Lucene search
K

20 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-464 PraisonAI Has Path Traversal in FileTools

Executive Summary: The path validation has a critical logic bug: it checks for .. AFTER normpath has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the...

9.2CVSS6AI score0.00416EPSS
Exploits1References6
NVD
NVD
added 2026/06/01 2:16 a.m.14 views

CVE-2026-10211

A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...

6.5CVSS0.00201EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/01 1:15 a.m.10 views

CVE-2026-10211

A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...

6.5CVSS6.3AI score0.00201EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/01 1:15 a.m.13 views

CVE-2026-10211 AstrBotDevs AstrBot fs.py _normalize_rw_path authorization

A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...

6.5CVSS5.5AI score0.00201EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 5:50 p.m.11 views

Malicious code in normalize-path-seq (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 048493f47bc6a8b0a61c93d14a9bfbbe5edd77baff2d2423870e3cc8b7099b0a On require, index.js invokes initPlugin at the module top level, which performs an HTTPS GET to https://jsonkeeper.com/b/VL3WY, parses the response...

6.5AI score
Exploits0References2
OSV
OSV
added 2026/05/25 5:50 p.m.11 views

MAL-2026-4622 Malicious code in normalize-path-seq (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 048493f47bc6a8b0a61c93d14a9bfbbe5edd77baff2d2423870e3cc8b7099b0a On require, index.js invokes initPlugin at the module top level, which performs an HTTPS GET to https://jsonkeeper.com/b/VL3WY, parses the response...

6.5AI score
Exploits0References2
CVE
CVE
added 2026/04/07 4:39 p.m.16 views

CVE-2026-35613

CVE-2026-35613 affects coursevault-preview prior to 0.1.1. The issue arises from a boundary check that uses String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary, permitting a path traversal via a client-controlled relativePath. An attacker could r...

5.1CVSS5.8AI score0.00141EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 1:6 p.m.2 views

CVE-2026-5627

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...

9.1CVSS6AI score0.00809EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.10 views

PT-2026-30759

Name of the Vulnerable Software and Affected Versions Kedro-Datasets versions prior to 9.3.0 Description The Kedro-Datasets plugin is susceptible to a path traversal issue in the PartitionedDataset component. Partition IDs were directly concatenated with the dataset base path without proper...

6.5CVSS6.2AI score0.00427EPSS
Exploits0References14
OSV
OSV
added 2026/03/20 8:51 p.m.8 views

GHSA-P224-6X5R-FJPM Ory Oathkeeper has a path traversal authorization bypass

Description Ory Oathkeeper is vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences e.g. /public/../admin/secrets that resolves to a protected path after normalization, but is matched against a permissive rule because the ra...

10CVSS5.8AI score0.00519EPSS
Exploits0References4
Snyk
Snyk
added 2024/11/13 2:12 p.m.4 views

Access Control Bypass

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass through the normalizePath function, by utilizing a double file:// scheme to bypass local file system validation. Note: This is only exploitable if the administrator has ...

8.7CVSS6.6AI score0.01138EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2024/11/13 12:0 a.m.7 views

PT-2024-35159 · Craft · Craft

Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.12.2 and 5.4.3 Description: The issue is related to a missing normalizePath in the FileHelper::absolutePath function, which could lead to Remote Code Execution on the server via twig Server Side Template Injection...

9CVSS7.5AI score0.01308EPSS
Exploits1References14
SUSE CVE
SUSE CVE
added 2023/02/15 3:46 a.m.3 views

SUSE CVE-2021-21330

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

8.2CVSS8.6AI score0.01905EPSS
Exploits0References5
OSV
OSV
added 2021/02/26 3:15 a.m.14 views

AZL-44805 CVE-2021-21330 affecting package python-aiohttp 3.6.2-3

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

6.1CVSS5.7AI score0.01905EPSS
Exploits0References1
OSV
OSV
added 2021/02/26 3:15 a.m.1 views

DEBIAN-CVE-2021-21330

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

6.1CVSS6.8AI score0.01905EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2021/02/26 3:15 a.m.5 views

CVE-2021-21330

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

6.1CVSS5.4AI score0.01905EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2021/02/26 3:15 a.m.15 views

PYSEC-2021-76

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

6.1CVSS6.7AI score0.01905EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2021/02/26 3:15 a.m.17 views

UBUNTU-CVE-2021-21330

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

6.1CVSS6.8AI score0.01905EPSS
Exploits0References8
OSV
OSV
added 2021/02/26 3:15 a.m.14 views

PYSEC-2021-76

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the...

6.1CVSS6.7AI score0.01905EPSS
Exploits0References7
OSV
OSV
added 2021/02/26 2:11 a.m.10 views

GHSA-V6WP-4M6F-GCJG `aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)

Impact Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.webmiddlewares.normalizepathmiddleware middleware. Patches This security problem has been fixed in v3.7.4. Upgrade...

3.1CVSS6.7AI score0.01905EPSS
Exploits0References13
Rows per page
Query Builder