
30 matches found

Cvelist
added 2026/06/08 4:52 p.m. | 35 views

CVE-2026-25559 OpenBullet2 0.3.2 Path Traversal via Wordlist Endpoint

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can...

8.8 CVSS | 0.00899 EPSS
Exploits 0 | References 2

RedhatCVE
added 2026/06/05 7:13 p.m. | 6 views

CVE-2026-40281

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate...

10 CVSS | 5.6 AI score | 0.00611 EPSS
Exploits 1 | References 1

Cvelist
added 2026/05/14 3:36 p.m. | 37 views

CVE-2026-42590 Gotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix...

8.2 CVSS | 0.0029 EPSS
Exploits 1 | References 1

EUVD
added 2026/05/14 3:36 p.m. | 10 views

EUVD-2026-30316

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix...

8.2 CVSS | 5.9 AI score | 0.0029 EPSS
Exploits 1 | References 1

Vulnrichment
added 2026/05/14 3:36 p.m. | 6 views

CVE-2026-42590 Gotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix...

8.2 CVSS | 5.9 AI score | 0.0029 EPSS
Exploits 1 | References 1

NVD
added 2026/05/06 9:16 p.m. | 2 views

CVE-2026-40281

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate...

10 CVSS | 0.00611 EPSS
Exploits 1 | References 2

Cvelist
added 2026/04/22 8:05 p.m. | 25 views

CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read, write, and delete

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

7.2 CVSS | 0.00448 EPSS
Exploits 1 | References 1

CNNVD
added 2026/03/20 12:00 a.m. | 7 views

Mesop Security Vulnerability

Mesop is a fast-building Python web application UI framework developed by Mesop OpenSource. Versions of Mesop 1.2.2 and earlier contained security vulnerabilities. These vulnerabilities were caused by a path traversal issue with the statetoken parameter, which could lead to denial-of-service...

10 CVSS | 5.9 AI score | 0.00713 EPSS
Exploits 1 | References 3

CNNVD
added 2026/03/11 12:00 a.m. | 4 views

StudioCMS Security Vulnerability

StudioCMS is an open source content management system from StudioCMS. A security vulnerability exists in StudioCMS that can be exploited by an attacker to cause an authenticated user to perform arbitrary file operations on S3 storage buckets...

7.6 CVSS | 5.9 AI score | 0.00183 EPSS
Exploits 1 | References 1

RedhatCVE
added 2026/01/09 11:13 a.m. | 11 views

CVE-2016-10847

cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80)...

8.1 CVSS | 7.1 AI score | 0.01118 EPSS
Exploits 0 | References 1

RedhatCVE
added 2026/01/09 10:34 a.m. | 6 views

CVE-2017-18648

An issue was discovered on Samsung mobile devices with KK(4.4.x), L(5.x), M(6.x), and N(7.x) software. Arbitrary file read/write operations can occur in the locked state via a crafted MTP command. The Samsung ID is SVE-2017-10086 (November 2017)...

9.1 CVSS | 7 AI score | 0.00401 EPSS
Exploits 0 | References 1

CVE
added 2025/11/07 4:28 p.m. | 16 views

CVE-2025-7719

GE Vernova Smallworld (SWMFS) CVE-2025-7719 describes an improper limitation of a pathname to a restricted directory (path traversal) that could allow file manipulation. Affected versions are Smallworld 5.3.5 and earlier. Reported impact is file operations that could be manipulated locally on Win...

5.3 CVSS | 6.5 AI score | 0.00303 EPSS
Exploits 0 | References 1

EUVD
added 2025/10/10 9:31 p.m. | 6 views

EUVD-2025-33763

e107 CMS versions through 2.3.3 are vulnerable to insecure deserialization in the install.php script. The script processes user-controlled input in the previous_steps POST parameter using unserialize(base64_decode()) without validation, allowing attackers to craft malicious serialized data. This could lead to remo...

6.5 CVSS | 7.5 AI score | 0.00329 EPSS
Exploits 1 | References 3

Positive Technologies
added 2025/10/10 12:00 a.m. | 2 views

PT-2025-41591

Name of the Vulnerable Software and Affected Versions: e107 CMS versions through 2.3.3. Description: The software contains a flaw due to insecure deserialization in the install.php script. The script processes user-controlled input received in the previous_steps POST parameter using unserializebase6...

6.5 CVSS | 7.7 AI score | 0.00329 EPSS
Exploits 1 | References 5

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2016-1769

Malware in sbrugna...

6.8 CVSS | 6.6 AI score | 0.01029 EPSS
Exploits 0 | References 2

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2017-9739

Malware in sbrugna...

9.1 CVSS | 9 AI score | 0.00401 EPSS
Exploits 0 | References 2

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-18867

Malicious code in bioql PyPI...

7.4 CVSS | 6.6 AI score | 0.00461 EPSS
Exploits 0 | References 2

CNNVD
added 2025/07/17 12:00 a.m. | 2 views

Bluebird Security Vulnerability

Bluebird is an application from Bluebird South Korea that is used to lock a device into a dedicated mode, restricting a user's access to only specified features or applications. A security vulnerability exists in Bluebird version 1.4.4, which stems from the File Manager application exposing an...

8.5 CVSS | 6.5 AI score | 0.00134 EPSS
Exploits 0 | References 1

GithubExploit
added 2025/06/12 5:25 p.m. | 283 views

Exploit for Link Following in Microsoft

Diffing cleanmgr.exe The new version of cleanmgr.exe inclu...

7.8 CVSS | 8.9 AI score | 0.03334 EPSS
Exploits 2

RedhatCVE
added 2025/05/22 10:48 p.m. | 6 views

CVE-2022-30264

The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the...

9.8 CVSS | 7 AI score | 0.0042 EPSS
Exploits 0 | References 1