Lucene search
K

1872 matches found

EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42272

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS6AI score0.00269EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 9:12 p.m.3 views

CVE-2026-34153 Coolify LocalFileVolume fs_path command injection enables RCE

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fspath and parentdir values before validation, and submitFileStorage does not validate the...

8.8CVSS6.1AI score0.00403EPSS
Exploits0References5
OSV
OSV
added 2026/07/06 7:52 p.m.3 views

CVE-2026-50135 Hugo: Symlink confinement bypass in resources.Get

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

6.9CVSS5.9AI score0.00275EPSS
Exploits0References5
OSV
OSV
added 2026/07/01 4:43 p.m.10 views

USN-8488-1 linux, linux-aws, linux-gcp, linux-ibm, linux-oracle, linux-realtime vulnerabilities

It was discovered that some AMD processors did not properly clear data in the floating point divider unit during speculative execution. A local attacker could use this to expose sensitive information. CVE-2025-54505 Several security issues were discovered in the Linux kernel. An attacker could...

9.8CVSS6.8AI score0.00675EPSS
Exploits17References237
EUVD
EUVD
added 2026/06/26 1:14 a.m.8 views

EUVD-2026-39608

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.2AI score0.00154EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 1:14 a.m.42 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS0.00154EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/06/26 1:14 a.m.8 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.6AI score0.00154EPSS
Exploits0
EUVD
EUVD
added 2026/06/25 5:28 p.m.9 views

EUVD-2026-37006

i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names...

9.1CVSS5.8AI score0.00419EPSS
Exploits0References3
CVE
CVE
added 2026/06/15 8:31 p.m.43 views

CVE-2026-48713

CVE-2026-48713 affects i18next-fs-backend prior to 2.6.6. The issue arises when crafted missing-key strings are persisted via missingKeyHandler, where Backend.writeFile() splits keys on keySeparator and the path walker could reach Object.prototype (e.g., a key like "proto .polluted"), allowing pr...

9.1CVSS5.5AI score0.00419EPSS
Exploits0References2Affected Software1
Patchstack
Patchstack
added 2026/06/15 5:17 p.m.8 views

NPM: vite: `server.fs.deny` bypass on Windows alternate paths

NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...

8.2CVSS5.8AI score0.00393EPSS
Exploits2References2Affected Software1
OSV
OSV
added 2026/06/10 8:33 p.m.6 views

GHSA-78V8-VPJP-CJQH PDM wheel installation leads to Path Traversal via overridden write_to_fs

InstallDestination.writetofs in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe pathwithdestdir which validates via Path.resolve + isrelativeto with a bare os.path.join that performs no path validation. A malicious wheel with travers...

7.1CVSS5.6AI score0.00047EPSS
Exploits0References4
NVD
NVD
added 2026/06/08 4:16 p.m.13 views

CVE-2026-42535

A path handling issue in moddavfs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue...

9.1CVSS0.00538EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/06/08 3:14 p.m.12 views

CVE-2026-42535

A path handling issue in moddavfs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue...

9.1CVSS5.3AI score0.00538EPSS
Exploits0
OSV
OSV
added 2026/06/05 3:48 p.m.8 views

OESA-2026-2557 kata-containers security update

This is core component of Kata Container, to make it work, you need a isulad/docker engine. Security Fixes: 'This vulnerability was fixed in Kata Containers 3.31.0:', 'Description:\n\nIn the runtime-rs standalone virtio-fs path, Kata Containers runs virtiofsd\nas root with --sandbox none --seccom...

5.7AI score0.00067EPSS
Exploits0References2
OSV
OSV
added 2026/06/04 9:4 p.m.5 views

ROOT-APP-NPM-CVE-2025-59343 CVE-2025-59343 in @rootio/tar-fs - Patched by Root

Root has patched CVE-2025-59343 in the @rootio/tar-fs package for Root:npm. Multiple fixed versions available...

7.5CVSS5.4AI score0.00516EPSS
Exploits0
OSV
OSV
added 2026/06/04 9:4 p.m.4 views

ROOT-APP-NPM-CVE-2025-48387 CVE-2025-48387 in @rootio/tar-fs - Patched by Root

Root has patched CVE-2025-48387 in the @rootio/tar-fs package for Root:npm. Multiple fixed versions available...

8.7CVSS5.4AI score0.00474EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/06/04 12:0 a.m.9 views

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : tar-fs vulnerabilities (USN-8367-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8367-1 advisory. It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this iss...

8.7CVSS6AI score0.02186EPSS
Exploits2References4
Cvelist
Cvelist
added 2026/06/03 3:49 p.m.42 views

CVE-2026-46256 NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages

In the Linux kernel, the following vulnerability has been resolved: NFS/localio: prevent direct reclaim recursion into NFS via nfswritepages LOCALIO is an NFS loopback mount optimization that avoids using the network for READ, WRITE and COMMIT if the NFS client and server are determined to be on...

0.00099EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-46256

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NFS/localio: prevent direct reclaim recursion into NFS via nfswritepages LOCALIO is an NFS loopback mount optimization that avoids using the network for READ,...

5.5CVSS6.2AI score0.00099EPSS
Exploits0References4
OSV
OSV
added 2026/06/02 1:0 p.m.11 views

USN-8367-1 node-tar-fs vulnerabilities

It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this issue to write or overwrite files outside the intended extraction directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. CVE-2024-12905 It was...

8.7CVSS6.2AI score0.02186EPSS
Exploits2References4
Rows per page
Query Builder