105 matches found
CVE-2025-68143 mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations
Model Context Protocol Servers is a collection of reference implementations for the model context protocol MCP. In mcp-server-git versions prior to 2025.9.25, the gitinit tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other too...
Directory Traversal
Overview mcp-server-git is an A Model Context Protocol server providing tools to read, search, and manipulate Git repositories programmatically via LLMs Affected versions of this package are vulnerable to Directory Traversal via the gitinit tool. An attacker can create repositories at arbitrary...
mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations
In mcp-server-git versions prior to 2025.9.25, the gitinit tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, gitinit could operate on any directory accessible to the server proces...
PT-2025-51936
Name of the Vulnerable Software and Affected Versions mcp-server-git versions prior to 2025.9.25 mcp-server-git versions prior to 2025.12.18 Description The Model Context Protocol Servers, specifically the mcp-server-git component, contains a flaw in the git init tool. Prior to version 2025.9.25,...
CVE-2025-65346
The CVE affects alexusmai laravel-file-manager up to version 3.3.1, where the unzip/extraction feature lacks proper path validation, enabling directory traversal and potentially writing archive contents to arbitrary filesystem locations. No public fix version is indicated in the provided document...
CVE-2025-65346
alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths...
Git Lfs 后置链接漏洞
Git Lfs is a command line tool from the Git Lfs team for working with large files in git projects. A backlink vulnerability exists in Git Lfs versions 0.5.2 through 3.7.0, which stems from an unchecked symbolic link that could result in writing to an arbitrary file system location...
CLSA-2025-1759864577 Fix CVE(s): CVE-2025-6020
SECURITY UPDATE: fix privilege escalation in pamnamespace - debian/patches-applied/CVE-2025-6020-pre.patch: prerequisite changes - debian/patches-applied/CVE-2025-6020.patch: enforce proper handling of instance directory symlinks to prevent mounting arbitrary paths - CVE-2025-6020...
EUVD-2020-24698
Malware in sbrugna...
PT-2025-40296
Name of the Vulnerable Software and Affected Versions auth0-PHP versions 3.3.0 through 8.16.0 Description The Bulk User Import endpoint does not validate file path wrappers or values, potentially allowing acceptance of arbitrary file paths or URLs. This affects applications directly using the...
CVE-2025-49222
Mattermost CVE-2025-49222 affects Mattermost Server versions 9.11.x, 10.5.x, 10.8.x, 10.9.x, and 10.10.x, where upload type validation in remote cluster upload sessions can be bypassed, allowing a system admin to upload non‑attachment file types that may be placed in arbitrary filesystem director...
CVE-2025-49222 Mattermost Shared Channel Upload Type Validation Bypass
Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2, 10.10.x = 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in...
Linux Distros Unpatched Vulnerability : CVE-2020-26954
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp...
CVE-2025-48783
CVE-2025-48783 describes an external control of file name or path in the delete file function of Soar Cloud HRD Human Resource Management System, affected up to version 7.3.2025.0408. The vulnerability allows remote attackers to delete partial files by specifying arbitrary file paths. Exploitatio...
CVE-2024-6583
A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request...
CVE-2024-49411
Path Traversal in ThemeCenter prior to SMR Dec-2024 Release 1 allows physical attackers to copy apk files to arbitrary path with ThemeCenter privilege...
SAMSUNG mobile 安全漏洞
SAMSUNG mobile is a cell phone from the South Korean company Samsung SAMSUNG. A security vulnerability exists in SAMSUNG mobile before SMR-Dec-2024 Release 1, which stems from a path traversal that allows a physical attacker to copy apk files to an arbitrary path using ThemeCenter privileges...
CVE-2024-28806
An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path...
CVE-2024-3322
The CVE-2024-3322 path-traversal vulnerability affects parisneo/lollms-webui “cyber_security/codeguard” native personality up to version 9.5. The root cause is improper sanitization of user-supplied code_folder_path in lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor...
CVE-2024-3322 Path Traversal in parisneo/lollms-webui
A path traversal vulnerability exists in the 'cybersecurity/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'processfolder' function within...