CVE-2026-41211
Summary of CVE-2026-41211 (vite-plus/binding) : The vulnerability affects Vite+ before version 0.1.17, where downloadPackageManager() uses an untrusted version string directly in filesystem paths. An attacker can supply traversal segments (e.g., ../) or absolute paths to escape VP_HOME/package_ma...
CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP_HOME/package_manager// cache root and...
CVE-2026-24047
Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is...
CVE-2026-24047 @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is...
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Impact The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by: 1. Symlink chains: Creating link1 → link2 → /outsi...
PT-2026-3876
Name of the Vulnerable Software and Affected Versions Backstage versions prior to 0.1.17 Description The resolveSafeChildPath utility function in @backstage/backend-plugin-api did not properly validate symlink chains and dangling symlinks, leading to a path traversal issue. An attacker could bypa...
SQL Injection
Overview smoosense is a package described as "Smoothly make sense of your large multi-modal datasets". Affected versions of this package are vulnerable to SQL Injection via improper handling of user-supplied filter values. The parseFilters.ts and helpers.ts utility functions fail to escape single quotes before...
CVE-2025-11504 Quickcreator – AI Blog Writer 0.0.9 - 0.1.17 - Unauthenticated API Key Exposure
The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently us...
Sim Studio Security Vulnerability
Sim Studio is an AI agent workflow builder for Sim Studio open source. A security vulnerability exists in Sim Studio 0.1.17 and earlier versions, which stems from improper handling of the parameter filePath in the file apps/sim/app/api/files/parse/route.ts, which could lead to path traversal...
CVE-2024-46946
langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify, which uses eval, in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 2023-10-05...
PT-2024-38864 · WordPress · Wp Multitasking
Name of the Vulnerable Software and Affected Versions: WP MultiTasking – WP Utilities plugin for WordPress versions up to, and including, 0.1.17 Description: The issue is related to Stored Cross-Site Scripting via the wpmt menu name parameter due to insufficient input sanitization and output...
WordPress plugin WP MultiTasking – WP Utilities Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...