Lucene search
K

8456 matches found

CVE
CVE
added yesterday4 views

CVE-2026-59948

CVE-2026-59948 affects Composer (PHP dependency manager). A malicious package from an untrusted repo (not Packagist.org/Private Packagist) with an invalid name could cause install/update to write attacker-controlled files outside the vendor directory and project. Root cause: failure to validate t...

7CVSS6AI score
Exploits0References5
NVD
NVD
added yesterday4 views

CVE-2026-14967

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS
Exploits0References1
CVE
CVE
added yesterday5 views

CVE-2026-39822

CVE-2026-39822 describes a root-escape vulnerability in Unix environments involving os.Root: when opening a path whose final component is a symbolic link and the path ends with a slash, the implementation may follow the symlink to locations outside the designated root. Example: root.Open("symlink...

7.8CVSS6AI score
Exploits0References4
EUVD
EUVD
added yesterday3 views

EUVD-2026-42316

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open"symlink/"' will open "symlink" even when "symlink" is a symbolic link pointing...

7.8CVSS6AI score
Exploits0References4
CVE
CVE
added yesterday5 views

CVE-2026-14967

BBOT’s github_workflows module has a path-traversal vulnerability: the path-containment check fails to resolve ‘..’, allowing a crafted CODE_REPOSITORY URL to traverse out of the configured output directory. The write is bounded to two directory levels above the output location and the target is ...

3.1CVSS5.9AI score
Exploits0References1
Cvelist
Cvelist
added yesterday6 views

CVE-2026-14967 Path traversal in github_workflows allows writing artifacts outside output directory

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS
Exploits0References1
Cvelist
Cvelist
added yesterday7 views

CVE-2026-55668 File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS
Exploits0References3
EUVD
EUVD
added yesterday4 views

EUVD-2026-42272

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago3 views

Malicious code in zredis-typed (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 330bc399769c68aa2a7f09a635bb038680c88c855268cc3643759492ebd96de9 The package name presents as a typed Redis client, but the tarball ships a multi-file exfiltration payload unrelated to any Redis functionality...

6AI score
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2011-5272

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary...

9.8CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 days ago5 views

CVE-2011-10043

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary...

9.8CVSS6.1AI score
Exploits0References4
Cvelist
Cvelist
added 2 days ago29 views

CVE-2011-10043 Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary...

Exploits0References3
CVE
CVE
added 2 days ago9 views

CVE-2011-10043

Technical details about CVE-2011-10043 are not publicly available in the provided documents. Monitor for updates from official advisories; no confirmed exploit vectors, affected products, or remediation details are included here.

9.8CVSS6.1AI score
Exploits0References3
RedHat Linux
RedHat Linux
added 2 days ago5 views

python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite

A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to wri...

8CVSS7.4AI score0.0032EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 3 days ago8 views

kernel: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()

A flaw was found in the Linux kernel's Direct Rendering Manager DRM Graphics Execution Manager GEM component. This vulnerability arises from an inconsistent calculation of plane dimensions, which can lead to incorrect memory allocation checks. A local attacker could exploit this by creating a...

7.8CVSS6.7AI score0.00139EPSS
Exploits0References5
OSV
OSV
added 3 days ago4 views

DEBIAN-CVE-2026-50135

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

6.9CVSS5.9AI score0.00359EPSS
Exploits0References1
NVD
NVD
added 3 days ago4 views

CVE-2026-50135

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

6.9CVSS0.00359EPSS
Exploits0References3
NVD
NVD
added 3 days ago5 views

CVE-2026-14468

HashiCorp Terraform Enterprise contained an issue in its version control system VCS ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in ...

7.7CVSS0.00295EPSS
Exploits0References1
OSV
OSV
added 3 days ago3 views

DEBIAN-CVE-2026-58403

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile...

6.5CVSS5.9AI score0.00371EPSS
Exploits0References1
NVD
NVD
added 3 days ago4 views

CVE-2026-58403

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile...

6.5CVSS0.00371EPSS
Exploits0References4
Rows per page
Query Builder