GHSA-PR96-94W5-MX2H @fastify/static vulnerable to path traversal in directory listing
Impact: @fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path to resolve a directory outside the root via path.join without a containment check. A remote...
CVE-2026-6410
Affected product/component: @fastify/static, versions 8.0.0–9.1.0. Root cause: dirList.path() uses path.join() to resolve directories outside the configured static root without containment checks, enabling path traversal when directory listing is enabled via the list option. Impact: remote unauth...
CVE-2026-6410
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...
CVE-2025-50645
A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow...
CVE-2025-50645
CVE-2025-50645 affects the D-Link DI-8003 (16.07.26A1). The vulnerability arises from improper validation of the s parameter in the pppoe_list_opt.asp endpoint, allowing a crafted request with an oversized s value to trigger a buffer overflow. Connected sources (CNVD-2026-17623, RH:CVE-2025-50645...
CVE-2025-64118
node-tar is a Tar for Node.js. In 7.5.1, using .t aka .list with sync: true to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2...