Lucene search
+L

138 matches found

CNNVD
CNNVD
added 2026/04/10 12:0 a.m.7 views

goshs 安全漏洞

Goshs is a simple HTTP server developed by Patrick Hener using Go language. Versions of Goshs from 1.0.7 to 2.0.0-beta.4 contained security vulnerabilities. These vulnerabilities stemmed from the SFTP command rename, which only cleaned up the source path but did not clean up the target path,...

7.7CVSS7.3AI score0.00318EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/04/09 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-32282

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even...

6.4CVSS6.9AI score0.00292EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/04/08 11:25 p.m.10 views

SUSE CVE-2026-32282

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.3CVSS5.8AI score0.00292EPSS
Exploits0References38
NVD
NVD
added 2026/04/08 2:16 a.m.6 views

CVE-2026-32282

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.4CVSS0.00292EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2026/04/08 2:16 a.m.11 views

CVE-2026-32282

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.4CVSS5.9AI score0.00292EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/04/08 1:6 a.m.8 views

CVE-2026-32282

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.4CVSS5.3AI score0.00292EPSS
Exploits0
OSV
OSV
added 2026/04/08 1:6 a.m.3 views

CVE-2026-32282 TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.4CVSS6.6AI score0.00292EPSS
Exploits0References7
AlpineLinux
AlpineLinux
added 2026/04/08 1:6 a.m.5 views

CVE-2026-32282

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.4CVSS5.8AI score0.00292EPSS
Exploits0
OSV
OSV
added 2026/04/07 10:53 p.m.3 views

GO-2026-4864 TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the ATSYMLINKNOFOLLOW flag, which Root.Chmod uses to...

6.4CVSS5.8AI score0.00292EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/07 7:13 p.m.6 views

EUVD-2026-19875

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

6.3CVSS5.9AI score0.00914EPSS
Exploits1References1
OSV
OSV
added 2026/04/07 7:13 p.m.2 views

CVE-2026-39365 Vite has a Path Traversal in Optimized Deps `.map` Handling

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

6.3CVSS5.9AI score0.00914EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/07 4:48 p.m.20 views

CVE-2026-39308 PraisonAI recipe registry publish path traversal allows out-of-root file write

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...

7.1CVSS0.00334EPSS
Exploits1References1
OSV
OSV
added 2026/04/06 11:9 p.m.15 views

GHSA-R9X3-WX45-2V7F PraisonAI recipe registry publish path traversal allows out-of-root file write

Summary PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bund...

7.1CVSS6.1AI score0.00334EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/01 4:8 p.m.2 views

CVE-2026-34603

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the...

7.1CVSS5.8AI score0.00408EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/01 4:5 p.m.1 views

CVE-2026-34604

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed conten...

7.1CVSS5.8AI score0.00372EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/01 4:5 p.m.20 views

CVE-2026-34604

CVE-2026-34604 affects TinaCMS GraphQL’s FilesystemBridge, where path containment checks use string-based validation (path.resolve and startsWith) that fail to account for symlinks/junctions. If a symlink exists under the allowed content root, operations like get(), put(), delete(), and glob() ca...

8.8CVSS5.8AI score0.00372EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/01 1:44 p.m.10 views

USN-8139-1 rust-cargo-c vulnerability

It was discovered that tar-rs embedded in cargo-c incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside th...

6.5CVSS6AI score0.00379EPSS
Exploits1References2
Ubuntu
Ubuntu
added 2026/04/01 1:35 p.m.9 views

USN-8138-1: tar-rs vulnerability

It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, a...

6.5CVSS6AI score0.00379EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/04/01 12:23 a.m.8 views

@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions

Summary @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like...

8.3CVSS5.8AI score0.00408EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29963

It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, a...

6.5CVSS6AI score0.00379EPSS
Exploits1References3
Rows per page
Query Builder