
50 matches found

RedhatCVE
added 3 days ago | 6 views

CVE-2026-6418

An issue was discovered in the Shared Account Synchronization component of PaperCut MF version 25.0.4. The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with...

CVSS 4.9 | AI score 5.6 | EPSS 0.00043
Exploits: 0 | References: 1

EUVD
added 2026/05/20 4:32 p.m. | 7 views

EUVD-2026-31138

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial ...

CVSS 6.5 | AI score 5.9 | EPSS 0.00053
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/05 12:0 a.m. | 5 views

PT-2026-36983

Name of the Vulnerable Software and Affected Versions: PaperCut MF version 25.0.4. Description: An issue in the Shared Account Synchronization component allows authenticated administrative users to specify arbitrary file paths on the local file system due to insufficient path validation and...

CVSS 4.9 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 6

NVD
added 2026/03/23 10:16 p.m. | 3 views

CVE-2025-60946

Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha...

CVSS 8.8 | EPSS 0.003
Exploits: 0 | References: 4

Cvelist
added 2026/03/23 8:59 p.m. | 20 views

CVE-2025-60946 Census CSWeb path traversal

Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha...

CVSS 8.8 | EPSS 0.003
Exploits: 0 | References: 4

Positive Technologies
added 2026/03/23 12:0 a.m. | 2 views

PT-2026-27209

Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha...

CVSS 8.8 | AI score 5.9 | EPSS 0.003
Exploits: 0 | References: 5

OSV
added 2026/03/10 6:28 p.m. | 0 views

GO-2026-4570 Vitess users with backup storage access can write to arbitrary file paths in vitess.io/vitess

Vitess users with backup storage access can write to arbitrary file paths on restore in vitess.io/vitess...

CVSS 9.3 | AI score 5.9 | EPSS 0.00075
Exploits: 0 | References: 4

CVE
added 2026/02/27 4:41 p.m. | 9 views

CVE-2026-24488

OpenEMR

CVSS 6.5 | AI score 6 | EPSS 0.00012
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/02/27 4:3 p.m. | 1 views

GHSA-R492-HJGH-C9GW Vitess users with backup storage access can write to arbitrary file paths on restore

Impact: Anyone with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is ...

CVSS 9.3 | AI score 6.1 | EPSS 0.00075
Exploits: 0 | References: 6

Microsoft CVE
added 2026/02/27 9:1 a.m. | 2 views

Vitess users with backup storage access can write to arbitrary file paths on restore

...

CVSS 9.3 | AI score 5.9 | EPSS 0.00075
Exploits: 0

Cvelist
added 2026/02/04 7:55 p.m. | 20 views

CVE-2026-25475 OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction

OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/fil...

CVSS 6.5 | EPSS 0.0013
Exploits: 1 | References: 1

ATTACKERKB
added 2026/02/04 7:55 p.m. | 4 views

CVE-2026-25475

OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/fil...

CVSS 6.5 | AI score 5.5 | EPSS 0.0013
Exploits: 1 | References: 2 | Affected Software: 1

EUVD
added 2026/01/12 6:27 p.m. | 2 views

EUVD-2026-2004

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the filelocalname field combined with path trust in the delete operation...

CVSS 9.6 | AI score 6.5 | EPSS 0.00116
Exploits: 0 | References: 2

Veracode
added 2025/11/24 6:58 a.m. | 4 views

Improper Input Validation

auth0/wordpress is vulnerable to Improper Input Validation. The vulnerability is due to the Bulk User Import endpoint not validating the file path wrapper or value, which allows an attacker to supply arbitrary file paths or URLs to manipulate file handling behavior...

CVSS 3.3 | AI score 7.1 | EPSS 0.00102
Exploits: 0 | References: 8 | Affected Software: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-17288

Malware in sbrugna...

CVSS 5.5 | AI score 5.1 | EPSS 0.00197
Exploits: 0 | References: 3

RedhatCVE
added 2025/10/06 6:14 a.m. | 9 views

CVE-2025-58769

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths o...

CVSS 3.3 | AI score 7 | EPSS 0.00102
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-17101

Malicious code in bioql PyPI...

CVSS 8.7 | AI score 6.6 | EPSS 0.00308
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-17099

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.6 | EPSS 0.00274
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2025-21750

Malicious code in bioql PyPI...

CVSS 8.7 | AI score 6.5 | EPSS 0.69939
Exploits: 0 | References: 5

OSV
added 2025/10/01 9:21 p.m. | 1 views

GHSA-HJFH-5JMM-XR24 laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import

Overview: In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. Am I affected? You are affected by this vulnerability if you meet the...

CVSS 3.3 | AI score 7.1 | EPSS 0.00102
Exploits: 0 | References: 5