49 matches found
CVE-2026-11968
CVE-2026-11968 affects TortoiseGitBlame. The issue arises from argument injection via malicious Git history filenames, enabling arbitrary file write in TortoiseGit. The provided sources describe the vulnerability name and impact but do not include concrete exploit details, affected versions, root...
📄 OpenSTAManager 2.9.8 Command Injection
OpenSTAManager versions 2.9.8 and below suffer from a command injection vulnerability via the P7M file processing functionality. CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing Overview | Field | Details | |---|---| | CVE ID | CVE-2025-69212 | | Severity | CRITIC...
CVE-2026-40024
A flaw was found in The Sleuth Kit, specifically in the tskrecover tool. An attacker can exploit this path traversal vulnerability by providing a specially crafted filesystem image containing malicious filenames or directory paths with path traversal sequences. This allows the attacker to write...
CVE-2026-34563
CVE-2026-34563 (CI4MS) is a vulnerability in the CodeIgniter 4–based CMS skeleton where, before version 0.31.0.0, user input is not properly sanitized during backup uploads and backup metadata processing. An attacker can inject a malicious JavaScript payload into the backup filename via an xss.sq...
CVE-2026-33653
Uploady is vulnerable to a stored XSS in versions before 3.1.2 due to improper sanitization of filenames during upload. A malicious filename can execute JavaScript when displayed in the file list or details page. The issue is fixed in version 3.1.2. The available connected documents confirm the a...
CVE-2026-4092
Path Traversal in Clasp impacting versions 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences...
CVE-2026-28484
...
CVE-2026-28484
OpenClaw contains an option-injection vulnerability in the git-hooks/pre-commit hook in versions prior to 2026.2.15. The hook fails to use a -- separator when piping filenames through xargs to git add, enabling an attacker to inject git flags by supplying maliciously-named files beginning with da...
Directory Traversal
Overview eml-parser is a Python EML parser library Affected versions of this package are vulnerable to Directory Traversal via the recursivelyextractattachments.py script when processing email attachments with attacker-controlled filenames. An attacker can write arbitrary files outside the intend...
Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names
Summary The function listhtml generates a file view of a folder without sanitizing the files or folders names, potentially leading to XSS in cases where a website allows access to public files using this feature, allowing anyone to upload a file. Details The vulnerable snippet of code is the...
CVE-2025-64756
A flaw was found in glob. This vulnerability allows arbitrary command execution via processing files with malicious names when the glob command-line interface CLI is used with the -c/--cmd option, enabling shell metacharacters to trigger command injection. Mitigation To mitigate this issue, avoid...
CVE-2025-66258
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames a...
PT-2025-48112
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames a...
CVE-2025-64756
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are...
CVE-2025-64756
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection in the CLI, via the -c/--cmd option. The processing of commandline options in src/bin.mts calls the foregroundChild on them, which defaults to setting shell: true. An attacker who can control the filenames being matche...
GHSA-5J98-MCP5-4VW2 glob CLI: Command injection via -c/--cmd executes matches with shell:true
Summary The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to...
glob CLI: Command injection via -c/--cmd executes matches with shell:true
Summary The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to...
PT-2025-47185
Name of the Vulnerable Software and Affected Versions Glob versions 10.3.7 through 11.0.3 Description The glob command-line interface contains a command injection issue in its -c/--cmd option. This allows arbitrary command execution when processing files with maliciously crafted names. When using...
Cross-site Scripting (XSS)
io.vertx:vertx-web is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper escaping of file and directory names in generated HTML when directory listing is enabled, which allows an attacker to craft malicious filenames that execute arbitrary scripts in the browser of users...