36 matches found
XAgent 路径遍历漏洞
XAgent is an open-source, experimental large language model-driven autonomous agent developed by OpenBMB. Version XAgent 1.0.0 contains a path traversal vulnerability, which stems from incorrect handling of the filename parameter in the workspace.py function of the XAgentServer/application/router...
CVE-2025-67720
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the downloadmedia method before using them in file path construction. When downloading media, if the user does not specify a custom filename...
EUVD-2017-3088
Malware in sbrugna...
EUVD-2009-2371
Malware in sbrugna...
EUVD-2022-43274
Malicious code in bioql PyPI...
EUVD-2021-28609
Malicious code in bioql PyPI...
EUVD-2023-51134
Malicious code in bioql PyPI...
CVE-2025-52053
TOTOLINK X6000R V9.4.0cu.1360B20241207 was found to contain a command injection vulnerability in the sub417D74 function via the filename parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request...
CVE-2024-45894
BlueCMS 1.6 suffers from Arbitrary File Deletion via the filename parameter in an /admin/database.php?act=del request...
Wangshen SecGate 路径遍历漏洞
Wangshen SecGate is a series of gigabit firewalls from China's Wangshen. A path traversal vulnerability exists in Wangshen SecGate 3600, which stems from improper handling of the parameter filename in the file ?g=logexportfile, which could lead to a path traversal attack...
BlueCMS 安全漏洞
BlueCMS is a content management system CMS based on PHP and MySQL. A security vulnerability exists in BlueCMS version 1.6, which originates from arbitrary file deletion via the filename parameter in the /admin/database.php?act=del request...
CVE-2024-45894
BlueCMS 1.6 suffers from Arbitrary File Deletion via the filename parameter in an /admin/database.php?act=del request...
CVE-2024-0416
The CVE-2024-0416 entry concerns DeShang DSMall (up to v5.0.3). The vulnerability lies in file application/home/controller/MemberAuth.php, where manipulating the file_name argument triggers a path traversal (../filedir). This is a remote issue and the exploit has public disclosure. Impact is tied...
Command injection
TOTOLINK A3300R 17.0.0cu.557B20221024 contains a command injection via the filename parameter in the UploadFirmwareFile function...
CVE-2023-46976
TOTOLINK A3300R 17.0.0cu.557B20221024 contains a command injection via the filename parameter in the UploadFirmwareFile function...
CVE-2023-46976
TOTOLINK A3300R 17.0.0cu.557B20221024 contains a command injection via the filename parameter in the UploadFirmwareFile function...
CVE-2023-46976
CVE-2023-46976 affects TOTOLINK A3300R (version 17.0.0cu.557_B20221024). The vulnerability is a command injection in the UploadFirmwareFile function triggered via the file_name parameter, allowing arbitrary command execution with network access and no user interaction. The NVD entry lists a base ...
CVE-2023-27639
An issue was discovered in the tshirtecommerce aka Custom Product Designer component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter filename in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on the system in order to...
CVE-2023-23294
Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection. An attacker can modify the filename parameter to execute commands as root...
CVE-2023-23294
Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection. An attacker can modify the filename parameter to execute commands as root...