
111 matches found

RedhatCVE
added 2026/06/05 7:26 p.m., 7 views

CVE-2026-39844

NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...

CVSS 7.5 | AI score 5.6 | EPSS 0.00371
Exploits: 0 | References: 1
CloudLinux
added 2026/05/28 2:29 p.m., 8 views

samba: Fix of 2 CVEs

- CVE-2019-3880: Refuse winreg SaveKey/RestoreKey RPCs to prevent writing registry hive files outside intended share boundaries via symlink races
- CVE-2019-10218: Reject server-supplied filenames containing path separators in SMB1 directory listings to protect libsmbclient consumers from path...

CVSS 6.5 | AI score 5.8 | EPSS 0.03515
Exploits: 0
SUSE CVE
added 2026/05/08 2:27 a.m., 5 views

SUSE CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

CVSS 7.5 | AI score 5.8 | EPSS 0.00397
Exploits: 0 | References: 3
OSV
added 2026/05/04 8:16 p.m., 4 views

UBUNTU-CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

CVSS 7.5 | AI score 5.8 | EPSS 0.00397
Exploits: 0 | References: 3
Github Security Blog
added 2026/04/16 10:34 p.m., 4 views

@fastify/static vulnerable to route guard bypass via encoded path separators

Impact: @fastify/static v9.1.0 and earlier decodes percent-encoded path separators %2F before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/ do not match /admin%2Fsecret.html, but @fastify/static decodes it to...

CVSS 5.9 | AI score 5.8 | EPSS 0.00398
Exploits: 0 | References: 6 | Affected Software: 1
Vulnrichment
added 2026/04/16 1:9 p.m., 2 views

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 | AI score 5.8 | EPSS 0.00398
Exploits: 0 | References: 4
ATTACKERKB
added 2026/04/16 1:9 p.m., 7 views

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 | AI score 5.8 | EPSS 0.00398
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2026/04/16 1:9 p.m., 30 views

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 | EPSS 0.00398
Exploits: 0 | References: 4
CNNVD
added 2026/04/16 12:0 a.m., 9 views

Fastify-Static security vulnerability

Fastify-Static is an open-source plugin developed by Fastify. It is used to deliver static files as quickly as possible. Versions of Fastify-Static from 8.0.0 to 9.1.0 contain security vulnerabilities. These vulnerabilities stem from decoding percent-encoded path separators, which may allow...

CVSS 5.9 | AI score 5.8 | EPSS 0.00398
Exploits: 0 | References: 2
SUSE Linux
added 2026/02/27 3:14 p.m., 5 views

Security update for gpg2

This update for gpg2 fixes the following issues: Security fix: Fixed GnuPG accepting Path Separators and Path Traversals in Literal Data (bsc#1256389). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively...

AI score 5.9
Exploits: 0 | References: 2
OSV
added 2026/02/27 3:14 p.m., 3 views

SUSE-SU-2026:0694-1 Security update for gpg2

This update for gpg2 fixes the following issues: Security fix: Fixed GnuPG accepting Path Separators and Path Traversals in Literal Data (bsc#1256389)...

AI score 5.8
Exploits: 0 | References: 2
Tenable Nessus
added 2026/02/05 12:0 a.m., 5 views

SUSE SLES12 Security Update : gpg2 (SUSE-SU-2026:0378-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0378-1 advisory. - CVE-2025-68973: Fixed possible memory corruption in the armor parser (T7906, bsc#1255715) - Fixed GnuPG Accepting Path Separators and Path Traversals in...

CVSS 7.8 | AI score 5.6 | EPSS 0.00129
Exploits: 1 | References: 7
RedhatCVE
added 2026/01/09 11:26 a.m., 11 views

CVE-2021-33896

Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal only for creation of new files via URI-encoded path separators...

CVSS 5.3 | AI score 6.8 | EPSS 0.01766
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2022-52463

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.3 | EPSS 0.01618
Exploits: 0 | References: 35
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2022-52461

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.3 | EPSS 0.01618
Exploits: 0 | References: 34
NVD
added 2025/10/01 5:15 p.m., 6 views

CVE-2025-11233

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target x86_64-pc-cygwin didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could...

CVSS 6.3 | EPSS 0.00471
Exploits: 0 | References: 2
CVE
added 2025/10/01 4:49 p.m., 28 views

CVE-2025-11233

CVE-2025-11233 affects Rust when using the tier 3 Cygwin target (x86_64-pc-cygwin) with Rust 1.87.0 up to 1.88.x. The standard library Path API failed to handle backslash-separated components on Cygwin, potentially enabling path traversal or unsafe filesystem operations. Rust 1.89.0 fixes the iss...

CVSS 6.3 | AI score 6.5 | EPSS 0.00471
Exploits: 0 | References: 2
CNNVD
added 2025/10/01 12:0 a.m., 6 views

Rust security vulnerability

Rust is a general-purpose, compiled programming language from the Mozilla Foundation. A security vulnerability exists in Rust version 1.87.0 through versions prior to 1.89.0, which stems from improper handling of path separators and could lead to a path traversal attack or malicious file system...

CVSS 6.3 | AI score 6.3 | EPSS 0.00471
Exploits: 0 | References: 2
OSV
added 2025/05/21 2:33 p.m., 5 views

USN-7525-1 Tomcat vulnerability

It was discovered that Apache Tomcat incorrectly implemented partial PUT functionality by replacing path separators with dots in temporary files. A remote attacker could possibly use this issue to access sensitive files, inject malicious content, or execute remote code...

CVSS 10 | AI score 7 | EPSS 0.99945
Exploits: 46 | References: 2
Positive Technologies
added 2024/12/18 12:0 a.m., 3 views

PT-2024-36790

Name of the Vulnerable Software and Affected Versions: pyrage versions 1.2.0 through 1.2.2. Description: The issue concerns the execution of arbitrary binaries due to malicious plugin names, recipients, or identities. This can occur when a plugin name containing a path separator is provided to the a...

CVSS 9.8 | AI score 6 | EPSS 0.00472
Exploits: 0 | References: 28