
15 matches found

OSV
added 2 days ago | 1 view

DEBIAN-CVE-2026-5422

A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator, allowing sibling...

6.8 CVSS | 5.8 AI score | 0.00046 EPSS
Exploits: 1 | References: 1
CVE
added 2 days ago | 13 views

CVE-2026-5422

Affected software: jupyter-server 2.17.0. Root cause: path traversal due to an incorrect boundary check in _get_os_path() (uses startswith(root) without trailing separator) and to_os_path() not stripping '..' from path parts. Impact: unauthorized read/write access to files in sibling directories,...

8.1 CVSS | 6.7 AI score | 0.00046 EPSS
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2026/04/08 7:30 p.m. | 7 views

CVE-2026-35525

CVE-2026-35525 affects LiquidJS and involves a root restriction bypass for partial and layout loading via symlinked templates. The issue arises because the code checks the candidate path against allowed partials/layouts directories using a path-based check, not the canonical real filesystem path....

8.2 CVSS | 5.9 AI score | 0.00074 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
Cvelist
added 2026/04/08 7:30 p.m. | 14 views

CVE-2026-35525 LiquidJS has a root restriction bypass for partial and layout loading through symlinked templates

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not...

8.2 CVSS | 0.00074 EPSS
Exploits: 1 | References: 3
NVD
added 2026/03/13 7:54 p.m. | 0 views

CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Erlang OTP ssh_sftpd module allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string...

5.4 CVSS | 0.00038 EPSS
Exploits: 0 | References: 7
Huntr
added 2026/02/25 9:10 a.m. | 2 views

Path Traversal via Incorrect startswith() Root Directory Check in jupyter-server Allows Access to Sibling Directories

This report is not public...

8.1 CVSS | 6.7 AI score | 0.00046 EPSS
Exploits: 1
OSV
added 2026/01/26 9:2 p.m. | 4 views

GHSA-M733-5W8F-5GGW pnpm has symlink traversal in file:/git dependencies

Summary: When pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., /etc/passwd, ~/.ssh/id_rsa) causes pnpm to copy that file's contents...

6.7 CVSS | 6.1 AI score | 0.00014 EPSS
Exploits: 1 | References: 5
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-14509

Malicious code in bioql PyPI...

7.5 CVSS | 6.3 AI score | 0.00593 EPSS
Exploits: 0 | References: 7
OSV
added 2025/06/18 10:15 a.m. | 0 views

UBUNTU-CVE-2025-38059

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree BUG When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace: BUG: kernel NULL pointer dereference, addres...

5.5 CVSS | 6.2 AI score | 0.00065 EPSS
Exploits: 0 | References: 30
Gitee
added 2020/11/01 12:55 p.m. | 1 view

Auto-Root-Exploit

It is an offensive tool for Linux kernel exploitation. The tool, Auto-Root-Exploit, targets various versions of the Linux kernel, specifically those between 2.6 and 2.6.31.5, with the primary focus on exploiting vulnerabilities in these versions. The tool's primary entry point is the autoroot.sh...

8.3 AI score
Exploits: 0
hackapp
added 2017/06/20 6:43 p.m. | 7 views

Wear Root Check - Dangerous filesystem permissions, WebView code execution vulnerabilities

HackApp vulnerability scanner discovered that application Wear Root Check published at the 'play' market has multiple vulnerabilities...

1 AI score
Exploits: 0 | References: 1 | Affected Software: 1
hackapp
added 2016/04/01 9:6 a.m. | 9 views

Check Your Root - Possible privilege escalation, Runtime command execution, Runtime privilege escalation vulnerabilities

HackApp vulnerability scanner discovered that application Check Your Root published at the 'play' market has multiple vulnerabilities...

2.2 AI score
Exploits: 0 | References: 1 | Affected Software: 1
The Hacker News
added 2014/11/28 11:59 p.m. | 15 views

Uber’s Android app is Literally Malware?

The popular ride-sharing service Uber has been hit by various controversies lately, but now things have gone even worse for the company when a security researcher made a worrying discovery this week and claims, "Uber’s app is literally malware." The ride-hailing company is in disputes of handling...

6.5 AI score
Exploits: 0
OSV
added 2014/10/08 5:55 p.m. | 0 views

UBUNTU-CVE-2014-6394

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory...

7.5 CVSS | 5.8 AI score | 0.04842 EPSS
Exploits: 1 | References: 3
Packet Storm
added 2000/09/15 12:0 a.m. | 31 views

MultiHTML.txt

Title: MultiHTML vulnerability. Description: Retrieve files from the server. Vendor status: Notified and a new not much improved script is released. Short description of the tool: MultiHTML allows you to put an SSI call where you want the HTML file to be displaye...

7.4 AI score
Exploits: 0