Lucene search
+L

797 matches found

euvd
euvd
added 9 hours ago4 views

EUVD-2026-44924

HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. The application dashboard inadvertently leaks sensitive information regarding its internal file structure and directory paths through unhandled error messages, system logs, or debugging output, which could allow a...

5.3CVSS6.1AI score
Exploits0References1
nvd
nvd
added 5 days ago6 views

CVE-2026-11426

The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the templatethumbnail parameter and copying their contents into a publicly accessible uploads file...

6.5CVSS0.00308EPSS
Exploits0References2
attackerkb
attackerkb
added 6 days ago8 views

CVE-2026-41880

R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition OCR module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding...

9CVSS6.2AI score0.01331EPSS
Exploits0References2
cvelist
cvelist
added 6 days ago29 views

CVE-2026-41880 OS Command Injection in R-SOFT DMS

R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition OCR module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding...

9CVSS0.01331EPSS
Exploits0References1
cvelist
cvelist
added 6 days ago34 views

CVE-2026-41876 OS Command Injection in R-SOFT DMS

R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction function. The document converter executes shell commands using unsanitized file paths and format parameters. This allows an authenticated attacker to execute arbitrary system commands with the privileges of the web server user...

8.7CVSS0.01228EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/07/07 12:48 p.m.6 views

CVE-2026-55798

A flaw was found in Pillow, a Python imaging library. The WindowsViewer.getcommand function constructed a command-line interface CLI shell command by directly embedding a file path without proper escaping. This allowed shell metacharacters within the file path to inject arbitrary commands into...

4.5CVSS6.1AI score0.00136EPSS
Exploits1References8
attackerkb
attackerkb
added 2026/07/06 9:12 p.m.4 views

CVE-2026-34153

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fspath and parentdir values before validation, and submitFileStorage does not validate the...

8.8CVSS6.1AI score0.00403EPSS
Exploits0References4Affected Software1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.10 views

PT-2026-55966

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 12.3.0 Description The WindowsViewer.get command function constructs a cmd.exe shell command by embedding a file path into an f-string without proper escaping. This result is then passed to subprocess.Popen...,...

4.5CVSS6AI score0.00136EPSS
Exploits1References9
redhatcve
redhatcve
added 2026/07/01 11:6 p.m.7 views

CVE-2026-55628

A flaw was found in ImageMagick. The -concatenate operation, used for combining images, lacks proper security policy checks. This oversight could allow an attacker to read from or write to file paths that should otherwise be restricted by the security policy. This could lead to unauthorized acces...

6.1CVSS5.6AI score0.00098EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/06/27 5:33 a.m.7 views

CVE-2026-12404

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00281EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/26 12:0 a.m.18 views

PT-2026-53002

Name of the Vulnerable Software and Affected Versions Fluentd versions prior to 1.19.3 Description Insufficient validation of the $tag placeholder allows for the dynamic construction of file paths that can be manipulated. If an instance is configured to receive logs from untrusted sources and use...

9.8CVSS6.1AI score0.01085EPSS
Exploits0References18
attackerkb
attackerkb
added 2026/06/25 1:51 a.m.7 views

CVE-2026-8662

Path Traversal vulnerability in the createarchive function of Rapid7 InsightConnect Compression Plugin on Linux allows authenticated attackers to write to unintended file paths via crafted filename input. The impact is limited to file corruption as content cannot be controlled by the attacker...

3.3CVSS5.9AI score0.00216EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/24 5:30 p.m.33 views

CVE-2026-48731 Warp: Linux external editor command injection

Warp is an agentic development environment. From 0.2024.02.20.08.01.stable01 until 0.2026.05.06.15.42.stable01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expand...

7.8CVSS0.00496EPSS
Exploits0References2
cve
cve
added 2026/06/23 3:36 p.m.24 views

CVE-2026-56695

OpenHarness ohmo gateway exposed by default to remote invocation via /resume and /summary, enabling attackers to enumerate and load arbitrary session snapshots by ID. This can grant access to private prompts, credentials, tool output, and file paths through shared gateway channels. Documented imp...

7.1CVSS6.1AI score0.00231EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/23 3:36 p.m.38 views

CVE-2026-56695 OpenHarness - Cross-Session Disclosure via /resume and /summary Commands

OpenHarness ohmo gateway /resume and /summary slash commands default remoteinvocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and...

7.1CVSS0.00231EPSS
Exploits0References3
nvd
nvd
added 2026/06/19 6:16 p.m.14 views

CVE-2019-25760

Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to comeasyshop, task set to...

6.9CVSS0.00426EPSS
Exploits0References4
cve
cve
added 2026/06/19 5:42 p.m.17 views

CVE-2019-25760

CVE-2019-25760 describes a Local File Inclusion in Joomla! Easy Shop 1.2.3. An unauthenticated attacker can read arbitrary server files by supplying a base64-encoded file path via the file parameter in a GET request to index.php with option=com_easyshop and task=ajax.loadImage. Affected files inc...

6.9CVSS6AI score0.00426EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/06/19 5:42 p.m.5 views

CVE-2019-25760

Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to comeasyshop, task set to...

6.9CVSS6AI score0.00426EPSS
Exploits0References4Affected Software1
github
github
added 2026/06/18 5:22 p.m.18 views

Armeria: External Control of File Name or Path in xDS SDS DataSource

External Control of File Name or Path in xDS SDS DataSource Summary DataSourceStream in the :xds module resolves control-plane-supplied filename and environmentvariable fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control...

5.9CVSS5.5AI score0.00198EPSS
Exploits0References4Affected Software1
snyk
snyk
added 2026/06/18 1:55 p.m.7 views

Incorrect Authorization

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

8.8CVSS6.1AI score
Exploits0References3
Rows per page
Query Builder