222 matches found

RedhatCVE, added 2026/05/28 8:12 p.m., 8 views
CVE-2026-45061
Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string (in the path, query string, or fragment) passes thi...
CVSS 7.7, AI score 5.8, EPSS 0.00032, Exploits 0, References 1

CVE, added 2026/05/27 4:50 p.m., 8 views
CVE-2026-45061
CVE-2026-45061: Budibase (open-source low-code platform) remains vulnerable to SSRF due to a trivial substring URL check in the Plugin URL upload endpoint (/api/plugin). Before 3.35.10, the code validates only that the URL contains ".tar.gz" anywhere in the string (path, query, or fragment). The...
CVSS 7.7, AI score 5.8, EPSS 0.00032, Exploits 0, References 1

CVE, added 2026/05/15 4:04 p.m., 9 views
CVE-2026-46383
Summary: CVE-2026-46383 affects Microsoft APM prior to 0.13.0, where the legacy-bundle probing during apm install on Windows can mishandle local .tar.gz archives. On Python 3.10/3.11, the probe may extract untrusted tar members with tar.extractall() without rejecting Windows absolute member name...
CVSS 5.5, AI score 5.8, EPSS 0.00055, Exploits 0, References 1

ATTACKERKB, added 2026/05/15 2:57 p.m., 7 views
CVE-2026-46483
Vim is an open-source, command-line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the...
CVSS 3.6, AI score 5.9, EPSS 0.00017, Exploits 0, References 4, Affected Software 1

OSV, added 2026/05/11 6:31 p.m., 4 views
GHSA-9F4Q-Q82Q-4359 Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks through 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bo...
CVSS 7.5, AI score 5.8, EPSS 0.00067, Exploits 0, References 3

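The Docling entry above turns on one parser setting: entity resolution left enabled while parsing XML pulled out of an archive. The following Python example is added here and is not Docling's code. It uses the standard library's expat binding rather than lxml's etree.fromstring to show how much character data a small nested-entity document yields when expansion is allowed, and a parser that rejects any DOCTYPE so that no entity can be declared in the first place. The document, the element names and the exception class are constructed stand-ins, not taken from METS or from Docling.

```python
from xml.parsers import expat

# Constructed three-level entity bomb: the single &lol3; reference in the
# body expands to 10**3 copies of "lol" (3,000 characters of text from
# roughly 300 bytes of XML). Element names are stand-ins, not real METS.
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE mets [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<mets>&lol3;</mets>"""

# Constructed benign document with no DTD at all.
PLAIN = b'<?xml version="1.0"?><mets><file ID="f1"/></mets>'


def expanded_text_length(data: bytes) -> int:
    """Parse with entity expansion enabled (expat's default) and return how
    much character data the parser delivered: the amplification the bomb buys."""
    total = 0

    def on_chars(text: str) -> None:
        nonlocal total
        total += len(text)

    parser = expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return total


class DTDNotAllowed(ValueError):
    """Raised (by this example) when a document carries a DOCTYPE."""


def parse_without_dtd(data: bytes) -> list:
    """Refuse any document with a DOCTYPE before its internal subset is read,
    so no entity can be declared; return the element names encountered."""
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDNotAllowed(f"DOCTYPE {name!r} rejected")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


if __name__ == "__main__":
    print("bomb expands to", expanded_text_length(BOMB), "characters")
    print("plain document elements:", parse_without_dtd(PLAIN))
    try:
        parse_without_dtd(BOMB)
    except DTDNotAllowed as exc:
        print("bomb:", exc)
```

Rejecting every DOCTYPE is the blunt option; it is the right one when the format being validated never legitimately carries a DTD. With lxml, the equivalent narrower setting is to construct an etree.XMLParser with resolve_entities=False and pass it to fromstring, and to keep huge_tree at its default so the size limits stay in force.
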
Github Security Blog, added 2026/05/11 4:20 p.m., 6 views
Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
Summary:
  Title: SSRF via trivial .tar.gz substring bypass in Plugin URL upload
  Product: Budibase Self-Hosted
  Version: ≤ 3.34.11 (latest stable as of 2026-03-30)
  Component: packages/server/src/api/controllers/plugin/url.ts
  Vulnerability Type: ...
CVSS 7.7, AI score 5.9, EPSS 0.00032, Exploits 0, References 2, Affected Software 1

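The three Budibase entries above describe the same weak check: a substring test that any URL containing .tar.gz somewhere satisfies, so the suffix can sit in the query string or fragment while the host is whatever the attacker wants. The following Python example is added here and is not Budibase's code (the real endpoint is TypeScript); it renders that substring check beside a parse-based check and runs both over constructed URLs. The policy in strict_check (https only, no userinfo, public IP literals only, .tar.gz as the final path component), the function names and the sample URLs are this example's assumptions, not the project's fix.

```python
import ipaddress
from urllib.parse import urlsplit


def weak_check(url: str) -> bool:
    """Python rendering of the advisory's check: url.includes(".tar.gz")."""
    return ".tar.gz" in url


def strict_check(url: str) -> tuple:
    """Validate each URL component separately; returns (accepted, reason).

    The policy here is an assumption for the example: https only, no
    userinfo, IP literals must be globally routable, and the last path
    component must be a .tar.gz file name.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname rather than an IP literal. Loopback names are rejected
        # here; what the name resolves to still has to be checked at connect time.
        if host == "localhost" or host.endswith(".localhost"):
            return False, "loopback hostname"
    else:
        if not addr.is_global:
            return False, f"non-public address {addr}"
    last = parts.path.rsplit("/", 1)[-1].lower()
    if not last.endswith(".tar.gz") or last == ".tar.gz":
        return False, "path must name a .tar.gz file"
    return True, "ok"


# Constructed sample URLs: every one of them passes the substring check.
SAMPLES = [
    "http://169.254.169.254/latest/meta-data/?x=.tar.gz",  # cloud metadata, suffix in query
    "https://10.0.0.5/admin#.tar.gz",                      # internal host, suffix in fragment
    "https://[::1]/plugin.tar.gz/../../internal",          # loopback literal, dot-segments
    "https://example.com/plugins/demo.tar.gz",             # the shape the endpoint expects
]


def evaluate(urls=SAMPLES) -> dict:
    """Map each URL to (weak_check result, strict_check result)."""
    return {u: (weak_check(u), strict_check(u)[0]) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:5} strict={strict!s:5}  {url}  {strict_check(url)[1]}")
```

The parse-based check only judges the literal. A hostname that resolves to an internal address, or that is rebound between validation and fetch, is caught only if the fetcher resolves the name once, checks the resulting address with the same is_global rule, and then connects to that address rather than re-resolving.
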
AstraLinux, added 2026/05/03 11:59 p.m., 2 views
Astra Linux - vulnerability in libxpm
A flaw was discovered in libXpm. When processing files with the .Z or .gz extensions, the library calls external programs to compress and uncompress files. This process relies on the PATH environment variable to locate these programs. This vulnerability could allow a malicious user to execute oth...
CVSS 8.8, AI score 6.9, EPSS 0.00184, Exploits 0, References 2

UbuntuCve, added 2026/03/18 8:16 p.m., 2 views
CVE-2026-31970
HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP (BGZF) files. In the GZI loading function, bgzf_index_load_hfile, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to stor...
CVSS 8.1, AI score 6.2, EPSS 0.0005, Exploits 0, References 4

vulnersOsv, added 2026/03/05 12:52 a.m., 2 views
org.webjars.npm:canvas (>=2.5.0 <=2.6.0), org.webjars.npm:color-thief (=2.2.5) +12 more potentially affected by CVE-2026-29786 via org.webjars.npm:tar (>=0.1.20 <=4.4.19)
org.webjars.npm:tar (Maven) versions 0.1.20, 2.5.0, 0.97.5, 0.2.0, 3.4.0, 0.6.19, 2.0.0, 3.1.4, 3.4.1; org.webjars.npm:tar.gz 1.0.7. Source CVEs: CVE-2026-29786. Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15416076...
CVSS 8.2, AI score 6.7, EPSS 0.00009, Exploits 2

Packet Storm, added 2025/12/18 12:00 a.m., 428 views
C-Bitrix 25.100.500 Translate Module Arbitrary File Upload
C-Bitrix version 25.100.500 proof of concept exploit that demonstrates an arbitrary file upload vulnerability in the translate module. Title: C-Bitrix...
AI score 7.2, EPSS 0.00045, Exploits 4

Veracode, added 2025/11/26 6:14 a.m., 2 views
Path Traversal
ZenML is vulnerable to a path traversal. The vulnerability is due to improper validation of file paths during data.tar.gz extraction in the PathMaterializer class, which fails to detect symbolic and hard links, allowing an attacker to write arbitrary files and potentially achieve arbitrary comman...
CVSS 7.8, AI score 7.3, EPSS 0.0004, Exploits 1, References 4, Affected Software 1

Snyk, added 2025/11/07 11:17 p.m., 2 views
Deserialization of Untrusted Data
Overview: pdfminer.six is a PDF parser and analyzer. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CMap loading process. An attacker can execute arbitrary code with the privileges of the process running the library by placing a malicious .pickle.gz fi...
CVSS 7.3, AI score 7.8, EPSS 0.00075, Exploits 0, References 2

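The pdfminer.six entry describes code execution from a .pickle.gz file handed to the standard unpickler: a pickle can name any importable callable and the arguments to call it with, and pickle.load runs that call. The following Python example is added here and is not pdfminer.six's code; it shows a gzip-compressed pickle loader whose Unpickler.find_class refuses every global except a short allow-list, so a pickle whose __reduce__ points at os.system is rejected before anything runs. The CMap-like dictionary, the Payload class, the allow-list and the function names are constructed for this example.

```python
import gzip
import io
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals.

    Code-execution pickles work by naming a callable (os.system, subprocess.Popen,
    builtins.eval, ...) in a GLOBAL/STACK_GLOBAL opcode; refusing the lookup
    defeats them before the call is made. The allow-list below is an example
    choice for a plain mapping, not a general-purpose safe set.
    """

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "set"), ("builtins", "str"), ("builtins", "int"),
        ("builtins", "bytes"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_cmap_gz(data: bytes):
    """Decompress and unpickle with the restricted loader."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        return RestrictedUnpickler(fh).load()


class Payload:
    """Pickling this object records a call to os.system("id"); a plain
    pickle.load() of the result would run that command."""

    def __reduce__(self):
        return (os.system, ("id",))


def benign_cmap_gz() -> bytes:
    """Constructed stand-in for a CMap file: a small code-to-CID mapping."""
    return gzip.compress(pickle.dumps({"code2cid": {0x41: 0x1A}, "is_vertical": False}))


def hostile_cmap_gz() -> bytes:
    """Constructed malicious .pickle.gz (never loaded with plain pickle here)."""
    return gzip.compress(pickle.dumps(Payload()))


def classify(data: bytes) -> str:
    try:
        load_cmap_gz(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("benign :", classify(benign_cmap_gz()))
    print("hostile:", classify(hostile_cmap_gz()))
```

The benign mapping never triggers find_class at all, because dicts, ints, bools and strings are encoded with dedicated opcodes; only a reference to a module-level object does, which is exactly the path the hostile file needs. Where the cache format is under your control, the better fix is to stop using pickle for it and store the mapping in a data-only format.
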
EUVD, added 2025/10/07 12:30 a.m., 1 view
EUVD-2006-3323
Malware in sbrugna...
CVSS 2.6, AI score 6.4, EPSS 0.01429, Exploits 1, References 6

EUVD, added 2025/10/07 12:30 a.m., 3 views
EUVD-2007-2053
Malware in sbrugna...
CVSS 6.8, AI score 6.4, EPSS 0.00702, Exploits 0, References 6

EUVD, added 2025/10/07 12:30 a.m., 2 views
EUVD-2008-7103
Malware in sbrugna...
CVSS 10, AI score 6.4, EPSS 0.01086, Exploits 0, References 7

Snyk, added 2025/10/05 9:42 a.m., 2 views
Directory Traversal
Overview: zenml is "ZenML: Write production-ready ML code." Affected versions of this package are vulnerable to Directory Traversal via the load function in the PathMaterializer class during extraction of data.tar.gz archives. An attacker can overwrite arbitrary files, potentially leading to comma...
CVSS 7.8, AI score 7.8, EPSS 0.0004, Exploits 1, References 2

OSV, added 2025/10/05 9:30 a.m., 1 view
GHSA-Q92X-2X5G-H365 ZenML is vulnerable to Path Traversal through its `PathMaterializer` class
ZenML version 0.83.1 is affected by a path traversal vulnerability in the PathMaterializer class. The load function uses is_path_within_directory to validate files during data.tar.gz extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file...
CVSS 6.3, AI score 6.8, EPSS 0.0004, Exploits 1, References 4

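The APM entry above (tar members with Windows absolute names handed to tar.extractall()) and the three ZenML entries (symlinks and hard links that an is-the-path-inside-the-directory check does not catch) are two faces of the same extraction problem: the member name is checked as a string, but what the tar program does with the member is decided by its type and, on Windows, by a different notion of "absolute". The following Python example is added here and is neither project's code. It builds a constructed .tar.gz with one benign member and four hostile ones, audits each member before extraction with checks that apply both POSIX and Windows path rules regardless of the host, and extracts only what passes. The function names, the sample member names and the rejection reasons are this example's own.

```python
from __future__ import annotations

import io
import ntpath
import os
import posixpath
import tarfile
import tempfile


def member_problem(member: tarfile.TarInfo) -> str | None:
    """Return why a member must not be extracted, or None if it is acceptable.

    Both POSIX and Windows rules are applied whatever the host, so an archive
    audited on Linux is still rejected if it would escape the destination
    when extracted on Windows (drive letters, UNC paths, backslash separators).
    """
    name = member.name
    if name.startswith(("/", "\\")) or posixpath.isabs(name) or ntpath.isabs(name):
        return "absolute member name"
    if ntpath.splitdrive(name)[0]:  # 'C:...' or '\\\\server\\share...'
        return "drive-qualified member name"
    if ".." in name.replace("\\", "/").split("/"):
        return "parent-directory traversal"
    if member.issym() or member.islnk():
        # A name check cannot see where a link points; refuse links outright.
        return "symlink or hardlink member"
    if not (member.isfile() or member.isdir()):
        return "device, fifo or other special member"
    return None


def build_sample_archive() -> bytes:
    """Constructed .tar.gz: one benign file plus four hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, kind: bytes = tarfile.REGTYPE, data: bytes = b"", link: str = "") -> None:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = link
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("pkg/README.md", data=b"# benign plugin\n")
        add("../../etc/cron.d/evil", data=b"* * * * * root id\n")    # classic traversal
        add("C:\\Windows\\Temp\\evil.txt", data=b"x")                 # absolute only on Windows
        add("pkg/passwd", kind=tarfile.SYMTYPE, link="/etc/passwd")   # symlink out of the tree
        add("pkg/shadow", kind=tarfile.LNKTYPE, link="/etc/shadow")   # hardlink out of the tree
    return buf.getvalue()


def audit(archive: bytes) -> dict[str, str | None]:
    """Map every member name to its rejection reason (None = acceptable)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: member_problem(m) for m in tar.getmembers()}


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only members that pass member_problem; return their names.

    Where tarfile ships its 'data' extraction filter (3.12+, and the patched
    3.8-3.11 releases) it is passed as a second, independent layer.
    """
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member_problem(member) is None:
                tar.extract(member, path=dest, **extra)
                extracted.append(member.name)
    return extracted


def demo() -> list[str]:
    """Audit and extract the sample archive into a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="tar-audit-")
    for name, problem in audit(build_sample_archive()).items():
        print(f"{problem or 'ok':32} {name}")
    return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    print("extracted:", demo())
```

The member "C:\Windows\Temp\evil.txt" is the APM case: on Linux os.path.isabs returns False for it, so a host-native check lets it through, and tarfile's own data filter also treats it as a plain relative name there; only ntpath.isabs rejects it. The two link members are the ZenML case: their names sit inside the tree, so a prefix check passes them, while extraction would create an entry that points outside it.
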
EUVD, added 2025/10/03 8:07 p.m., 2 views
EUVD-2023-44200
Malicious code in bioql PyPI...
CVSS 6.1, AI score 4.9, EPSS 0.00102, Exploits 0, References 2

EUVD, added 2025/10/03 8:07 p.m., 1 view
EUVD-2023-44215
Malicious code in bioql PyPI...
CVSS 6.1, AI score 4.9, EPSS 0.00276, Exploits 0, References 2

EUVD, added 2025/10/03 8:07 p.m., 0 views
EUVD-2023-44207
Malicious code in bioql PyPI...
CVSS 6.1, AI score 4.9, EPSS 0.00283, Exploits 0, References 2
