PT-2026-49066

Summary filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes is only a path separator on Windows. A file whose name contains Windows-style traversal ......evil.txt is accepted by the resource handlers,...

EUVD-2026-36011

Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabli...

Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename

Summary filepath.Base on the Linux container does not strip backslashes , because \ is only a path separator on Windows. A multipart filename like ........\Windows\System32\evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route...

Path Traversal

pf4j is vulnerable to Path Traversal. The vulnerability is due to improper handling of zip entry names, where a lack of proper path normalization and validation can allow directory traversal or Zip Slip attacks...

CVE-2025-70952

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...

EUVD-2025-209006

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...

pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...

GHSA-7PQ3-326H-F8Q9 Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Authenticated Path Traversal to RCE via Configuration Import Summary An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Details The...

CVE-2025-70952

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...

EUVD-2011-5243

Malware in sbrugna...

BIT-LIBPYTHON-2024-8088 Infinite loop when iterating over zip archive entry names from zipfile.Path

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive for example, methods of "zipfile.Path" like "namelist", "iterdir", etc...

Improper Input Validation

org.apache.poi:poi-ooxml is vulnerable to Improper Input validation. The vulnerability is due to improper input validation due to the lack of checks for duplicate ZIP entry names in OOXML files, which can lead to inconsistent parsing behavior across different products...

CVE-2025-31672 Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying zip has duplicate zip entry names

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names including the path in the zip. In this cas...

PT-2025-15634 · Apache +1 · Apache Poi +1

Name of the Vulnerable Software and Affected Versions: Apache POI affected versions not specified Description: The issue concerns the parsing of OOXML based files, such as xlsx and docx, by the poi-ooxml component. It can read unexpected data if the underlying zip file has duplicate zip entry...

CVE-2024-8088

...

Apache UIMA path traversal vulnerability

Apache UIMA is a component-based software architecture from the Apache Foundation. A path traversal vulnerability exists in Apache UIMA 3.3.0 and earlier, which stems from relative path traversal and can be exploited to create files outside of a specified destination directory using carefully...

Apache UIMA Path Traversal vulnerability

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior...

CVE-2022-32287

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior...

Path traversal

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior...

CVE-2022-32287

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior...