4 matches found
CVE-2026-40318 SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal...
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
Summary The endpoint /api/av/removeUnusedAttributeView is vulnerable to a path traversal CWE-22 that allows an attacker to delete arbitrary .json files on the server. The issue arises because user-controlled input id is directly used in filesystem path construction without validation or...
EUVD-2024-47245
Malicious code in bioql PyPI...
CVE-2021-35054
Minecraft before 1.17.1, when online-mode=false is configured, allows path traversal for deletion of arbitrary JSON files...