Lucene search
K

334 matches found

Positive Technologies
Positive Technologies
added 6 days ago5 views

PT-2026-56963

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Tonda tonda allows PHP Local File Inclusion.This issue affects Tonda: from n/a through = 2.5...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References3
NVD
NVD
added 2026/07/02 4:16 p.m.8 views

CVE-2026-44941

A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root...

8.8CVSS0.00533EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/06/30 10:38 a.m.15 views

Important: Red Hat Security Advisory: vim security update

An update for vim is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability...

8.2CVSS6.4AI score0.00552EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-472 PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

9.6CVSS6.4AI score0.00619EPSS
Exploits1References5
OSV
OSV
added 2026/06/26 9:13 a.m.3 views

OPENSUSE-SU-2026:21070-1 Security update for tar

This update for tar fixes the following issues - CVE-2026-5704: crafted archives can be used to to hide file injection bsc1261900. - Fix --dereference/-h not working properly after CVE-2025-45582 fix bsc1265450...

5.5CVSS6.2AI score0.00433EPSS
Exploits2References5
OSV
OSV
added 2026/06/26 8:50 a.m.3 views

SUSE-SU-2026:22377-1 Security update for tar

This update for tar fixes the following issues - CVE-2026-5704: crafted archives can be used to to hide file injection bsc1261900. - Fix --dereference/-h not working properly after CVE-2025-45582 fix bsc1265450...

5.5CVSS5.8AI score0.00433EPSS
Exploits2References6
EUVD
EUVD
added 2026/06/22 12:31 p.m.9 views

EUVD-2026-38229

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a...

8.7CVSS6.6AI score0.00383EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.22 views

PT-2026-48500

In Splunk SOAR Security Orchestration, Automation, and Response versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute ANSI escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might...

4.3CVSS5.5AI score0.00199EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.10 views

CVE-2026-41234

Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...

7.6CVSS5.5AI score0.0027EPSS
Exploits0References1
OSV
OSV
added 2026/06/03 9:2 p.m.7 views

GHSA-37M5-M4Q3-FC6X Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

7.6CVSS6AI score0.0027EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/03 9:2 p.m.14 views

Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

8.8CVSS6AI score0.00544EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/06/02 5:23 a.m.9 views

MGASA-2026-0168 Updated tar packages fix security vulnerability

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.5CVSS5.8AI score0.0043EPSS
Exploits1References5
Mageia
Mageia
added 2026/06/02 5:23 a.m.20 views

Updated tar packages fix security vulnerability

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.5CVSS5.7AI score0.0043EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.10 views

PT-2026-48838

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.4AI score
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/29 3:45 p.m.15 views

Froxlor has an incomplete fix for CVE-2026-30932

Summary The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References6Affected Software1
EUVD
EUVD
added 2026/05/28 5:0 a.m.12 views

EUVD-2026-32721

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

7CVSS5.9AI score0.00166EPSS
Exploits0References4
NVD
NVD
added 2026/05/27 8:16 p.m.29 views

CVE-2026-44888

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile endpoint writes user-supplied numeric config values e.g., SMTPPORT directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec every 3–5 minutes...

9.8CVSS0.00314EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 7:15 p.m.52 views

CVE-2026-44887 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

9.8CVSS0.00545EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 7:14 p.m.50 views

CVE-2026-44888 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Interger)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile endpoint writes user-supplied numeric config values e.g., SMTPPORT directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec every 3–5 minutes...

9.8CVSS0.00314EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/05/24 11:10 a.m.109 views

Exploit for Missing Authentication for Critical Function in Cpanel

CPANEL CVE EXPLOIT English | فارسی PersianREADME...

9.8CVSS6.2AI score0.981EPSS
Exploits64
Rows per page
Query Builder