2110 matches found

ATTACKERKB
added 2026/03/25 12:31 a.m., 1 view

CVE-2026-28816

A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to delete files for which it does not have permission...

5.8 AI score, 0.0022 EPSS
Exploits: 0, References: 4
CVE
added 2026/03/25 12:31 a.m., 9 views

CVE-2026-28827

The CVE-2026-28827 entry describes a parsing issue in the handling of directory paths that could allow an app to break out of its sandbox. Concrete details indicate remediation via macOS updates: Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4 include the fix for improved path validation. The relat...

9.3 CVSS, 5.8 AI score, 0.00278 EPSS
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2026/03/25 12:31 a.m., 18 views

CVE-2026-28827

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox...

0.00278 EPSS
Exploits: 0, References: 3
EUVD
added 2026/03/25 12:31 a.m., 4 views

EUVD-2026-15097

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox...

5.8 AI score, 0.00278 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/25 12:31 a.m., 1 view

CVE-2026-28827

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox...

5.8 AI score, 0.00278 EPSS
Exploits: 0, References: 4
Vulnrichment
added 2026/03/25 12:31 a.m., 1 view

CVE-2026-28827

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox...

5.8 AI score, 0.00278 EPSS
Exploits: 0, References: 3
Positive Technologies
added 2026/03/25 12:0 a.m., 3 views

PT-2026-28149

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-lev...

8.8 CVSS, 6.6 AI score, 0.0078 EPSS
Exploits: 0, References: 4
ATTACKERKB
added 2026/03/25 12:0 a.m., 2 views

CVE-2025-70952

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...

5.8 AI score, 0.00856 EPSS
Exploits: 1, References: 5
OSV
added 2026/03/24 9:27 a.m., 0 views

SUSE-SU-2026:20822-1 Security update for systemd

This update for systemd fixes the following issues: Security issues: - CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method bsc1259650. - CVE-2026-29111: local unprivileged user can trigger an assert in systemd bsc1259418. - udev: check for invalid...

6.7 CVSS, 5.9 AI score, 0.00142 EPSS
Exploits: 0, References: 9
Positive Technologies
added 2026/03/24 12:0 a.m., 2 views

PT-2026-27529

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 26.4. Description: A flaw exists in how the operating system parses directory paths. This could allow an application to access sensitive user data due to insufficient path validation. Recommendations: Update to macOS versi...

5.3 CVSS, 5.8 AI score, 0.00299 EPSS
Exploits: 0, References: 5
Positive Technologies
added 2026/03/24 12:0 a.m., 2 views

PT-2026-27596

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 18.7.7; iPadOS versions prior to 18.7.7; macOS Sequoia version 15.7.5; macOS Sonoma versions prior to 14.8.5; macOS Tahoe version 26.4; visionOS version 26.4. Description: A flaw exists in the way directory paths are processed,...

7.5 CVSS, 5.9 AI score, 0.00468 EPSS
Exploits: 0, References: 11
CNVD
added 2026/03/24 12:0 a.m., 2 views

OpenClaw path traversal vulnerability (CNVD-2026-14857)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an improper path validation vulnerability, which is caused by an incorrect path validation flaw in sandboxed media handling. An attacker can exploit the vulnerability to traverse a directory on a...

8.6 CVSS, 6 AI score, 0.00344 EPSS
Exploits: 0, References: 1
CNVD
added 2026/03/24 12:0 a.m., 1 view

OpenClaw code issue vulnerability (CNVD-2026-14844)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a code issue vulnerability caused by a path validation bypass flaw in the exec approval distribution list pattern on macOS. An attacker can exploit the vulnerability to execute arbitrary commands on th...

7.8 CVSS, 6.2 AI score, 0.00122 EPSS
Exploits: 0, References: 1
Positive Technologies
added 2026/03/24 12:0 a.m., 3 views

PT-2026-27563

Name of the Vulnerable Software and Affected Versions: macOS versions prior to Sequoia 15.7.5; macOS versions prior to Sonoma 14.8.5; macOS versions prior to Tahoe 26.4. Description: A flaw exists in how the operating system parses directory paths, potentially allowing an application to escape its...

9.3 CVSS, 5.8 AI score, 0.00278 EPSS
Exploits: 0, References: 7
Cvelist
added 2026/03/23 9:36 p.m., 21 views

CVE-2026-28483

...

Exploits: 0
CVE
added 2026/03/23 9:36 p.m., 10 views

CVE-2026-28483

OpenClaw before 2026.3.2 is affected by a race condition in ZIP extraction. The vulnerability arises from a gap between path validation and file write operations in src/infra/archive.ts, allowing a local attacker to write files outside the intended extraction root by abusing parent-directory syml...

5.8 AI score
Exploits: 0
CVE
added 2026/03/23 1:58 p.m., 19 views

CVE-2026-33354

CVE-2026-33354 affects WWBN AVideo up to version 26.0, where POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile path. The local path check (isValidURLOrPath) allows broad server directories (e.g., /var/www/, app root, cache, tmp, videos) while rejecting only .php files....

7.6 CVSS, 5.9 AI score, 0.00254 EPSS
Exploits: 1, References: 2, Affected Software: 1
Veracode
added 2026/03/23 8:54 a.m., 6 views

Directory Traversal

Keras is vulnerable to Directory Traversal. The vulnerability is due to unsafe extraction of tar archives in keras.utils.getfile without proper filtering during extraction, which allows an attacker to bypass path validation and write files outside the intended directory...

8 CVSS, 7.3 AI score, 0.0057 EPSS
Exploits: 0, References: 4, Affected Software: 1
Tenable Nessus
added 2026/03/22 12:0 a.m., 3 views

Fedora 43 : scitokens-cpp (2026-52c99ecf64)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-52c99ecf64 advisory. - Fix scope path boundary validation to deny sibling-prefix authorization bypasses - Reject parent-directory traversal in scope paths, including encoded...

5.9 AI score
Exploits: 0, References: 1
ATTACKERKB
added 2026/03/20 10:23 p.m., 11 views

CVE-2026-33186

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

9.1 CVSS, 5.9 AI score, 0.00522 EPSS
Exploits: 1, References: 2, Affected Software: 1