17 matches found
CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
Directory Traversal
Overview: Affected versions of this package are vulnerable to Directory Traversal via the handling of dynamic group paths when placeholders such as %username% are used. An attacker can gain unauthorized access to parent directories by creating a specially crafted username containing relative path...
CVE-2022-50907
Affected software: e107 CMS 3.2.1. Issue: a file upload restriction bypass in the Media Manager import flow allows authenticated admin users to upload PHP files outside restricted locations, enabling remote code execution. Root cause: manipulation of the upload URL parameter enables placing malic...
CVE-2024-38449
A Directory Traversal vulnerability in KasmVNC 1.3.1.230e50f7b89663316c70de7b0e3db6f6b9340489 and possibly earlier versions allows remote authenticated attackers to browse parent directories and read the content of files outside the scope of the application...
SUSE CVE-2009-3897
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the basedir directory, and possibly the basedir directory...
Vulnerability in the Jenkins automation server related to the absence of an authentication procedure, allowing attackers to create parent directories in FilePath#mkdirs
The vulnerability in the Jenkins automation server lies in the absence of authentication procedures. Exploiting this vulnerability allows a malicious actor to create parent directories in FilePath#mkdirs from a remote location...
jenkins: FilePath#mkdirs does not check permission to create parent directories
An incorrect permissions validation vulnerability was found in Jenkins. FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to read and write arbitrary files on the Jenkins controller file system...
Apache ServiceComb Service-Center Path Traversal Vulnerability
Apache ServiceComb Service-Center is a Restful-based service registry from the Apache Foundation that provides microservice discovery and microservice management. Apache ServiceComb Service-Center is vulnerable to a path traversal vulnerability in version 1.x.x. The vulnerability stems from A...
USN-4024-1 evince update
As a security improvement, this update adjusts the AppArmor profile for the Evince thumbnailer to reduce access to the system and adjusts the AppArmor profile for Evince and Evince previewer to limit access to the DBus system bus. Additionally adjust the evince abstraction to disallow writes on...
Microstrategy Web Directory Traversal Vulnerability
MicroStrategy Web is a highly interactive, easy-to-use application for report analysis and continuous business monitoring. A directory traversal vulnerability exists in Microstrategy Web 7 at "/WebMstr7/servlet/mstrWeb". A remote authenticated user can exploit this vulnerability to bypass expecte...
USN-3784-1 AppArmor update
As a security improvement, this update adjusts the private-files abstraction to disallow writing to thumbnailer configuration files. Additionally adjust the private-files, private-files-strict and user-files abstractions to disallow writes on parent directories of sensitive files...
Directory Traversal
superstatic is vulnerable to directory traversal. The attack exists because it does not check whether the decoded path contains ..\, which allows traversal to parent directories on Windows...
CVE-2013-4482
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories...
Design/Logic Flaw
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories...
dovecot -- Insecure directory permissions
Dovecot author reports: Dovecot v1.2.x had been creating basedir and its parents if necessary with 0777 permissions. The basedir's permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually...
Moderate: Red Hat Security Advisory: unzip security update
Updated unzip packages resolving a vulnerability allowing arbitrary files to be overwritten are now available. Updated 15 August 2003: Ben Laurie found that the original patch to fix this issue missed a case where the path component included a quoted slash. These updated packages contain a new pat...
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
More info at https://symfony.com/cve-2026-48784...