CVE-2026-10044

Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/filename endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal...

SUSE CVE-2025-22240

Arbitrary directory creation or file deletion. In the findfile method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgtenv” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to...

PT-2026-43298

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...

CVE-2026-5627

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...

EUVD-2026-16945

A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used...

CVE-2026-5014

The CVE-2026-5014 affects elecV2 elecV2P up to version 3.8.3, targeting the path.join operation in the /log/ component of the Wildcard Handler. The issue enables path traversal and can be exploited remotely. Public exploit exists; the project was informed via issue reports but has not responded. ...

CVE-2026-5014 elecV2 elecV2P Wildcard log path.join path traversal

A vulnerability was found in elecV2 elecV2P up to 3.8.3. The affected element is the function path.join of the file /log/ of the component Wildcard Handler. The manipulation results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The...

CVE-2026-5014 elecV2 elecV2P Wildcard log path.join path traversal

A vulnerability was found in elecV2 elecV2P up to 3.8.3. The affected element is the function path.join of the file /log/ of the component Wildcard Handler. The manipulation results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The...

CVE-2026-5013 elecV2 elecV2P :key path.join path traversal

A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used...

CVE-2026-5013

CVE-2026-5013 affects elecV2 elecV2P up to version 3.8.3. The vulnerability is a path traversal in the path.join usage of the /store/:key file, triggered by manipulating the URL argument. It is a remote vulnerability with publicly disclosed exploit information. The reports indicate the project wa...

PT-2026-28727

Name of the Vulnerable Software and Affected Versions elecV2 versions up to 3.8.3 Description A flaw exists in the function path.join within the file /store/:key. Manipulation of the URL argument can lead to path traversal, allowing for remote exploitation. The exploit has been publicly disclosed...

GHSA-HHGJ-GG9H-RJP7 Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal

Summary The Siyuan kernel exposes an unauthenticated file-serving endpoint under /appearance/filepath. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint,...

Exploit for Path Traversal in Python Setuptools

CVE-2025-47273: Path Traversal in setuptools.packageindex...

TinaCMS 路径遍历漏洞

TinaCMS is an open-source headless CMS developed by Tina for Markdown, MDX, and JSON formats. Versions of TinaCMS prior to 2.1.2 contained a path traversal vulnerability. This vulnerability stemmed from the use of path.join to combine paths without verifying that the resolved path remained within...

Linux Distros Unpatched Vulnerability : CVE-2025-23084

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not...

CVE-2026-24131

CVE-2026-24131 concerns pnpm, a package manager. Before version 10.28.2, processing a package’s directories.bin field could join a path without ensuring it stayed under the package root, enabling a crafted package to escape the package and chmod files at arbitrary locations on Unix-like systems. ...

📄 NodeJS 24.x Path Traversal

NodeJS version 24.x precise windows path traversal proof of concept exploit that leverages reserved device names. ============================================================================================================================================= | Title : NodeJS 24.x Precise Windows Pat...

Security Bulletin: Improper Drive Name Handling in Node.js path.join on Windows, affect watsonx.data

Summary A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root...

CVE-2025-57403

Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL or a portion of it directly with a base path using os.path.join. This bypass allows directory traversal or absolute path injection, leading to th...

CVE-2025-57403

Cola Dnslog v1.3.2 is affected by a Directory Traversal vulnerability in the DNS TXT query handling. The root cause is the application concatenating the requested URL (or a portion) with a base path via os.path.join, allowing directory traversal or absolute path injection and potentially exposing...