
13 matches found

NVD
added 2026/05/25 7:16 a.m. · 5 views

CVE-2026-41863

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0...

CVSS 6.5 · EPSS 0.0005
Exploits 0 · References 1

ATTACKERKB
added 2026/05/25 5:45 a.m. · 5 views

CVE-2026-41863

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0...

CVSS 6.5 · AI score 5.8 · EPSS 0.0005
Exploits 0 · References 2 · Affected Software 1

Cvelist
added 2026/05/25 5:45 a.m. · 32 views

CVE-2026-41863 LLM-influenced filename used unsanitized in Path.resolve before file write in Spring AI support for Anthropic Skills API

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0...

CVSS 6.5 · EPSS 0.0005
Exploits 0 · References 1

CVE
added 2026/05/25 5:45 a.m. · 11 views

CVE-2026-41863

Technical details about the vulnerability (affected component specifics, root cause, exploit scenarios, and remediation) are not provided in the supplied documents. Monitor for updates from Spring.io security advisories.

CVSS 6.5 · AI score 5.8 · EPSS 0.0005
Exploits 0 · References 1 · Affected Software 1

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2021-0563

Malware in sbrugna...

CVSS 9.6 · AI score 9.2 · EPSS 0.01004
Exploits 1 · References 8

RedHat Linux
added 2024/12/11 4:20 p.m. · 43 views

Moderate: Red Hat Security Advisory: php:7.4 security update

An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 9.8 · AI score 7.1 · EPSS 0.29385
Exploits 13 · References 13

RedHat Linux
added 2024/04/08 9:13 a.m. · 0 views

nodejs: path traversal by monkey-patching buffer internals

A flaw was found in Node.js. The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a buffer, the implementation uses Buffer.from to obtain a buffer from the result of path.resolve. By...

CVSS 9.8 · AI score 7.3 · EPSS 0.01642
Exploits 0 · References 4

OSV
added 2024/02/20 2:15 a.m. · 0 views

UBUNTU-CVE-2024-21896

The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from to obtain a Buffer from the result of path.resolve. By monkey-patching Buffer internals, namely...

CVSS 9.8 · AI score 6.9 · EPSS 0.01642
Exploits 0 · References 5

Positive Technologies
added 2023/11/22 12:0 a.m. · 1 view

PT-2023-8865 · Unknown +1 · Minizip-Ng +1

Name of the Vulnerable Software and Affected Versions: minizip-ng version 4.0.2. Description: The issue is related to a buffer overflow in the mz_path_resolve function, located in the mz_os.c file, which can be exploited by an attacker using a crafted file. This could allow a remote attacker to...

CVSS 10 · AI score 8.8 · EPSS 0.00157
Exploits 2 · References 6

Microsoft CVE
added 2023/02/20 8:0 a.m. · 3 views

Array overrun in common path resolve code

...

CVSS 8.1 · AI score 6.7 · EPSS 0.00436
Exploits 1

RedhatCVE
added 2021/12/16 4:50 p.m. · 34 views

CVE-2021-37713

A flaw was found in the npm package "tar" aka node-tar. On Windows systems, when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, the result of path.resolve(extractionDirectory, entryPath) would resolve...

CVSS 8.6 · AI score 3.6 · EPSS 0.00316
Exploits 0 · References 3

OSV
added 2021/02/10 6:11 p.m. · 12 views

GHSA-PMW4-JGXX-PCQ9 File System Bounds Escape

Impact: Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR. Background: When Windows separators exist within the path, path.resolve leaves the upper pointers intact and allows...

CVSS 9.6 · AI score 9.3 · EPSS 0.01004
Exploits 1 · References 7

Cvelist
added 2021/02/10 6:10 p.m. · 9 views

CVE-2020-26299 File System Bounds Escape

ftp-srv is an open-source FTP server designed to be simple yet configurable. In ftp-srv before version 4.4.0 there is a path-traversal vulnerability. Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands,...

CVSS 6.3 · AI score 9.3 · EPSS 0.01004
Exploits 1 · References 6