessus relies on the...
Erlang - Absolute Path in Zip Module
https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP stdlib modules allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program...
PT-2024-31904 · Unknown · Scriptcase
Name of the Vulnerable Software and Affected Versions: Scriptcase versions 9.10.023 and earlier. Description: The issue is a Remote Code Execution (RCE) vulnerability via the nm unzip function. This allows for remote code execution, potentially leading to unauthorized access and control of the syste...
PT-2024-38816 · D Link · Dns-320L +18
Name of the Vulnerable Software and Affected Versions: D-Link DNS-120 up to 20240814 D-Link DNR-202L up to 20240814 D-Link DNS-315L up to 20240814 D-Link DNS-320 up to 20240814 D-Link DNS-320L up to 20240814 D-Link DNS-320LW up to 20240814 D-Link DNS-321 up to 20240814 D-Link DNR-322L up to...
UBUNTU-CVE-2024-25978
Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality...
PT-2023-32816 · Unknown · Dfirkuiper Kuiper
Name of the Vulnerable Software and Affected Versions: DFIRKuiper Kuiper version 2.3.4. Description: A problematic issue was found in the TAR Archive Handler component, specifically affecting the unzip_file function of the case_management.py file. The manipulation of the dst_path argument leads to...
PT-2023-21563 · Unknown · Go-Used-Util
Name of the Vulnerable Software and Affected Versions: go-used-util versions prior to 0.0.34 Description: The issue is a ZipSlip problem that occurs when using the fsutil package to unzip files. This can lead to path traversal when users use zip.Unzip to unzip zip files from a malicious attacker...
Path Traversal
github.com/gookit/goutil is vulnerable to Path Traversal (Zip Slip). The vulnerability exists because the Unzip function in operate.go does not properly sanitize the relative file paths, allowing an attacker to access files outside the expected directory...
Path Traversal
The fileutil subpackage in github.com/duke-git/lancet is vulnerable to path traversal. The vulnerability exists in the UnZip function in file.go due to a ZipSlip vulnerability which allows an attacker to create files outside the designated target directory using malicious zip file names...
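The Go entries above (the DDEV Untar/Unzip functions, go-used-util's zip.Unzip, goutil's Unzip and lancet's UnZip, plus the generic Directory Traversal entry) all describe the same bug: the archive entry name is joined onto the destination directory with no check that the result stays inside it. The following is an added example written for this page, not code from any of the listed projects. It puts the vulnerable resolution beside a hardened one in a single extractor, validates every entry before writing anything, caps the inflated size of each entry (the check missing in the file picker DoS entries), and tolerates Go's own zip.ErrInsecurePath so the containment check, not the Go version, decides. The archive is constructed in memory (one benign entry, one "../../" entry); all function and constant names are the example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Per-entry cap on inflated size: a tiny archive must not fill the disk (file-picker DoS class above).
const maxEntryBytes = 64 << 20

// buildMaliciousZip: constructed sample archive (not from any listed project) with a "../" entry.
func buildMaliciousZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range [][2]string{{"readme.txt", "harmless\n"}, {"../../escaped.txt", "outside dest\n"}} {
		f, _ := w.Create(e[0]) // fixed, valid names and an in-memory buffer: Create cannot fail here
		f.Write([]byte(e[1]))
	}
	w.Close() // bytes.Buffer writes cannot fail
	return buf.Bytes()
}

// unsafeTarget is the advisories' bug: the entry name is joined onto dest with no
// containment check, so "../" in the name resolves outside dest.
func unsafeTarget(dest, name string) (string, error) {
	return filepath.Join(dest, name), nil // VULNERABLE
}

// sanitizedPath is the Zip Slip check: the cleaned target must be dest itself or lie
// strictly beneath it. Absolute entry names end up re-rooted under dest.
func sanitizedPath(dest, name string) (string, error) {
	destAbs, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(destAbs, name) // Join cleans "..", possibly climbing above destAbs
	if target != destAbs && !strings.HasPrefix(target, destAbs+string(os.PathSeparator)) {
		return "", fmt.Errorf("zip slip: entry %q escapes %s", name, destAbs)
	}
	return target, nil
}

// unzip resolves every entry through resolve before writing anything, so a rejected entry leaves
// no half-extracted tree. zip.ErrInsecurePath (GODEBUG=zipinsecurepath=0) is tolerated: resolve decides.
func unzip(archive []byte, dest string, resolve func(dest, name string) (string, error)) error {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		if targets[i], err = resolve(dest, f.Name); err != nil {
			return err
		}
	}
	for i, f := range r.File {
		if err := writeEntry(f, targets[i]); err != nil {
			return err
		}
	}
	return nil
}

// writeEntry materialises a directory or regular file, enforcing maxEntryBytes on the inflated data.
func writeEntry(f *zip.File, target string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o755)
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	data, err := io.ReadAll(io.LimitReader(rc, maxEntryBytes+1))
	if err != nil {
		return err
	}
	if len(data) > maxEntryBytes {
		return fmt.Errorf("entry %q inflates past %d bytes", f.Name, maxEntryBytes)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

func main() {
	root, _ := os.MkdirTemp("", "zipslip")
	defer os.RemoveAll(root)
	fmt.Println("unsafe:", unzip(buildMaliciousZip(), filepath.Join(root, "a", "b"), unsafeTarget))
	fmt.Println("safe:  ", unzip(buildMaliciousZip(), filepath.Join(root, "safe"), sanitizedPath))
}
```

With the vulnerable resolver, escaped.txt lands two directories above dest (next to "a"); with sanitizedPath the archive is rejected before readme.txt is written. Symlink entries are deliberately not handled here: a production extractor should refuse them or validate their link targets the same way, since a symlink pointing outside dest followed by an entry written through it is a second escape route that a prefix check on the entry name alone does not catch.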
Arbitrary File Upload
github.com/mindoc-org/mindoc is vulnerable to arbitrary file upload. The vulnerability exists in the Unzip function in ziptil.go because file upload permissions and validation are not properly enforced, which allows an attacker to upload malicious files...
Command Injection in cocos-utils
All versions of cocos-utils are vulnerable to Remote Code Execution. The unzip function concatenates user input into the command string it passes to exec, which may allow attackers to execute arbitrary commands on the server. Recommendation: No fix is currently available. Consider using an alternative module until a fix is made...
CVE-2020-11536
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite a binary and remotely execute code on a victim's server...