
11 matches found

Cvelist
added last week, 16 views

CVE-2026-31978 motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint

motionEye mEye is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/id/preview/filename. Neither the API handlers, nor the...

CVSS 6.5 | EPSS 0.00418
Exploits: 0 | References: 2
CVE
added last week, 10 views

CVE-2026-31978

Summary: CVE-2026-31978 affects motionEye (pre-0.44.0). A path traversal flaw in the picture/movie preview endpoints (/picture/{id}/preview/{filename}) allows an authenticated, non-admin user to read arbitrary files on the host filesystem via the get_media_preview() path, since it doesn’t check f...

CVSS 6.5 | AI score 5.9 | EPSS 0.00418
Exploits: 0 | References: 2
Github Security Blog
added 2026/06/23 6:32 p.m., 9 views

motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read

Summary mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...

CVSS 8.7 | AI score 6 | EPSS 0.00623
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2026/06/23 6:32 p.m., 2 views

GHSA-RW9Q-97R9-8GVH motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read

Summary mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...

CVSS 8.7 | AI score 6 | EPSS 0.00623
Exploits: 1 | References: 2
Github Security Blog
added 2026/06/22 5:10 p.m., 5 views

motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint

Summary motionEye v0.43.1 latest stable is vulnerable to path traversal in the picture and movie API endpoints, like /picture/id/preview/filename. Neither the API handlers, nor the mediafiles.py functions like getmediapreview check for .. sequences in the filename parameter, except getmediaconten...

CVSS 6.5 | AI score 5.9 | EPSS 0.00418
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/06/22 12:00 a.m., 17 views

PT-2026-51430

Name of the Vulnerable Software and Affected Versions motionEye version 0.43.1 Description An absolute path traversal issue exists in the picture and movie API endpoints, such as '/picture/id/preview/filename'. The vulnerability occurs because the API handlers and functions get media preview and...

CVSS 6.5 | AI score 6 | EPSS 0.00418
Exploits: 0 | References: 10
NVD
added 2021/05/07 10:15 a.m., 15 views

CVE-2021-30172

Special characters in users’ input on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...

CVSS 5.4 | EPSS 0.00586
Exploits: 0 | References: 1
Prion
added 2021/05/07 10:15 a.m., 14 views

Cross site scripting

Special characters in users’ input on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...

CVSS 3.5 | AI score 5.2 | EPSS 0.00586
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2021/05/07 9:30 a.m., 40 views

CVE-2021-30172

CVE-2021-30172 affects the Jun-He/Quan-Fang-Wei-Tong-Xun system: special characters on the image preview page input are not filtered, enabling a remote authenticated attacker to inject JavaScript via reflected XSS and access/manipulate customer information. Connected sources confirm the XSS vecto...

CVSS 5.4 | AI score 4.7 | EPSS 0.00586
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2021/05/07 9:30 a.m., 20 views

CVE-2021-30172 Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS

Special characters in users’ input on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...

CVSS 4.6 | AI score 5.4 | EPSS 0.00586
Exploits: 0 | References: 1
myhack58
added 2014/12/10 12:00 a.m., 16 views

Arbitrary file download vulnerability in the latest version of U-Mail - vulnerability warning - the black bar safety net

The problem is in the picture preview feature. Code area: http://192.168.1.24/webmail/client/mail/index.php?module=operate&action=attach-img-preview&durl=1.gif&type=application/octet-stream The key code is as follows: code area if ACTION == "attach-img-preview" $downloadurl =...

AI score 1.9
Exploits: 0