56 matches found
EUVD-2026-24981
rm: --preserve-root bypassed via a symlink to / string check instead of dev/inode...
EUVD-2026-24963
chmod: --preserve-root bypassed by any path that resolves to root e.g. /../...
CVE-2026-53422 SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
Observable Response Discrepancy vulnerability in Erlang OTP ssh sshsftpd module allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSHFXPREALPATH handler in sshsftpd calls relatefilename/3 with Canonicalize=false, unlik...
DEBIAN-CVE-2026-46680
containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an...
UBUNTU-CVE-2026-46680
containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an...
CVE-2026-49738
The path allowance check in GeneralUtility::isAllowedAbsPath performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator...
GHSA-P462-PRXW-MJX4 NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker)
Summary The Binary Stream Capture BSC component exposes an unauthenticated HTTP API for dynamically creating packet capture “handlers.” Because the code blindly trusts path‑related form fields, a remote client can: - Bypass the configured log root and direct BSC to log to arbitrary filesystem...
PT-2026-47089
Name of the Vulnerable Software and Affected Versions AIT-Core versions prior to 3.1.1 AIT-Core versions 2.x prior to 2.6.1 Description The Binary Stream Capture BSC component features an unauthenticated HTTP API for creating packet capture handlers. The system blindly trusts path-related form...
Access of Resource Using Incompatible Type ('Type Confusion')
Overview Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via improper handling of numeric User directives in container configuration. An attacker can gain elevated privileges by supplying a crafted image with an /etc/passwd file that...
Algernon: handler.lua discovery walks parent directories above the server root
Summary When Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancest...
GHSA-XWCR-WM99-G9JC Algernon: handler.lua discovery walks parent directories above the server root
Summary When Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancest...
CVE-2026-43998 vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape
vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not...
CVE-2026-43998 vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape
vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not...
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
Summary NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not dereference symlinks but module loading uses Node's...
GHSA-CP6G-6699-WX9C vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
Summary NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not dereference symlinks but module loading uses Node's...
CVE-2026-35338
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbol...
CVE-2026-35349
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a...
Duplicate Advisory: uutils coreutils has a Link Following Issue Via rm Utility
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7cr3-h577-g38j. This link is maintained to preserve external references. Original Description A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The...
GHSA-V762-X3CF-5MFG Duplicate Advisory: uutils coreutils has a Link Following Issue Via rm Utility
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7cr3-h577-g38j. This link is maintained to preserve external references. Original Description A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The...
GHSA-9GQX-53GP-C8G3 Duplicate Advisory: uutils coreutils allows users to bypass the --preserve-root safety mechanism
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4c7q-4928-8445. This link is maintained to preserve external references. Original Description A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism...