CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:30 p.m.•10 views

CVE-2026-42795

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers gleamfiles, nativefiles, privatefiles in compiler-cli/src/fs.rs use followlinkstrue when walking publishable directories...

5.1CVSS5.6AI score0.00132EPSS

RedhatCVE•added 2026/06/05 7:30 p.m.•7 views

CVE-2026-42549

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir..., recursive: true on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name...

4.4CVSS5.5AI score0.00154EPSS

NVD•added 2026/06/02 2:16 p.m.•12 views

CVE-2026-42795

5.1CVSS0.00132EPSS

Exploits0References4

ATTACKERKB•added 2026/06/02 1:41 p.m.•8 views

CVE-2026-42795

5.1CVSS5.9AI score0.00132EPSS

Exploits0References5

ATTACKERKB•added 2026/06/02 1:41 p.m.•7 views

CVE-2026-32685

Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory. The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or...

4.6CVSS5.9AI score0.00152EPSS

Exploits0References6Affected Software1

VulnCheck KEV•added 2026/05/22 12:0 a.m.•18 views

VulnCheck KEV: CVE-2026-39365

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

6.3CVSS5.8AI score0.00914EPSS

In wildExploits1References4

Vulnrichment•added 2026/05/13 7:22 p.m.•9 views

CVE-2026-42549 Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root

4.4CVSS5.8AI score0.00154EPSS

CNNVD•added 2026/05/13 12:0 a.m.•7 views

Flight 路径遍历漏洞

Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained a path traversal vulnerability. This vulnerability stemmed from the make:controller CLI command, which created directories based on the controller names provided by users before class name validatio...

4.4CVSS5.8AI score0.00154EPSS

Tenable Nessus•added 2026/05/13 12:0 a.m.•6 views

Linux Distros Unpatched Vulnerability : CVE-2026-44301

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node- based asset pipelines PostCSS, Babel, TailwindCSS, Hugo...

8.6CVSS5.5AI score0.00274EPSS

CVE•added 2026/05/12 9:37 p.m.•28 views

CVE-2026-44301

Hugo (static site generator) versions 0.43 through 0.160.x are vulnerable when building a site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS). The vulnerability arises because Hugo invoked the configured Node tools without restrictions on file system access, potentially allowi...

Exploits0References1Affected Software1

Vulnrichment•added 2026/05/12 9:37 p.m.•5 views

CVE-2026-44301 Hugo: Node tool execution allows file system access outside the project directory

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

ATTACKERKB•added 2026/05/12 9:37 p.m.•6 views

CVE-2026-44301

Exploits0References2Affected Software1

Debian CVE•added 2026/05/12 9:37 p.m.•6 views

CVE-2026-44301

AlpineLinux•added 2026/05/12 9:37 p.m.•7 views

Exploits0

CVE-2026-44301

OSV•added 2026/05/06 9:34 p.m.•4 views

GHSA-3XJV-PMF2-GF2Q Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root

Summary The make:controller CLI command calls mkdir..., recursive: true on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect...

4.4CVSS5.8AI score0.00154EPSS

Snyk•added 2026/05/06 9:34 p.m.•7 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the make:controller process. An attacker can create arbitrary directories outside the intended project root by supplying crafted input containing directory traversal sequences. Details A Directory Traversal attac...

4.8CVSS6.3AI score0.00154EPSS

Exploits0References2

Github Security Blog•added 2026/05/06 8:59 p.m.•19 views

Hugo's Node tool execution allows file system access outside the project directory

Impact When building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write...

Exploits0References3Affected Software1

OSV•added 2026/05/06 8:59 p.m.•5 views

GHSA-X597-9FR4-5857 Hugo's Node tool execution allows file system access outside the project directory