EUVD-2026-28549

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can...

rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability

A flaw was found in Rollup, a JavaScript module bundler. Insecure file name sanitization in the core engine allows an attacker to control output filenames, potentially through command-line interface CLI inputs, manual chunk aliases, or malicious plugins. By using directory traversal sequences ../...

EUVD-2025-209593

All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file...

CVE-2026-5364

The CVE-2026-5364 case affects the WordPress plugin Drag and Drop File Upload for Contact Form 7 (versions up to 1.1.3). The root cause is that the plugin validates the file using the unsanitized extension while saving uses a sanitized one, and the file type parameter can be controlled by the att...

CVE-2026-27606

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler specifically v4.x and present in current source is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker t...

EUVD-2021-34715

Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the...

USN-7812-1 imagemagick vulnerabilities

Woojin Park, Hojun Lee, Yougin Won and Siyeon Han discovered that ImageMagick did not properly sanitize image file names. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information, or execute arbitrary code. CVE-2025-55298 Lumina Mescuwa discovered that...

USN-7812-1: ImageMagick vulnerabilities

Woojin Park, Hojun Lee, Yougin Won and Siyeon Han discovered that ImageMagick did not properly sanitize image file names. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information, or execute arbitrary code. CVE-2025-55298 Lumina Mescuwa discovered that...

EUVD-2025-25460

Malicious code in bioql PyPI...

EUVD-2023-29981

Malicious code in bioql PyPI...

EUVD-2024-35236

Malicious code in bioql PyPI...

Mattermost Server 10.5.x < 10.5.9 / 10.8.x < 10.8.4 / 10.9.x < 10.9.4 / 10.10.x < 10.10.1 / 10.11.0 Path Traversal (MMSA-2025-00501)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00501 advisory. - Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 10.10.x = 10.10.0, 10.9.x = 10.9.3 fail to sanitize file names which allows users with file upload...

GHSA-PJ6F-RC94-GW53 Mattermost Fails to Sanitize File Names

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 10.10.x = 10.10.0, 10.9.x = 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs...

Mattermost Fails to Sanitize File Names

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 10.10.x = 10.10.0, 10.9.x = 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs...

CVE-2025-6465

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 10.10.x = 10.10.0, 10.9.x = 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs...

PT-2025-34258 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.8.x through 10.8.3 Mattermost versions 10.5.x through 10.5.8 Mattermost versions 10.10.x through 10.10.0 Mattermost versions 10.9.x through 10.9.3 Description: The application fails to sanitize file names, potentially...

CVE-2024-52286

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In affected versions the Merge functionality takes untrusted user input file name and uses it directly in the creation of HTML pages allowing any unauthenticated to execute JavaScript code...

CVE-2024-54462

The file names constructed within imagepicker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could...

CVE-2024-54462

The file names constructed within imagepicker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could...

CVE-2024-37403

Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information...