Lucene search
K

7417 matches found

CVE
CVE
added 4 days ago11 views

CVE-2026-6101

The CVE-2026-6101 entry affects the AMP for WP – Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12). The vulnerability arises from unsafe ZIP extraction in ampforwp_save_local_font() plus inadequate cleanup that omits removal of nested directories/files, enabling auth...

7.5CVSS6.7AI score0.00646EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 4 days ago8 views

CVE-2026-6101

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwpsavelocalfont function combined with inadequate cleanup that fails to remove nested directories and...

7.5CVSS6.7AI score0.00646EPSS
Exploits0References11
Cvelist
Cvelist
added 4 days ago38 views

CVE-2026-14345 WPFunnels <= 3.12.7 - Unauthenticated Remote Code Execution via 'postData' Parameter

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...

9.8CVSS0.00745EPSS
Exploits0References11
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-42200 Coolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script generateinitscripts method in app/Actions/Database/StartPostgresql.php filename handling did not sufficiently restrict paths, allowing an...

8.8CVSS0.00542EPSS
Exploits0References4
CVE
CVE
added 4 days ago11 views

CVE-2026-42200

Coolify prior to 4.0.0-beta.474 is affected by a path traversal in the PostgreSQL initialization script handling (generate_init_scripts() in app/Actions/Database/StartPostgresql.php). An authenticated user could write files outside the intended directory during database initialization, enabling c...

8.8CVSS6.1AI score0.00542EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago8 views

PT-2026-56191

Name of the Vulnerable Software and Affected Versions AMP for WP versions prior to 1.1.13 Description An Arbitrary File Write issue exists due to unsafe ZIP file extraction within the ampforwp save local font function, coupled with inadequate cleanup that fails to remove nested directories and...

7.5CVSS6.7AI score0.00646EPSS
Exploits0References12
OSV
OSV
added 5 days ago5 views

GHSA-QRWJ-VH9X-GW5V Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write

Summary agentConn.apiClient used the default redirect behavior of http.Client while its custom transport dialed the host from the request URL as long as the port was the workspace agent HTTP API port 4. Agent tailnet IPs are deterministic from agent UUIDs, so a malicious workspace agent could...

8.3CVSS6.2AI score
Exploits0References3
NVD
NVD
added 5 days ago9 views

CVE-2026-57571

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path or travers...

9.6CVSS0.00502EPSS
Exploits1References2
CVE
CVE
added 5 days ago12 views

CVE-2026-57571

CVE-2026-57571 affects Crawl4AI prior to version 0.9.0. The vulnerability arises when saving downloaded files: the destination filename is taken from attacker-controlled input and joined to the downloads directory without confinement. If the filename contains an absolute path or traversal, it esc...

9.6CVSS6.4AI score0.00502EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-57571 Crawl4AI arbitrary file write via download filename path traversal

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path or travers...

9.6CVSS0.00502EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-57571

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path or travers...

9.6CVSS6.4AI score0.00502EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 5 days ago4 views

EUVD-2026-41892

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server...

9.9CVSS6.1AI score0.00294EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-48614

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server...

9.9CVSS6.1AI score0.00294EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 5 days ago5 views

CVE-2026-50015

A flaw was found in pnpm. An attacker can exploit this by contributing a malicious patch file through a pull request. During the pnpm install process, the patch application pipeline fails to validate file paths extracted from these patch files. This allows the attacker to write or delete arbitrar...

7.3CVSS6.5AI score0.0027EPSS
Exploits1References4
NVD
NVD
added 5 days ago9 views

CVE-2026-24014

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name t...

9.8CVSS0.00509EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-24014

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name t...

6AI score0.00509EPSS
Exploits0References2Affected Software1
CVE
CVE
added 5 days ago11 views

CVE-2026-24014

CVE-2026-24014 — Apache IoTDB Path Traversal in DataNode Trigger JAR Upload : The issue arises in IoTDB’s DataNode internal RPC interface used to create Trigger instances. The JAR name is used to build a file path without sufficient validation, enabling path traversal if the RPC port is reachable...

9.8CVSS6AI score0.00509EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-41854

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name t...

9.8CVSS6AI score0.00509EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-55880

Name of the Vulnerable Software and Affected Versions Apache IoTDB versions 1.3.3 through 2.0.7 Description The internal RPC interface of the Apache IoTDB DataNode used for creating Trigger instances fails to sufficiently validate the name of the uploaded Trigger JAR when constructing a file path...

9.8CVSS6AI score0.00509EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-55960

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server...

9.9CVSS6.1AI score0.00294EPSS
Exploits0References4
Rows per page
Query Builder