139 matches found
CVE-2026-58228 Scheme validation bypass in Phoenix.LiveView.Utils leads to XSS via <.link>
Cross-site scripting vulnerability in phoenixframework phoenixliveview allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The Phoenix.LiveView.Utils.validdestination!/2 and Phoenix.LiveView.Utils.validlivenavigationdestination!/2 functions in...
CVE-2026-39822
A flaw was found in the os.Root functionality of Go on Unix systems. This vulnerability allows an attacker to bypass intended directory restrictions by crafting a path that ends with a symbolic link and a trailing slash. When a file is opened in os.Root with such a path, the symbolic link is...
CVE-2026-59223
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEBFETCHFILTERLIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL pa...
CVE-2026-59223
Open WebUI vulnerability CVE-2026-59223 affects the WEB_FETCH_FILTER_LIST logic prior to 0.10.0, allowing path-based blocklist bypasses (e.g., !internal.example.com in a URL path) and misalignment with hostname policy for sibling-domain matches. The issue is fixed in version 0.10.0. Impact is a p...
EUVD-2026-42377
Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to read and exfiltrate sensitive files by exploiting a missing assertSafeFileUploadPath check in the readFileFromDisk function within tool-file-uploads.ts. Attackers can exploit prompt...
dotnet: .NET: Local file tampering via link following vulnerability
A flaw was found in .NET's System.Formats.Tar library. When extracting a specially crafted TAR archive containing symbolic links, the TarFile.ExtractToDirectory method may incorrectly follow those links and write files outside the intended extraction directory. An attacker could exploit this issu...
CVE-2026-8095
CVE-2026-8095 — The Frontend File Manager Plugin for WordPress (up to version 23.6) is vulnerable to Authenticated Arbitrary File Deletion. A case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler allows an attacker to overwrite the stored file...
EulerOS 2.0 SP15 : kata-containers (EulerOS-SA-2026-2484)
"According to the versions of the kata-containers package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input...
CVE-2026-53576 Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API @Filter"/api/v1/" treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresse...
CVE-2026-53576
Kestra prior to versions 1.0.45 and 1.3.21 contained an authentication filter bypass on the REST API. Requests whose path ends in /configs were treated as the public instance-config endpoint and forwarded without credential checks, allowing anonymous access to resources such as /api/v1/{tenant}/f...
FreeBSD : caddy -- multiple vulnerabilities (94f93681-6775-11f1-8044-002590af0794)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 94f93681-6775-11f1-8044-002590af0794 advisory. Caddy project reports: Caddy 2.11.4 contains multiple security fixes. GitHub Security Advisory...
EulerOS 2.0 SP13 : kata-containers (EulerOS-SA-2026-2292)
"According to the versions of the kata-containers package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input...
PT-2026-47606
Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.30.5 Description An issue exists in the File::prohibitWrappers function where the use of parse url to detect stream wrappers can be bypassed. When an input contains three or more slashes after the scheme e.g....
caddy -- multiple vulnerabilities
Caddy project reports: Caddy 2.11.4 contains multiple security fixes. GitHub Security Advisory GHSA-qrp7-cvwr-j2c6 reports: Windows-encoded backslashes in request paths could bypass path-scoped authorization rules before files are served by fileserver. GitHub Security Advisory GHSA-f59h-q822-g45g...
VulnCheck KEV: CVE-2026-31816
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...
Canonical Multipass 安全漏洞
Canonical Multipass is a virtual instance of Ubuntu developed by Canonical OpenSource. Versions of Canonical Multipass prior to 1.16.3 contained security vulnerabilities. These vulnerabilities stemmed from the validatepath function in the sshfsserver component, which had a path bypass issue. It...
CVE-2026-47274
pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pamusb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM...
CVE-2026-48710 Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a TOCTOU vulnerability in ONNX [GHSA-q56x-g2fj-4rj6]
Summary IBM Watson Speech Services Cartridge is vulnerable to a TOCTOU vulnerability in ONNX, due to multiple issues in the saveexternaldata method which introduce an arbitrary file read/write on any system GHSA-q56x-g2fj-4rj6. ONNX is used in our speech runtimes. This vulnerabilitiy has been...
Security Bulletin: Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack
Summary The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability CVE-2026-5061 is fixed in consul-template 0.42.0. Vulnerability Details CVEID:CVE-2026-5061 DESCRIPTION:...