Security Bulletin:DevOps Test Embedded for Eclipse IDE is vulnerable to XXE injection & RCE due to use of JGit and EGit ( CVE-2023-4759 and CVE-2025-4949)

Summary Due to the use of JGit and EGit, DevOps Test Embedded for Eclipse contains vulnerabilities that could lead to unauthorized file access via XML External Entity XXE injection, and arbitrary file overwrites on case-insensitive filesystems that can lead to Remote Code Execution RCE. This only...

CVE-2026-23903

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such ...

GHSA-F72R-2H5J-7639 SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal

File Read Interface Case Bypass Vulnerability Vulnerability Name File Read Interface Case Bypass Vulnerability Overview The /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can...

CVE-2026-23950

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, In which it has...

EUVD-2006-0766

Malware in sbrugna...

EUVD-2021-1513

Malware in sbrugna...

Unity Linux 20.1070e Security Update: nodejs (UTSA-2025-680628)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-680628 advisory. @npmcli/arborist, the library that calculates dependency trees and manages the nodemodules folder hierarchy for the npm command line interface, aims to guarantee tha...

CVE-2025-59944

Cursor IDE versions 1.6.23 and earlier are affected by a vulnerability in how sensitive files are protected (notably /.cursor/mcp.json). The issue arises from case-sensitive checks that can be bypassed, allowing an attacker to modify sensitive files via prompt injection and achieve remote code ex...

CVE-2025-61593 Cursor CLI Agent: Sensitive File Overwrite Bypass

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files i.e. /.cursor/cli.json allows attackers to modify the content of the files through prompt injection, thus achieving remote code execution. A...

PT-2025-40600

Name of the Vulnerable Software and Affected Versions Cursor versions 1.6.23 and below Description Cursor IDE has case-sensitive checks when protecting sensitive files, such as /.cursor/mcp.json. This allows attackers to modify these files through prompt injection, potentially leading to remote...

tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation

The fix for CVE-2024-50379 in Apache Tomcat was insufficient to mitigate the issue fully. A Time-of-check Time-of-use TOCTOU race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to...

tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation

The fix for CVE-2024-50379 in Apache Tomcat was insufficient to mitigate the issue fully. A Time-of-check Time-of-use TOCTOU race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to...

Exploit for Unrestricted Upload of File with Dangerous Type in Git

CVE-2024-32002: Exploiting Git RCE via git clone This repos...

Linux Distros Unpatched Vulnerability : CVE-2023-4759

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Arbitrary File Overwrite in Eclipse JGit = 6.6.0 In Eclipse JGit, all versions = 6.6.0.202305301015-r, a symbolic link present in a specially crafted git...

SUSE CVE-2023-4759

Arbitrary File Overwrite in Eclipse JGit = 6.6.0 In Eclipse JGit, all versions = 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive...

SUSE CVE-2024-10389

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems e.g., NTFS. This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc...

CVE-2024-23331

Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...

tomcat: RCE due to TOCTOU issue in JSP compilation

A flaw was found in Tomcat. A Time-of-check Time-of-use TOCTOU race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to be treated as a JSP and executed, resulting in remote code...

GHSA-27HP-XHWR-WR2M Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensiti...

DEBIAN-CVE-2024-56337

Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be...