14 matches found

NVD
added 2026/05/13 4:16 p.m. · 3 views

CVE-2026-42290

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell inste...

7.8 CVSS · 0.00022 EPSS
Exploits 0 · References 1
CVE
added 2026/05/13 2:49 p.m. · 7 views

CVE-2026-42290

Summary: The vulnerability affects protobufjs-cli’s pbts command. In versions before 1.2.1 and 2.0.2, pbts builds a shell command string from input file paths and runs it via child_process.exec, allowing file paths containing shell metacharacters to be interpreted by the shell. This can enable OS...

7.8 CVSS · 5.8 AI score · 0.00022 EPSS
Exploits 0 · References 1 · Affected Software 1
ATTACKERKB
added 2026/05/13 2:49 p.m. · 2 views

CVE-2026-42290

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell inste...

7.8 CVSS · 5.8 AI score · 0.00022 EPSS
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2026/05/12 12:0 a.m. · 5 views

Schneider Electric Saitel DR RTU and Schneider Electric Saitel DP RTU path traversal vulnerability

Schneider Electric Saitel DR RTU and Schneider Electric Saitel DP RTU are both remote terminal devices from Schneider Electric, a French company. Both devices have a path traversal vulnerability. This vulnerability stems from improper path name restrictions, which may lead to unauthorized access ...

7.1 CVSS · 5.9 AI score · 0.00061 EPSS
Exploits 0 · References 1
OSV
added 2026/04/28 8:16 a.m. · 0 views

DEBIAN-CVE-2026-41526

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path t...

7.8 CVSS · 5.4 AI score · 0.00034 EPSS
Exploits 0 · References 1
Microsoft CVE
added 2026/04/26 8:7 a.m. · 3 views

seg6: separate dst_cache for input and output paths in seg6 lwtunnel

...

9.8 CVSS · 5.8 AI score · 0.00076 EPSS
Exploits 0
OSV
added 2026/03/09 8:16 p.m. · 3 views

DEBIAN-CVE-2026-0846

A vulnerability in the filestring function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by...

7.5 CVSS · 8.1 AI score · 0.00088 EPSS
Exploits 1 · References 1
Debian CVE
added 2026/03/09 7:19 p.m. · 5 views

CVE-2026-0846

A vulnerability in the filestring function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by...

8.6 CVSS · 8.1 AI score · 0.00088 EPSS
Exploits 1
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-12274

Malicious code in bioql PyPI...

9.8 CVSS · 6.3 AI score · 0.00055 EPSS
Exploits 0 · References 6
Tenable Nessus
added 2025/07/24 12:0 a.m. · 3 views

Mattermost Server 9.11.x < 9.11.17 / 10.5.x < 10.5.7 / 10.7.x < 10.7.4 / 10.8.x < 10.8.2 (MMSA-2025-00494)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00494 advisory. - Mattermost versions 10.8.x = 10.8.1, 10.7.x = 10.7.3, 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to sanitize input paths of file attachments in the bulk import...

6.8 CVSS · 5.7 AI score · 0.00398 EPSS
Exploits 0 · References 2
OSV
added 2025/04/22 2:15 p.m. · 0 views

UBUNTU-CVE-2024-40445

A directory traversal vulnerability in forkosh Mime TeX before version 1.77 allows attackers on Windows systems to read or append arbitrary files by manipulating crafted input paths...

7.3 CVSS · 5.9 AI score · 0.00055 EPSS
Exploits 0 · References 3
Snyk
added 2025/02/10 7:40 p.m. · 4 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to insecure initialization of the DEFAULTCACHEDIR in app.py, using of user input...

8.7 CVSS · 6.8 AI score · 0.00277 EPSS
Exploits 1 · References 2
Positive Technologies
added 2022/09/05 12:0 a.m. · 1 views

PT-2022-7691 · Tinygltf +2

Name of the Vulnerable Software and Affected Versions: tinygltf versions prior to 2.6.0 Description: The tinygltf library has an issue related to the use of the C library function wordexp for file path expansion on untrusted paths from input files. This allows for command injection using backtick...

10 CVSS · 8.2 AI score · 0.08462 EPSS
Exploits 1 · References 19
Gentoo Linux
added 2005/02/10 12:0 a.m. · 24 views

Mailman: Directory traversal vulnerability

Background Mailman is a Python-based mailing list server with an extensive web interface. Description Mailman contains an error in private.py which fails to properly sanitize input paths. Impact An attacker could exploit this flaw to obtain arbitrary files on the web server. Workaround There is n...

5 CVSS · 6.3 AI score · 0.02731 EPSS
Exploits 0