Lucene search
K

25 matches found

RedHat Linux
RedHat Linux
added 2026/06/16 2:45 p.m.6 views

rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot.

A flaw was found in rsync. An rsync daemon configured with "use chroot = no" is exposed to a time-of-check / time-of-use race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open...

7.8CVSS5.3AI score0.00152EPSS
Exploits0References4
NVD
NVD
added 2026/06/10 3:16 p.m.12 views

CVE-2026-45561

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://serverip:agentport/...'. The path component is...

6.5CVSS0.00218EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/02 4:1 p.m.11 views

CVE-2026-44593

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7CVSS5.9AI score0.00362EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 4:16 p.m.18 views

CVE-2026-44593

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7CVSS0.00362EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.7 views

uutils coreutils 安全漏洞

uutils coreutils is a cross-platform core command-line toolset developed by Uutils Open Source. uutils coreutils has a security vulnerability, which stems from a race condition in split. This condition may allow local attackers to manipulate variable path components, causing split to truncate and...

6.3CVSS5.8AI score0.00074EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/01/06 12:0 a.m.2 views

Linux Distros Unpatched Vulnerability : CVE-2025-69226

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of...

6.3CVSS7.2AI score0.00313EPSS
Exploits0References3
NVD
NVD
added 2026/01/05 11:15 p.m.5 views

CVE-2025-69226

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...

6.3CVSS0.00313EPSS
Exploits0References2
OSV
OSV
added 2026/01/05 11:15 p.m.2 views

UBUNTU-CVE-2025-69226

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...

6.3CVSS6.2AI score0.00313EPSS
Exploits0References5
EUVD
EUVD
added 2026/01/05 11:9 p.m.2 views

EUVD-2026-1046

AIOHTTP vulnerable to brute-force leak of internal static file path components...

6.3CVSS6AI score0.00313EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/05 10:52 p.m.25 views

CVE-2025-69226 AIOHTTP allows for a brute-force leak of internal static filepath components

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...

6.3CVSS0.00313EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/01/05 10:52 p.m.1 views

CVE-2025-69226 AIOHTTP allows for a brute-force leak of internal static filepath components

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...

6.3CVSS6.2AI score0.00313EPSS
Exploits0References2
Hacker One
Hacker One
added 2025/11/10 7:43 p.m.24 views

curl: libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)

ftpparseurlpath in lib/ftp.c URL-decodes FTP path segments e.g. %2e%2e and then splits the decoded path into components using an ad-hoc loop that skips empty components produced by //. The code does not perform canonical path normalization no stack-based handling of . or ... As a result, encoded...

7.3AI score
Exploits0
EUVD
EUVD
added 2025/10/07 12:30 a.m.2 views

EUVD-2021-2112

Malware in sbrugna...

8.6CVSS7.6AI score0.01902EPSS
Exploits1References12
Github Security Blog
Github Security Blog
added 2025/08/21 9:30 a.m.8 views

Mattermost Fails to Sanitize Path Traversal Sequences

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file...

6.8CVSS7AI score0.0038EPSS
Exploits0References4Affected Software4
Vulnrichment
Vulnrichment
added 2024/10/21 12:14 p.m.12 views

CVE-2024-47742 firmware_loader: Block path traversal

In the Linux kernel, the following vulnerability has been resolved: firmwareloader: Block path traversal Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple...

6.8AI score0.00286EPSS
Exploits0References9
SUSE CVE
SUSE CVE
added 2023/02/15 4:30 a.m.3 views

SUSE CVE-2018-6954

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. Th...

7.1CVSS6.7AI score0.00532EPSS
Exploits1References31
RedHat Linux
RedHat Linux
added 2023/01/17 7:29 p.m.3 views

golang: net/url: JoinPath does not strip relative path components in all circumstances

A flaw was found in the golang package. The JoinPath doesn't remove the ../ path components appended to a domain that is not terminated by a slash, possibly leading to a directory traversal attack...

7.5CVSS7.3AI score0.01676EPSS
Exploits0References6
Cvelist
Cvelist
added 2022/09/13 5:8 p.m.28 views

CVE-2022-32190 Failure to strip relative path components in net/url

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath"https://go.dev", "../go" returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result...

7.7AI score0.01676EPSS
Exploits0References4
OSV
OSV
added 2021/09/01 6:37 p.m.1 views

GHSA-V39P-96QG-C8RF Prototype Pollution in object-path

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is 'proto'. This is because t...

5.6CVSS7.1AI score0.01902EPSS
Exploits1References8
OSV
OSV
added 2020/12/02 5:15 p.m.2 views

DEBIAN-CVE-2020-25265

AppImage libappimage before 1.0.3 allows attackers to trigger an overwrite of a system-installed .desktop file by providing a .desktop file that contains Name= with path components...

6.5CVSS6AI score0.01919EPSS
Exploits1References1
Rows per page
Query Builder