Lucene search
K

241 matches found

OSV
OSV
added 2026/06/30 11:50 p.m.5 views

BIT-RCLONE-2026-49980 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

9.8CVSS5.9AI score0.00701EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/29 10:4 a.m.8 views

CVE-2026-25707

A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation...

8.8CVSS5.8AI score0.006EPSS
Exploits0References3
NVD
NVD
added 2026/06/28 10:16 p.m.7 views

CVE-2026-13509

A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.uploadfile/FileHandler.removefile of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely...

6.5CVSS0.00294EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/06/28 10:0 p.m.31 views

CVE-2026-13509 RAGapp Knowledge File files.py FileHandler.remove_file path traversal

A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.uploadfile/FileHandler.removefile of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely...

6.5CVSS0.00294EPSS
Exploits0References7
CVE
CVE
added 2026/06/28 10:0 p.m.16 views

CVE-2026-13509

RAGapp up to 0.1.5 is affected. The vulnerability lies in FileHandler.upload_file and FileHandler.remove_file (src/ragapp/backend/controllers/files.py), enabling path traversal. Exploitation can be performed remotely, and public proof-of-concept/exploitation has been disclosed. A fix via a pull r...

6.5CVSS6.1AI score0.00294EPSS
Exploits0References7
NVD
NVD
added 2026/06/24 7:17 p.m.10 views

CVE-2026-49980

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

9.8CVSS0.00701EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added 2026/06/24 5:52 p.m.5 views

CVE-2026-49980

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

9.8CVSS5.9AI score0.00701EPSS
Exploits0References4
OSV
OSV
added 2026/06/16 11:39 p.m.6 views

GHSA-QW24-GH76-8RVV Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix

Summary rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: text /remote:path/object The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during...

9.8CVSS6.1AI score0.00701EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:40 p.m.10 views

CVE-2026-7149

A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. This vulnerability affects the function preparekaggledataset of the file src/kagglemcp/server.py. The manipulation of the argument competitionid leads to path traversal. The attack is possible t...

7.5CVSS6.5AI score0.00411EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:39 p.m.12 views

CVE-2026-7400

A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function ispathallowed of the file server.py of the component readfiletool/writefiletool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has be...

7.5CVSS6.7AI score0.0043EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:39 p.m.15 views

CVE-2026-7404

A weakness has been identified in getsimpletool mcpo-simple-server up to 0.2.0. Affected is the function deletesharedprompt of the file src/mcposimpleserver/services/promptmanager/basemanager.py. This manipulation of the argument detail causes relative path traversal. It is possible to initiate t...

7.5CVSS6.8AI score0.00512EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:39 p.m.22 views

CVE-2026-7386

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mailmcpserver.py. Executing a manipulation of the argument messageids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

7.5CVSS6.8AI score0.00429EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.10 views

CVE-2026-5849

A vulnerability was determined in Tenda i12 1.0.0.113862. The impacted element is an unknown function of the component HTTP Handler. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized...

9.8CVSS6.9AI score0.00632EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.11 views

CVE-2026-5962

A vulnerability was detected in Tenda CH22 1.0.0.6468. This issue affects the function R7WebsSecurityHandlerfunction of the component httpd. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used...

9.8CVSS7AI score0.00537EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/01 1:45 a.m.12 views

EUVD-2026-33534

A security flaw has been discovered in AstrBotDevs AstrBot 4.23.6. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. The attack can be initiated remotely. The exploit has...

5.5CVSS5.7AI score0.00372EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/27 2:43 p.m.13 views

EUVD-2026-32535

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an...

8.2CVSS5.8AI score0.00198EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 1:30 p.m.9 views

CVE-2026-9550

A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal...

7.5CVSS6.8AI score0.00519EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 8:20 p.m.13 views

Snappy : SSRF and local file read via the xsl-style-sheet option

Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: php $stylesheet = $GET'stylesheet'; // = ‘file:///etc/passwd’ $pdf = new...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/21 8:20 p.m.13 views

GHSA-C5FP-P67M-GQ56 Snappy : SSRF and local file read via the xsl-style-sheet option

Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: php $stylesheet = $GET'stylesheet'; // = ‘file:///etc/passwd’ $pdf = new...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References4
NVD
NVD
added 2026/05/17 1:16 p.m.31 views

CVE-2026-8756

A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The impacted element is the function generateconfig of the file webuipreprocess.py of the component Gradio Interface. Such manipulation of the argument datadir leads to path traversal. The attac...

7.5CVSS0.00512EPSS
Exploits0References4
Rows per page
Query Builder