19 matches found
CVE-2026-10211
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...
CVE-2026-10211
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...
CVE-2026-10211 AstrBotDevs AstrBot fs.py _normalize_rw_path authorization
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...
MAL-2026-4622 Malicious code in normalize-path-seq (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 048493f47bc6a8b0a61c93d14a9bfbbe5edd77baff2d2423870e3cc8b7099b0a On require, index.js invokes initPlugin at the module top level, which performs an HTTPS GET to https://jsonkeeper.com/b/VL3WY, parses the response...
Malicious code in normalize-path-seq (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 048493f47bc6a8b0a61c93d14a9bfbbe5edd77baff2d2423870e3cc8b7099b0a On require, index.js invokes initPlugin at the module top level, which performs an HTTPS GET to https://jsonkeeper.com/b/VL3WY, parses the response...
CVE-2026-35613
CVE-2026-35613 affects coursevault-preview prior to 0.1.1. The issue arises from a boundary check that uses String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary, permitting a path traversal via a client-controlled relativePath. An attacker could r...
CVE-2026-5627
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...
PT-2026-30759
Impact PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured...
GHSA-P224-6X5R-FJPM Ory Oathkeeper has a path traversal authorization bypass
Description Ory Oathkeeper is vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences e.g. /public/../admin/secrets that resolves to a protected path after normalization, but is matched against a permissive rule because the ra...
Access Control Bypass
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass through the normalizePath function, by utilizing a double file:// scheme to bypass local file system validation. Note: This is only exploitable if the administrator has ...
PT-2024-35159 · Craft · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.12.2 and 5.4.3 Description: The issue is related to a missing normalizePath in the FileHelper::absolutePath function, which could lead to Remote Code Execution on the server via twig Server Side Template Injection...
SUSE CVE-2021-21330
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
DEBIAN-CVE-2021-21330
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
AZL-44805 CVE-2021-21330 affecting package python-aiohttp 3.6.2-3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
PYSEC-2021-76
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
CVE-2021-21330
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
PYSEC-2021-76
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
UBUNTU-CVE-2021-21330
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...
GHSA-V6WP-4M6F-GCJG `aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)
Impact Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.webmiddlewares.normalizepathmiddleware middleware. Patches This security problem has been fixed in v3.7.4. Upgrade...