CVE-2026-49290

Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC CDLC. Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a...

CVE-2026-49290

Slopsmith (CVE-2026-49290) contains a path-traversal vulnerability in archive extractors prior to version 0.2.9-alpha.5 that allows writing arbitrary files outside the extraction directory by crafted PSARC or sloppak archives. The issue affects three extractors: lib/psarc.py::unpack_psarc (PSARC ...

CVE-2026-49290 Slopsmith has path traversal in archive extractors that allows arbitrary file write → potential RCE

Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC CDLC. Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a...

PT-2026-49066

Summary filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes is only a path separator on Windows. A file whose name contains Windows-style traversal ......evil.txt is accepted by the resource handlers,...

poc-studio-public

Nuclei Offline GUI This is a pure offline desktop prototype,...

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

EUVD-2026-15459

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

PT-2026-27800

Name of the Vulnerable Software and Affected Versions textract versions through 2.5.0 Description The software is susceptible to an OS Command Injection issue through the file path parameter in multiple extractors. Processing files with malicious filenames allows the filePath to be directly passe...

CVE-2026-26831

CVE-2026-26831 affects textract up to version 2.5.0, where filePath is passed directly to child_process.exec() in multiple extractors (lib/extractors/doc.js, lib/extractors/rtf.js, lib/extractors/dxf.js, lib/extractors/images.js, and lib/util.js) without sufficient sanitization, enabling OS comma...

[SECURITY] Fedora 43 Update: localsearch-3.10.2-2.fc43

Tinysparql is a powerful desktop-neutral first class object database, tag/metadata database and search tool. This package contains various miners and metadata extractors for tinysparql...

An Efficient Secret Communication Scheme for the Bosonic Wiretap Channel

We propose a new secret communication scheme over the bosonic wiretap channel. It uses readily available hardware such as lasers and direct photodetectors. The scheme is based on randomness extractors, pulse-position modulation, and Reed-Solomon codes and is therefore computationally efficient. I...

nuclei2xray

Nuclei2Xray A tool written in Go language, used to convert Nu...

Model Inversion Attacks Meet Cryptographic Fuzzy Extractors

Model inversion attacks pose an open challenge to privacy-sensitive applications that use machine learning ML models. For example, face authentication systems use modern ML models to compute embedding vectors from face images of the enrolled users and store them. If leaked, inversion attacks can...

EUVD-2022-6873

Malicious code in bioql PyPI...

Leakage-Resilient Extractors against Number-On-Forehead Protocols

Given a sequence of $N$ independent sources $\mathbfX1,\mathbfX2,\dots,\mathbfXN\sim\0,1^n$, how many of them must be good i.e., contain some min-entropy in order to extract a uniformly random string? This question was first raised by Chattopadhyay, Goodman, Goyal and Li STOC '20, motivated by...

FL-PLAS: Federated Learning with Partial Layer Aggregation for Backdoor Defense against High-Ratio Malicious Clients

Federated learning FL is gaining increasing attention as an emerging collaborative machine learning approach, particularly in the context of large-scale computing and data systems. However, the fundamental algorithm of FL, Federated Averaging FedAvg, is susceptible to backdoor attacks. Although...

Litestar allows unbounded resource consumption (DoS vulnerability)

Summary Litestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allo...

PT-2024-40055 · Phantomjs +2 · Phantomjs +2

Name of the Vulnerable Software and Affected Versions: yt-dlp versions prior to 2024.07.07 Description: The issue arises from yt-dlp's DouyuTV and DouyuShow extractors using a URL from cdn.bootcdn.net as a fallback for fetching a component of the crypto-js JavaScript library. This URL is owned by...

RLSA-2023:7732 Important: tracker-miners security update

Tracker is a powerful desktop-neutral first class object database, tag/metadata database and search tool. This package contains various miners and metadata extractors for tracker. Security Fixes: tracker-miners: sandbox escape CVE-2023-5557 For more details about the security issues, including th...

Important: Red Hat Security Advisory: tracker-miners security update

An update for tracker-miners is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this upda...