20 matches found
CVE-2026-41917
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers c...
External Control of File Name or Path in Langflow
Vulnerability Overview: If an arbitrary path is specified in the request body's fspath, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) ar...
PYSEC-2025-125
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's fspath, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction,...
CVE-2025-68478
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's fspath, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction,...
EUVD-2021-0634
Malware in sbrugna...
Malicious code in fs-path-info (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5bbb0034c7f631436e49a1e2a5c4a5f80204c56e46a101701eeb40d7947eb39 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4348 Malicious code in fs-path-info (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5bbb0034c7f631436e49a1e2a5c4a5f80204c56e46a101701eeb40d7947eb39 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2020-8298
fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the copy, copySync, remove, and removeSync methods...
GHSA-8MRF-64FW-2X75 Command injection in fs-path
fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the copy, copySync, remove, and removeSync methods...
Command injection in fs-path
fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the copy, copySync, remove, and removeSync methods...
@codedungeon/gunner (>=0.0.1 <=0.80.1), @codedungeon/laravel-versions-cli (>=0.0.3 <=0.1.0) +74 more potentially affected by CVE-2020-8298 via fs-path (>=0.0.22 <=0.0.24)
fs-path NPM version =0.0.22, =0.0.1, =0.0.3, =0.0.9, =1.0.2, =1.0.1, =0.0.1, =1.0.0, =1.0.0, =0.0.40, =1.0.1, =0.0.1, =1.0.1, =0.1.0, =1.0.0, =1.0.2 and more Source cves: CVE-2020-8298 Source advisory: OSV:GHSA-8MRF-64FW-2X75...
CVE-2020-8298
fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the copy, copySync, remove, and removeSync methods...
CVE-2020-8298
The CVE-2020-8298 issue affects the fs-path Node.js module, specifically versions before 0.0.25. The underlying flaw is a command injection vulnerability triggered by user-supplied inputs through the copy, copySync, remove, and removeSync methods. Reported impact in sources corresponds to high/cr...
fs-path Command Injection Vulnerability
Mojin fs-path is a Mojin open source application. It provides the ability to scan files recursively or through filters. A command injection vulnerability exists in the fs-path node module before 0.0.25, which stems from the vulnerability of the fs-path node module to a user's use of "copy",...
GHSA-GC94-6W89-HPQR Command Injection in fs-path
All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available...
@codedungeon/gunner (>=0.0.1 <=0.80.1), @codedungeon/laravel-versions-cli (>=0.0.3 <=0.1.0) +74 more potentially affected by unknown CVE via fs-path (>=0.0.22 <=0.0.24)
fs-path NPM version =0.0.22, =0.0.1, =0.0.3, =0.0.9, =1.0.2, =1.0.1, =0.0.1, =1.0.0, =1.0.0, =0.0.40, =1.0.1, =0.0.1, =1.0.1, =0.1.0, =1.0.0, =1.0.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-GC94-6W89-HPQR...
Command Injection in fs-path
All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available...
Command Injection
Overview: All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available. References - HackerOne Report -...
Remote Code Execution (RCE)
fs-path is vulnerable to remote code execution (RCE) attacks. The vulnerability exists due to the lack of sanitization of user input when performing various operations such as copy, allowing malicious input to be executed...
Node.js third-party modules: `fs-path` concatenates unsanitized input into exec()/execSync() commands
I would like to report command injection in fs-path. It allows injecting and executing arbitrary shell commands while performing various operations from the fs-path API, like copying files. Module: module name: fs-path, version: 0.0.24, npm page: https://www.npmjs.com/package/fs-path Module Description...