41 matches found

RedHat Linux
added 2026/05/19 1:54 p.m. · 7 views

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition

A flaw was found in node-tar, a library for Node.js. This race condition vulnerability occurs due to incomplete handling of Unicode path collisions within the path-reservations system on case-insensitive filesystems, such as macOS APFS. A remote attacker can exploit this by providing a specially...

CVSS 8.8 · AI score 6.3 · EPSS 0.00009
Exploits 1 · References 6

Tenable Nessus
added 2026/05/11 12:0 a.m. · 6 views

Unity Linux 20.1060e / 20.1070e Security Update: git (UTSA-2026-017630)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017630 advisory. Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files...

CVSS 8 · AI score 7 · EPSS 0.61881
Exploits 5 · References 4

IBM Security Bulletins
added 2026/03/24 7:28 a.m. · 1 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.2.tgz which is vulnerable to CVE-2026-23950

Summary: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.2.tgz which is vulnerable to CVE-2026-23950. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details: CVEID: CVE-2026-23950. DESCRIPTION: node-tar, a Tar for Node.js, has ...

CVSS 8.8 · AI score 6.1 · EPSS 0.00009
Exploits 1 · Affected Software 1

EUVD
added 2026/01/21 1:5 a.m. · 2 views

EUVD-2026-3595

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS...

CVSS 8.8 · AI score 5.3 · EPSS 0.00009
Exploits 1 · References 3

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-3298

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.3 · EPSS 0.00031
Exploits 0 · References 4

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2023-2406

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.1 · EPSS 0.01001
Exploits 0 · References 7

CVE
added 2025/10/03 5:28 p.m. · 12 views

CVE-2025-61593

CVE-2025-61593 affects Cursor, specifically Cursor CLI Agent in Cursor editor versions ≤ 1.7. The vulnerability stems from inadequate protection of sensitive files (e.g., /.cursor/cli.json), allowing an attacker to inject prompts that modify these files, which can lead to remote code execution. ...

CVSS 8.8 · AI score 7.8 · EPSS 0.00188
Exploits 0 · References 1 · Affected Software 1

RedHat Linux
added 2025/07/16 3:30 p.m. · 3 views

tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation

The fix for CVE-2024-50379 in Apache Tomcat was insufficient to mitigate the issue fully. A Time-of-check Time-of-use (TOCTOU) race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to...

CVSS 9.8 · AI score 7.6 · EPSS 0.84587
Exploits 12 · References 6

SUSE CVE
added 2025/01/18 4:3 a.m. · 2 views

SUSE CVE-2024-23331

Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...

CVSS 7.5 · AI score 6.8 · EPSS 0.00479
Exploits 1 · References 3

OSV
added 2024/12/17 1:15 p.m. · 6 views

DEBIAN-CVE-2024-50379

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from...

CVSS 9.8 · AI score 8.5 · EPSS 0.84587
Exploits 12 · References 1

Veracode
added 2024/11/13 5:54 a.m. · 5 views

Path Traversal

Safearchive is vulnerable to a Path Traversal. The vulnerability is due to the handling of archive extractions on case-insensitive filesystems e.g., NTFS, which allows attackers to write arbitrary files by using symbolic links in the archive...

CVSS 7.5 · AI score 6.7 · EPSS 0.00031
Exploits 0 · References 2 · Affected Software 1

OSV
added 2024/11/04 12:32 p.m. · 5 views

GHSA-Q3RP-VVM7-J8JG Safearchive Path Traversal vulnerability

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems e.g., NTFS. This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc...

CVSS 5.9 · AI score 6.7 · EPSS 0.00031
Exploits 0 · References 4

Github Security Blog
added 2024/11/04 12:32 p.m. · 13 views

Safearchive Path Traversal vulnerability

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems e.g., NTFS. This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc...

CVSS 7.5 · AI score 6.7 · EPSS 0.00031
Exploits 0 · References 3 · Affected Software 1

OSV
added 2024/11/04 11:15 a.m. · 5 views

CVE-2024-10389

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems e.g., NTFS. This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc...

CVSS 7.5 · AI score 5.2
Exploits 0 · References 1

Cvelist
added 2024/11/04 10:47 a.m. · 15 views

CVE-2024-10389 Path Traversal in Safearchive

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems e.g., NTFS. This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc...

CVSS 5.9 · EPSS 0.00031
Exploits 0 · References 1

Positive Technologies
added 2024/11/04 12:0 a.m. · 2 views

PT-2024-16238 · Unknown +1 · Safearchive +1

Name of the Vulnerable Software and Affected Versions: Safearchive versions prior to commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc Description: The issue is related to a Path Traversal vulnerability in Safearchive on platforms with case-insensitive filesystems, such as NTFS. This vulnerability...

CVSS 8.8 · AI score 6.2 · EPSS 0.00417
Exploits 2 · References 36

Microsoft CVE
added 2024/05/14 7:0 a.m. · 76 views

GitHub: CVE-2024-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution

...

CVSS 9 · AI score 9.3 · EPSS 0.82951
Exploits 32

Github Security Blog
added 2024/01/19 9:58 p.m. · 140 views

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...

CVSS 7.5 · AI score 7 · EPSS 0.00479
Exploits 1 · References 9 · Affected Software 1

Github Security Blog
added 2023/09/18 3:30 p.m. · 37 views

Arbitrary File Overwrite in Eclipse JGit

Arbitrary File Overwrite in Eclipse JGit = 6.6.0 In Eclipse JGit, all versions = 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive...

CVSS 8.8 · AI score 8.8 · EPSS 0.01001
Exploits 0 · References 7 · Affected Software 1

NVD
added 2023/09/12 10:15 a.m. · 19 views

CVE-2023-4759

Arbitrary File Overwrite in Eclipse JGit = 6.6.0 In Eclipse JGit, all versions = 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive...

CVSS 8.8 · AI score 8.8 · EPSS 0.01001
Exploits 0 · References 3