5 matches found
CVE-2026-44002
A flaw was found in vm2 before 3.11.0. The CallSite wrapper blocks getThis and getFunction but returns unsanitized host absolute paths from getFileName, allowing sandboxed code to learn host directory layout, library paths, and framework versions. Fixed in 3.11.0...
vm2 Security Vulnerability
vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node.js modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from the CallSite wrapper class allowing...
PT-2026-38393
Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.11.0 Description: The CallSite wrapper class, designed as a safe wrapper for V8's native CallSite, fails to sanitize the output of the getFileName function. While the class blocks getThis and getFunction to prevent host...
CVE-2024-52677
HkCms = v2.3.2.240702 is vulnerable to file upload in the getFileName method in /app/common/library/Upload.php...
PT-2024-35410 · Hkcms · Hkcms
Name of the Vulnerable Software and Affected Versions: HkCms versions prior to 2.3.2.240702 Description: The issue concerns a file upload vulnerability in the getFileName method located in /app/common/library/Upload.php. Recommendations: For versions prior to 2.3.2.240702, consider disabling the...