CVE-2026-43891
Summary: CVE-2026-43891 and related advisories describe an arbitrary local file read in changedetection.io caused by trusting attacker-controlled history.txt entries restored via crafted backups. Prior to 0.55.1, history values containing path separators are treated as filesystem paths and can re...
JetBrains IntelliJ IDEA Arbitrary Local File Read (CVE-2026-41882)
The version of JetBrains IntelliJ IDEA installed on the remote host is prior to 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, or 2026.1.1. It is, therefore, affected by an arbitrary local file read vulnerability: - In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1...
GHSA-8757-69J2-HX56 changedetection.io has an Arbitrary Local File Read via a crafted backup restore
Details The vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into th...
CVE-2026-33354 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
WWBN AVideo is an open source video platform. In versions up to and including 26.0, POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint...
Astro Development Server has Arbitrary Local File Read
Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to t...
EUVD-2025-198185
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote...
CVE-2025-12058
The Keras Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a...
EUVD-2025-5321
Malicious code in bioql PyPI...
Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro
Summary If untrusted user input is used to dynamically create a PebbleTemplate with the method PebbleEngine#getLiteralTemplate, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of...
CVE-2024-1561 Arbitrary Local File Read via Component Method Invocation in gradio-app/gradio
An issue was discovered in gradio-app/gradio, where the /component_server endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the move_resource_to_block_cache method of the Block class, an attacker can copy any fi...
PHPMailer Local file inclusion
Impact Arbitrary local file inclusion via the $lang property, remotely exploitable if host application passes unfiltered user data into that property. The 3 CVEs listed are applications that used PHPMailer that were vulnerable to this problem. Patches It's not known exactly when this was fixed in...
GHSA-RRP4-2XX3-MV29 Command injection in gh-ost
gh-ost version <= 1.1.2 allows users to inject DSN strings via the -database parameter. This is a low severity vulnerability as the attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from ho...
CentOS 8 : thunderbird (CESA-2020:2046)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2020:2046 advisory. - Mozilla: Use-after-free during worker shutdown CVE-2020-12387 - Mozilla: Arbitrary local file access with 'Copy as cURL' CVE-2020-12392 - Mozilla:...
CVE-2020-14490
OpenClinic GA versions 5.09.02 and 5.89.05b contain a path traversal vulnerability (CWE-22) that allows arbitrary local files to be specified via parameters and may execute uploaded files, risking disclosure of sensitive data and code execution. The issue corresponds to CVE-2020-14490; root cause...
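The changedetection.io, AVideo and OpenClinic entries above share one root cause: a value the server should have treated as an opaque name (a history entry, an upload chunk, a report parameter) is handed to the filesystem as a path. The following is an added example, not code from any of those projects, showing the two checks a maintainer would put in front of such a value: a strict "single path component" test for values that must never name a directory, and a realpath-based containment test for values that legitimately pick a file under a server-chosen base directory. The names (`is_bare_identifier`, `safe_join`, `demo`) and the temporary directory layout are this example's own assumptions.

```python
"""
Containment checks for untrusted path fragments.

Added example; not code from changedetection.io, AVideo, OpenClinic or any
other project listed on this page.  Function names are this example's own.

  * is_bare_identifier(): for values that must be a single path component
    (a snapshot/history entry, a watch UUID directory name, a language code).
  * safe_join(): for values that are allowed to name a file, but only below
    a base directory the server chose (a staged upload chunk, a report file).
"""
import os
import tempfile


def is_bare_identifier(value: str) -> bool:
    """True only if value can safely be used as one path component."""
    if not value or value in (".", ".."):
        return False
    # Reject both separator styles and NUL regardless of the host OS: a
    # value restored from a backup or sent by a client may target a
    # different OS than the one that produced it.
    return not any(c in value for c in ("/", "\\", "\x00"))


def safe_join(base: str, untrusted: str):
    """Return the real path of untrusted inside base, or None if it escapes.

    Absolute paths, '..' components and symlinks pointing outside base are
    all caught by comparing realpath() results with commonpath(), not by a
    string prefix check (a prefix check accepts /srv/data-evil for /srv/data).
    """
    if "\x00" in untrusted:
        return None
    base_real = os.path.realpath(base)
    # os.path.join discards base when untrusted is absolute; the containment
    # test below is what turns that into a rejection.
    candidate = os.path.realpath(os.path.join(base_real, untrusted))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def demo() -> dict:
    """Exercise both checks against a constructed tree with a symlink escape.

    Layout (built in a temporary directory for this example only):
        <tmp>/data/            the only directory the app may read from
        <tmp>/data/chunk.part  a legitimate staged upload chunk
        <tmp>/data/link  ->  <tmp>/secret   symlink pointing outside
        <tmp>/secret/key       the file an attacker wants to read
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        secret = os.path.join(tmp, "secret")
        os.makedirs(data)
        os.makedirs(secret)
        open(os.path.join(data, "chunk.part"), "w").close()
        open(os.path.join(secret, "key"), "w").close()
        os.symlink(secret, os.path.join(data, "link"))

        good = safe_join(data, "chunk.part")
        results["good_chunk"] = good is not None and good.endswith(
            os.path.join("data", "chunk.part"))
        results["dotdot"] = safe_join(data, "../secret/key")        # None
        results["absolute"] = safe_join(data, "/etc/passwd")        # None
        results["symlink"] = safe_join(data, "link/key")            # None
        results["prefix_trick"] = safe_join(data, "../data-evil/x") # None
        results["history_plain"] = is_bare_identifier("1700000000.txt")
        results["history_traversal"] = is_bare_identifier("../../etc/passwd")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value}")
```

The symlink case is the one most prefix-based fixes miss: `<tmp>/data/link/key` starts with the base directory as a string, yet `realpath()` resolves it to `<tmp>/secret/key`, so the `commonpath()` comparison rejects it. For the changedetection.io style of bug, where the value is supposed to be a bare entry name, `is_bare_identifier()` is the right check; falling back to `safe_join()` there would still let an attacker pick any file under the data directory.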
Design/Logic Flaw
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault on all new-window events where the url or options is not...
Information Builders WebFOCUS Business Intelligence XML External Entity Injection Vulnerability
Information Builders WebFOCUS Business Intelligence (BI) is a suite of business intelligence and analytics platforms from Information Builders, Inc. in the United States. The platform provides data analysis tools, applications, reporting and document generation. Information Builders WebFOCUS Busine...
CentOS: Security Advisory for firefox (CESA-2020:2037)
The remote host is missing an update for the 'firefox' package(s) announced via the CESA-2020:2037 advisory.
CentOS 6 : firefox (RHSA-2020:2036)
The remote CentOS Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:2036 advisory. - A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash...
Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20200511)
Security Fixes : - Mozilla: Use-after-free during worker shutdown CVE-2020-12387 - Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 CVE-2020-12395 - usrsctp: Buffer overflow in AUTH chunk input validation CVE-2020-6831 - Mozilla: Arbitrary local file access with 'Copy as cURL'...
Critical: Red Hat Security Advisory: thunderbird security update
An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available...