CVE-2026-40076
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST /openmrs/ws/rest/v1/module is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod...
CVE-2026-40076
OpenMRS Core (CVE-2026-40076) is vulnerable to Zip Slip via the module upload REST endpoint (POST /openmrs/ws/rest/v1/module). The flaw is in WebModuleUtil.startModule(): ZIP entries under web/module/ are written without normalizing paths, allowing traversal like web/module/foo/../../../../evil.j...
EUVD-2017-0149
Malware in sbrugna...
CVE-2024-40407
A full path disclosure in Cybele Software Thinfinity Workspace before v7.0.2.113 allows attackers to obtain the root path of the application via unspecified vectors...
CVE-2023-48247
The vulnerability allows an unauthenticated remote attacker to read arbitrary files under the context of the application OS user “root” via a crafted HTTP request...
Exploit for Path Traversal in Std42 Elfinder
CVE-2023-35840 elFinder 2.1.62 - Path Traversal vulnerabilit...
Malwarebytes: Rails Debug Mode Enabled On ( https://44.208.145.207/testrail/files.md5 )
Summary: A Ruby on Rails web application running in development mode was identified on a Malwarebytes server. The application exposed sensitive system information, including details about middleware components and application root paths, which should not be accessible in a production environment...
GHSA-RMCX-FG5W-X8J9 FusionAuth vulnerable to directory traversal attack
FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process...
GHSA-Q388-J7CW-FF7W Path Traversal in Eclipse Mojarra
Multiple path traversal flaws were found in the Mojarra JSF2 implementation for identifying resources by name or from libraries. An unauthenticated remote attacker can use these flaws to gather otherwise undisclosed information from within an application's root...
WordPress Plugin Post-Duplicator Plugin Cross-Site Scripting Vulnerability
WordPress is a set of blogging platforms developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress Plugin Post-Duplicator Plugin 2.23 is vulnerable to a cross-site scripting vulnerability, which stems from an XSS payload given in t...
CVE-2021-33852
A cross-site scripting XSS attack can cause arbitrary code JavaScript to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or th...
Cross site scripting
A cross-site scripting XSS attack can cause arbitrary code JavaScript to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or th...
WordPress Plugin Post-Duplicator Plugin Cross-Site Scripting Vulnerability
WordPress is a set of blogging platforms developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress Plugin Post-Duplicator Plugin 2.23 is vulnerable to a cross-site scripting vulnerability, which stems from an XSS payload given in t...
CVE-2021-33852
A cross-site scripting XSS attack can cause arbitrary code JavaScript to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or th...
Directory Traversal
ftp-srv is vulnerable to directory traversal. The vulnerability exists as it does not perform checks on the relative path to see if it resolves to a path outside of the application root directory...
Directory Traversal
xmpphttpupload is vulnerable to directory traversal. The vulnerability exists through the unsafe implementation of sanitizedjoin, where the .. input can be used to bypass the application root directory...
GSA Bounty: Limited LFI
Summary: Due to improper parameter sanitization, local file inclusion is possible. LFI is limited as we were not able to truncate the end of string. Description: Application root is located at /var/www/dashboard/new/public. Due to URL Manipulation we are able to read file from...
actionpack vulnerable to Path Traversal
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence o...
GHSA-H56M-VWXC-3QPW Directory traversal vulnerability in actionpack
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence o...
MGASA-2015-0074 Updated ruby-sprockets packages fix CVE-2014-7819
Updated ruby-sprockets packages fix security vulnerabilities: Multiple directory traversal vulnerabilities in server.rb in Sprockets 2.12.x before 2.12.3 allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with double slashes o...