Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions due to insecure default permissions that grant regular users elevated privileges. An attacker can gain unauthorized access to host files and execute code with root-level privileges by leveraging authenticat...

EUVD-2026-30562

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

CVE-2026-34078

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access ...

Flatpak 安全漏洞

Flatpak is an open-source system developed by Flatpak for building, distributing, and running sandboxed desktop applications on Linux. Versions of Flatpak prior to 1.16.4 contained a security vulnerability. This vulnerability stemmed from the sandbox-expose option accepting symbolic links that we...

Linux Distros Unpatched Vulnerability : CVE-2026-34078

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can ...

EUVD-2025-208619

Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls...

CVE-2025-66955

Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls...

PT-2025-52458

Name of the Vulnerable Software and Affected Versions Takes versions through 2.0-SNAPSHOT Description The Takes web framework’s TkFiles component does not properly sanitize HTTP request paths before using them to access the filesystem. This allows a remote attacker to use "../" sequences within t...

youki container escape via "masked path" abuse due to mount race conditions

Impact youki utilizes bind mounting the container's /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to...

EUVD-2007-1738

Malware in sbrugna...

SUSE CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine...

Linux Distros Unpatched Vulnerability : CVE-2021-25741

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of...

SUSE CVE-2008-1945

QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004...

CVE-2021-1800

A path handling issue was addressed with improved validation. This issue is fixed in Xcode 12.4. A malicious application may be able to access arbitrary files on the host device while running an app that uses on-demand resources with Xcode...

CVE-2018-16867

A flaw was found in qemu Media Transfer Protocol MTP before version 3.1.0. A path traversal in the in usbmtpwritedata function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lea...

CVE-2016-7116

Directory traversal vulnerability in hw/9pfs/9p.c in QEMU aka Quick Emulator allows local guest OS administrators to access host files outside the export path via a .. dot dot in an unspecified string...

Directory traversal

Directory traversal vulnerability in hw/9pfs/9p.c in QEMU aka Quick Emulator allows local guest OS administrators to access host files outside the export path via a .. dot dot in an unspecified string...

CVE-2016-7116

Directory traversal vulnerability in hw/9pfs/9p.c in QEMU aka Quick Emulator allows local guest OS administrators to access host files outside the export path via a .. dot dot in an unspecified string...