9840 matches found
CVE-2026-2297
The import hook in CPython that handles legacy .pyc files SourcelessFileLoader is incorrectly handled in FileLoader a base class and so does not use io.opencode to read the .pyc files. sys.audit handlers for this audit event therefore do not fire...
CVE-2026-28518
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
EUVD-2026-9349
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the /ultp/v3/starterdummypost/ and /ultp/v3/starterimportcontent/ REST API endpoints. This makes it possible...
CVE-2026-1487
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers...
CVE-2025-50198
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configurationfile; POST coursepath; POST homepath parameters. This issue has been patched in version 1.11.30...
PT-2026-23068
Name of the Vulnerable Software and Affected Versions CPython affected versions not specified Description The import hook in CPython that handles legacy .pyc files using SourcelessFileLoader is incorrectly handled within FileLoader, a base class. This results in the failure to utilize io.open cod...
GHSA-659F-22XC-98F2 OpenClaw hook transform path containment missed symlink-resolved escapes
Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.21-2 ...
OpenClaw hook transform path containment missed symlink-resolved escapes
Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.21-2 ...
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 root. If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix 2026-02-08: Commit 28e1a65e added USER sandb...
CVE-2021-35486
A Cross-Site Request Forgery CSRF vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie...
CVE-2021-35486
A Cross-Site Request Forgery CSRF vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie...
OpenViking contains a Path Traversal vulnerability
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
GHSA-RPQR-J937-6QR9 OpenViking contains a Path Traversal vulnerability
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
CVE-2026-28518
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
EUVD-2026-9296
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
CVE-2026-28518
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
CVE-2026-28518
OpenViking versions 0.2.1 and earlier are affected by a path traversal vulnerability in the .ovpack import handling. Malicious ZIP archives containing traversal sequences, absolute paths, or drive prefixes in member names can write files outside the intended import directory with the importing pr...
CVE-2026-28518 OpenViking .ovpack Import ZIP Slip Path Traversal
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
CVE-2026-28518 OpenViking .ovpack Import ZIP Slip Path Traversal
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
CVE-2026-3409
A security flaw has been discovered in eosphoros-ai db-gpt 0.7.5. Affected is the function importlib.machinery.SourceFileLoader.execmodule of the file /api/v1/serve/awel/flow/import of the component Flow Import Endpoint. Performing a manipulation as part of File results in code injection. The...