123 matches found
Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands
Impact The LaTeX backend's handling of \includegraphics, \input, and \include commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences e.g., ../../../etc/passwd to: - Read arbitrary files from the file system accessible to the...
GHSA-2J5P-7P5M-CVQR Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands
Impact The LaTeX backend's handling of \includegraphics, \input, and \include commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences e.g., ../../../etc/passwd to: - Read arbitrary files from the file system accessible to the...
PT-2026-46122
Name of the Vulnerable Software and Affected Versions Docling versions prior to 2.91.0 Description The LaTeX backend fails to validate path containment when handling the includegraphics, input, and include commands. This allows attackers to use path traversal sequences, such as ../../../etc/passw...
EUVD-2026-33744
F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join without validating the resulting path stays within the...
CVE-2026-43624
F5-TTS up to v1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized project names to os.path.join() without validating the resulting path. An attacker can supply absolute paths (e.g., /t...
CVE-2026-43624 F5-TTS 1.1.20 Path Traversal via finetune_gradio.py create_data_project()
F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join without validating the resulting path stays within the...
UBUNTU-CVE-2026-44973
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths e.g., using .. to escape intended base directories. While go-billy was...
CVE-2026-44973
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths e.g., using .. to escape intended base directories. While go-billy was...
PT-2026-42595
Impact A maliciously crafted .onetoc2 table-of-contents file can cause Parser::parse notebook to open arbitrary files on the host filesystem outside the notebook's directory. The parser reads entry names listed inside the .onetoc2 and joins them against the notebook's base directory without...
Race Condition
Spring Cloud Config Server is vulnerable to Race Condition. The vulnerability is due to a Time-of-Check Time-of-Use TOCTOU issue in handling the Git repository base directory spring.cloud.config.server.git.basedir, where attackers may manipulate filesystem state between validation and use,...
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Summary The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-rou...
GHSA-HG3H-G7XC-F7VP view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Summary The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-rou...
PT-2026-39303
Name of the Vulnerable Software and Affected Versions view component versions 3.0.0 through 4.8.9 Description The system test entrypoint canonicalizes a user-controlled file path using File.realpath and verifies if the resolved path starts with the temporary directory path. This containment check...
Spring Cloud Config Server Susceptible To TOCTOU Attack
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
GHSA-86WQ-234Q-R6WG Spring Cloud Config Server Susceptible To TOCTOU Attack
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
CVE-2026-41002
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
CVE-2026-41002
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
EUVD-2026-28248
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
CVE-2026-41002
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
CVE-2026-41002
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...