56 matches found
CVE-2026-7214
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function readfile/writefile/listfiles/fileinf of the file src/server.py. The manipulation of the argument WORKSPACEPATH leads to path traversal. The attack may be initiated remotely. The...
CVE-2026-45224
Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with...
CVE-2026-45224
Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with...
CVE-2026-7214
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function readfile/writefile/listfiles/fileinf of the file src/server.py. The manipulation of the argument WORKSPACEPATH leads to path traversal. The attack may be initiated remotely. The...
CVE-2026-7214 eghuzefa engineer-your-data server.py file_inf path traversal
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function readfile/writefile/listfiles/fileinf of the file src/server.py. The manipulation of the argument WORKSPACEPATH leads to path traversal. The attack may be initiated remotely. The...
CVE-2026-7214 eghuzefa engineer-your-data server.py file_inf path traversal
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function readfile/writefile/listfiles/fileinf of the file src/server.py. The manipulation of the argument WORKSPACEPATH leads to path traversal. The attack may be initiated remotely. The...
CVE-2026-7214
CVE-2026-7214 affects the eghuzefa engineer-your-data project up to version 0.1.3. The vulnerability targets functions read_file, write_file, list_files, and file_inf in src/server.py and stems from manipulating WORKSPACE_PATH to cause path traversal. The issue can be exploited remotely, and a pu...
Engineer Your Data 路径遍历漏洞
Engineer Your Data is a data engineering and BI workflow assistance tool developed by Mohammad Huzefa Shaikh. Versions of Engineer Your Data prior to 0.1.3 have a path traversal vulnerability. This vulnerability stems from incorrect handling of the WORKSPACEPATH parameter in the functions readfil...
PT-2026-35587
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function read file/write file/list files/file inf of the file src/server.py. The manipulation of the argument WORKSPACE PATH leads to path traversal. The attack may be initiated remotely. The...
CVE-2026-6829
CVE-2026-6829 affects the open-source project nesquena Hermes-webUI. The connected documents describe a trust-boundary failure in Hermes-webUI that allows an authenticated attacker to repoint a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters ...
CVE-2026-6829 nesquena hermes-webui Arbitrary Workspace Directory Access
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update,...
PT-2026-34193
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update,...
Hermes Web UI 路径遍历漏洞
Hermes Web UI is a lightweight, dark-themed web interface developed by Nathan Esquenazi. Hermes Web UI has a path traversal vulnerability, which stems from a failure in trust boundaries. This vulnerability allows authenticated attackers to manipulate the workspace path parameters in endpoints suc...
OpenClaw: TOCTOU read in exec script preflight
Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check...
PT-2026-27145
A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is...
CVE-2026-3954
A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the argument filename causes path traversal. The attack may be initiated remotely. The exploit has been...
CVE-2026-3954 OpenBMB XAgent workspace.py workspace path traversal
A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the argument filename causes path traversal. The attack may be initiated remotely. The exploit has been...
CVE-2026-3954
OpenBMB XAgent 1.0.0 is affected by CVE-2026-3954 due to a path traversal in the XAgentServer/application/routers/workspace.py workspace function where manipulating the file_name argument enables traversal. The vulnerability can be triggered remotely and a public exploit is available. Project was...
CVE-2026-27001
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory workspace path into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters for example...
CVE-2026-27001
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory workspace path into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters for example...