48 matches found
CVE-2026-20613
The ArchiveReader.extractContents function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using...
CVE-2026-20613
The CVE-2026-20613 issue is in ArchiveReader.extractContents() used by cctl image load and container image load. It does not validate pathnames when extracting archive members, enabling a crafted archive with relative paths to write files to arbitrary user-writable locations on the host. Document...
Container and Containerization archive extraction does not guard against escapes from extraction base directory.
The ArchiveReader.extractContents function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using...
PT-2026-4315
Name of the Vulnerable Software and Affected Versions: container versions prior to 0.8.0; containerization versions prior to 0.21.0. Description: The ArchiveReader.extractContents function, utilized by cctl image load and container image load, lacks proper pathname validation during archive extractio...
MiracleLinux 7 : keepalived-1.3.5-16.el7 (AXSA:2019-4318:03)
The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2019-4318:03 advisory. keepalived: Improper pathname validation allows for overwrite of arbitrary filenames via symlinks (CVE-2018-19044). Tenable has extracted the preceding...
EUVD-2025-15175
Malicious code in bioql PyPI...
CVE-2024-41704
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images...
CVE-2021-38573
An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows writing to arbitrary files because a CombineFiles pathname is not validated...
CVE-2025-48050
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script...
CVE-2022-35949 `undici.request` vulnerable to SSRF using absolute URL on `pathname`
undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 ... js const undici =...
GHSA-W8R2-5J8X-X8J6 Improper Limitation of a Pathname to a Restricted Directory in WildFly
WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability...
CVE-2021-38572
CVE-2021-38572 affects Foxit Reader and Foxit PhantomPDF prior to 10.1.4, where the extractPages pathname is not validated, allowing an attacker to write to arbitrary files. The connected documents confirm the affected products and the root cause (unvalidated extractPages pathname). No exploitati...
CVE-2021-38573
Foxit Reader and Foxit PhantomPDF are affected by CVE-2021-38573. The vulnerability arises from not validating the CombineFiles pathname, enabling arbitrary file writes via this component/file handling; affected product versions are prior to 10.1.4. The issue is described across multiple sources ...
CVE-2020-9106
HUAWEI P30 Pro versions earlier than 10.1.0.160C00E160R2P8 have a path traversal vulnerability. The system does not sufficiently validate certain pathnames; a successful exploit could allow the attacker to access files and cause information disclosure...
CVE-2020-9252
HUAWEI Mate 20 versions earlier than 10.1.0.160C00E160R3P8, HUAWEI Mate 20 X versions earlier than 10.1.0.135C00E135R2P8, HUAWEI Mate 20 RS versions earlier than 10.1.0.160C786E160R3P8, and Honor Magic2 smartphones versions earlier than 10.1.0.160C00E160R2P11 have a path traversal vulnerability...
The vulnerability of the SMB server’s configuration file smb.conf, which is part of the Samba networking software package, allows a hacker to gain unauthorized access to protected information.
The vulnerability of the SMB server’s configuration file smb.conf in the Samba networking software package is related to deficiencies in pathname validation for restricted access directories. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized...
keepalived security update
CentOS Errata and Security Advisory CESA-2019:2285. An update for keepalived is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severi...
keepalived security and bug fix update
1.3.5-16 - Rework previous miscscript/vrrpscript patch 1667292 1.3.5-15 - Rework previous checker comparison patch 1715308 1.3.5-14 - Make checker variables non global 1715308 1.3.5-13 - Fix comparison of checkers on reload 1715308 1.3.5-12 - Fix build errors 1678480 1.3.5-11 - Fix problems with...