
ATTACKERKB
added 2026/01/28 12:28 p.m., 8 views

CVE-2026-1056

The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generateuserdirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

CVSS 9.8, AI score 6.5, EPSS 0.12713
Exploits 1, References 6
Positive Technologies
added 2026/01/28 12:00 a.m., 8 views

PT-2026-5121

Name of the Vulnerable Software and Affected Versions Snow Monkey Forms versions up to and including 12.0.3 Description The Snow Monkey Forms plugin for WordPress is susceptible to arbitrary file deletion. Insufficient file path validation within the generate user dirpath function allows...

CVSS 9.8, AI score 6.2, EPSS 0.12713
Exploits 1, References 12
Positive Technologies
added 2026/01/28 12:00 a.m., 4 views

PT-2026-5235

Name of the Vulnerable Software and Affected Versions Erugo versions up to and including 0.2.14 Description Erugo is a self-hosted file-sharing platform. An authenticated, low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user-supplied path...

CVSS 10, AI score 6.7, EPSS 0.03008
Exploits 3, References 15
CNNVD
added 2026/01/28 12:00 a.m., 6 views

Erugo code issues and vulnerabilities

Erugo is an open-source file sharing platform developed by Erugo. Versions of Erugo 0.2.14 and earlier have code vulnerabilities. These vulnerabilities stem from insufficient path validation when creating shares. This allows low-privilege users to upload arbitrary files to designated locations,...

CVSS 10, AI score 6.3, EPSS 0.03008
Exploits 3, References 4
Oracle Linux
added 2026/01/28 12:00 a.m., 9 views

mariadb security update

1:5.5.68-1.0.1 - Fixes CVE-2025-13699, remote code execution via improper path validation Orabug: 38829265 - Fixes failing SSL and timezone tests...

CVSS 7, AI score 6.5, EPSS 0.00398
Exploits 0
Tenable Nessus
added 2026/01/28 12:00 a.m., 4 views

Oracle Linux 7 : mariadb (ELSA-2026-0367)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-0367 advisory. - Fixes CVE-2025-13699, remote code execution via improper path validation Orabug: 38829265 Tenable has extracted the preceding description block directly from...

CVSS 7, AI score 7.6, EPSS 0.00398
Exploits 0, References 2
NVD
added 2026/01/27 8:16 p.m., 3 views

CVE-2026-24473

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment...

CVSS 6.3, EPSS 0.00419
Exploits 0, References 3
EUVD
added 2026/01/27 7:37 p.m., 4 views

EUVD-2026-4751

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment...

CVSS 6.3, AI score 5.9, EPSS 0.00419
Exploits 0, References 3
Vulnrichment
added 2026/01/27 7:37 p.m., 3 views

CVE-2026-24473 Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment...

CVSS 6.3, AI score 5.9, EPSS 0.00419
Exploits 0, References 3
GitHub Security Blog
added 2026/01/27 7:09 p.m., 6 views

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Summary Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys...

CVSS 6.3, AI score 6.1, EPSS 0.00419
Exploits 0, References 5, Affected Software 1
RedhatCVE
added 2026/01/27 3:23 p.m., 5 views

CVE-2026-20613

The ArchiveReader.extractContents function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using...

CVSS 7.8, AI score 5.9, EPSS 0.00244
Exploits 1, References 1
Positive Technologies
added 2026/01/27 12:00 a.m., 4 views

PT-2026-5013

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.11.7 Description The Serve static Middleware for the Cloudflare Workers adapter in Hono does not properly validate user-controlled paths, potentially allowing attackers to read arbitrary keys from the Workers...

CVSS 6.3, AI score 6, EPSS 0.00419
Exploits 0, References 11
CNNVD
added 2026/01/26 12:00 a.m., 4 views

pnpm security vulnerabilities

PNPM is a package manager developed by the open-source project Pnpm. Versions of Pnpm prior to 10.28.2 had security vulnerabilities. These vulnerabilities stemmed from the lack of path validation when processing the directories.bin field of packages. This allowed malicious npm packages to modify...

CVSS 6.7, AI score 5.9, EPSS 0.00244
Exploits 1, References 3
CNNVD
added 2026/01/24 12:00 a.m., 3 views

WordPress Plugin Administrative Shortcodes Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

CVSS 7.5, AI score 5.8, EPSS 0.00678
Exploits 0, References 5
OSV
added 2026/01/23 12:15 a.m., 1 view

UBUNTU-CVE-2026-24137

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8, AI score 6.8, EPSS 0.0037
Exploits 0, References 5
ATTACKERKB
added 2026/01/22 11:58 p.m., 3 views

CVE-2026-20613

The ArchiveReader.extractContents function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using...

CVSS 7.8, AI score 5.4, EPSS 0.00244
Exploits 1, References 2
GithubExploit
added 2026/01/22 5:55 p.m., 148 views

Exploit for CVE-2026-22444

CVE-2026-22444 Apache Solr UNC Path Validation Vulnerability...

CVSS 7.1, AI score 5.7, EPSS 0.00654
Exploits 1
OSV
added 2026/01/21 10:45 p.m., 5 views

CVE-2026-24047 @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is...

CVSS 6.3, AI score 5.7, EPSS 0.0043
Exploits 0, References 4
EUVD
added 2026/01/21 1:01 a.m., 3 views

EUVD-2026-3291

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality...

CVSS 8.3, AI score 5.3, EPSS 0.00436
Exploits 1, References 5
GitHub Security Blog
added 2026/01/21 1:01 a.m., 8 views

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality

Summary The SiYuan Note application v3.5.3 contains a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation Details The...

CVSS 8.3, AI score 5.9, EPSS 0.00436
Exploits 1, References 6, Affected Software 1