
27 matches found

OSV
added 6 days ago | 2 views

GHSA-QP9X-WP8F-QGJJ tuf has platform-dependent delegation path matching

DelegatedRole._is_target_in_pathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern. Python's fnmatch.fnmatch calls os.path.normcase on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.pat...

CVSS: 4 | AI score: 5.8
Exploits: 0 | References: 3

Cvelist
added 2026/04/14 10:42 p.m. | 15 views

CVE-2026-33414 PowerShell Command Injection in Podman HyperV Machine

Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $...

CVSS: 7.1 | EPSS: 0.00016
Exploits: 0 | References: 2

CVE
added 2026/03/31 2:54 p.m. | 15 views

CVE-2026-22569

The CVE-2026-22569 entry refers to an incorrect startup configuration in Windows deployments of Zscaler Client Connector, affecting limited traffic inspection under rare conditions. Affected software: Zscaler Client Connector for Windows. Vulnerable component/behavior: startup configuration that ...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00092
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/01/08 7:55 p.m. | 21 views

CVE-2026-0747

Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or scree...

EPSS: 0.00006
Exploits: 0 | References: 1

NVD
added 2025/11/18 9:15 a.m. | 4 views

CVE-2025-40549

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences ...

CVSS: 9.1 | EPSS: 0.001
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2018-14482

Malware in sbrugna...

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00475
Exploits: 0 | References: 10

IBM Security Bulletins
added 2025/09/30 3:23 p.m. | 3 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') due to Node.js (CVE-2025-27210)

Summary: IBM App Connect Enterprise is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') due to Node.js. Vulnerability Details: CVEID: CVE-2025-27210. DESCRIPTION: An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.07725
Exploits: 5 | Affected Software: 1

OSV
added 2025/09/06 7:15 p.m. | 2 views

DEBIAN-CVE-2025-58438

internetarchive is a Python and Command-Line Interface to Archive.org. In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download method of the internetarchive library. The file.download method does not properly sanitize user-supplied filenames or...

CVSS: 9.4 | AI score: 5.8 | EPSS: 0.03849
Exploits: 0 | References: 1

OSV
added 2025/09/06 7:15 p.m. | 2 views

UBUNTU-CVE-2025-58438

internetarchive is a Python and Command-Line Interface to Archive.org. In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download method of the internetarchive library. The file.download method does not properly sanitize user-supplied filenames or...

CVSS: 9.4 | AI score: 6 | EPSS: 0.03849
Exploits: 0 | References: 6

Vulnrichment
added 2025/09/06 6:45 p.m. | 2 views

CVE-2025-58438 internetarchive is vulnerable to Directory Traversal through file downloads

internetarchive is a Python and Command-Line Interface to Archive.org. In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download method of the internetarchive library. The file.download method does not properly sanitize user-supplied filenames or...

CVSS: 9.4 | AI score: 7.3 | EPSS: 0.03849
Exploits: 0 | References: 3

Github Security Blog
added 2025/09/05 9:0 p.m. | 5 views

internetarchive Vulnerable to Directory Traversal in File.download()

Impact: What kind of vulnerability is it? This is a Critical severity directory traversal (path traversal) vulnerability in the File.download method of the internetarchive library. Who is impacted? All users of the internetarchive library versions 5.5.1 are impacted. The vulnerability is particularl...

CVSS: 9.4 | AI score: 7.8 | EPSS: 0.03849
Exploits: 0 | References: 6 | Affected Software: 1

IBM Security Bulletins
added 2025/08/29 2:29 p.m. | 7 views

Security Bulletin: Use of Java's default temporary directory for file creation in `FileBackedOutputStream` allows other users and apps to be able to access the files created by the class, which affects IBM watsonx.data

Summary Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the...

CVSS: 7.1 | AI score: 8 | EPSS: 0.00065
Exploits: 0 | Affected Software: 1

Tenable Nessus
added 2025/08/27 12:0 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2022-30634

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 32...

CVSS: 7.5 | AI score: 7.7 | EPSS: 0.00076
Exploits: 1 | References: 2

OpenVAS
added 2025/07/31 12:0 a.m. | 1 views

Wireshark 3.6.x < 3.6.10, 4.0.x < 4.0.3 Multiple Vulnerabilities (Jul 2025) - Windows

Wireshark is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wireshark:wireshark"; ifdescripti...

CVSS: 7.1 | AI score: 7.3 | EPSS: 0.00341
Exploits: 0 | References: 6

OpenVAS
added 2024/12/03 12:0 a.m. | 13 views

Wireshark Security Update (wnpa-sec-2023-28) - Windows

Wireshark is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wireshark:wireshark"...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.00132
Exploits: 0 | References: 1

Positive Technologies
added 2024/08/22 12:0 a.m. | 2 views

PT-2024-30655 · Gitoxide · Gitoxide

Name of the Vulnerable Software and Affected Versions: gitoxide affected versions not specified Description: The gix and ein commands write pathnames and other metadata literally to terminals, even if they contain characters terminals treat specially, including ANSI escape sequences. This sometim...

CVSS: 2.5 | AI score: 7 | EPSS: 0.00024
Exploits: 0 | References: 13

Snyk
added 2024/02/13 7:43 p.m. | 1 views

Denial of Service (DoS)

Overview: Microsoft.AspNetCore.App.Runtime.win-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Denial of Service (DoS) when parsing X509 certificates...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.0291
Exploits: 0 | References: 2

Vulnrichment
added 2024/01/19 5:31 p.m. | 1 views

CVE-2024-0725 ProSSHD denial of service

A vulnerability was found in ProSSHD 1.2 on Windows. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of thi...

CVSS: 5.3 | AI score: 7 | EPSS: 0.02033
Exploits: 3 | References: 3

PyPA
added 2023/11/02 6:15 a.m. | 4 views

PYSEC-2023-222

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of...

CVSS: 7.5 | AI score: 7 | EPSS: 0.03582
Exploits: 0 | References: 3 | Affected Software: 1

SUSE CVE
added 2023/04/13 1:37 a.m. | 6 views

SUSE CVE-2023-29532

A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not...

CVSS: 5.5 | AI score: 6.1 | EPSS: 0.00085
Exploits: 0 | References: 8