1872 matches found
EUVD-2026-42272
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...
CVE-2026-34153 Coolify LocalFileVolume fs_path command injection enables RCE
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fspath and parentdir values before validation, and submitFileStorage does not validate the...
CVE-2026-50135 Hugo: Symlink confinement bypass in resources.Get
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...
USN-8488-1 linux, linux-aws, linux-gcp, linux-ibm, linux-oracle, linux-realtime vulnerabilities
It was discovered that some AMD processors did not properly clear data in the floating point divider unit during speculative execution. A local attacker could use this to expose sensitive information. CVE-2025-54505 Several security issues were discovered in the Linux kernel. An attacker could...
EUVD-2026-39608
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...
CVE-2026-48935
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...
CVE-2026-48935
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...
EUVD-2026-37006
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names...
CVE-2026-48713
CVE-2026-48713 affects i18next-fs-backend prior to 2.6.6. The issue arises when crafted missing-key strings are persisted via missingKeyHandler, where Backend.writeFile() splits keys on keySeparator and the path walker could reach Object.prototype (e.g., a key like "proto .polluted"), allowing pr...
NPM: vite: `server.fs.deny` bypass on Windows alternate paths
NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...
GHSA-78V8-VPJP-CJQH PDM wheel installation leads to Path Traversal via overridden write_to_fs
InstallDestination.writetofs in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe pathwithdestdir which validates via Path.resolve + isrelativeto with a bare os.path.join that performs no path validation. A malicious wheel with travers...
CVE-2026-42535
A path handling issue in moddavfs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue...
CVE-2026-42535
A path handling issue in moddavfs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue...
OESA-2026-2557 kata-containers security update
This is core component of Kata Container, to make it work, you need a isulad/docker engine. Security Fixes: 'This vulnerability was fixed in Kata Containers 3.31.0:', 'Description:\n\nIn the runtime-rs standalone virtio-fs path, Kata Containers runs virtiofsd\nas root with --sandbox none --seccom...
ROOT-APP-NPM-CVE-2025-59343 CVE-2025-59343 in @rootio/tar-fs - Patched by Root
Root has patched CVE-2025-59343 in the @rootio/tar-fs package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-48387 CVE-2025-48387 in @rootio/tar-fs - Patched by Root
Root has patched CVE-2025-48387 in the @rootio/tar-fs package for Root:npm. Multiple fixed versions available...
Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : tar-fs vulnerabilities (USN-8367-1)
The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8367-1 advisory. It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this iss...
CVE-2026-46256 NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages
In the Linux kernel, the following vulnerability has been resolved: NFS/localio: prevent direct reclaim recursion into NFS via nfswritepages LOCALIO is an NFS loopback mount optimization that avoids using the network for READ, WRITE and COMMIT if the NFS client and server are determined to be on...
Linux Distros Unpatched Vulnerability : CVE-2026-46256
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NFS/localio: prevent direct reclaim recursion into NFS via nfswritepages LOCALIO is an NFS loopback mount optimization that avoids using the network for READ,...
USN-8367-1 node-tar-fs vulnerabilities
It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this issue to write or overwrite files outside the intended extraction directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. CVE-2024-12905 It was...