Lucene search
K

109 matches found

NVD
NVD
added 2026/02/23 9:19 p.m.19 views

CVE-2026-23521

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device uniqueId to an absolute path. When uploading a device image, Traccar uses that uniqueId to build the filesystem path...

6.5CVSS0.0032EPSS
Exploits1References1
SUSE CVE
SUSE CVE
added 2026/02/20 12:25 a.m.10 views

SUSE CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory's path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory...

7.5CVSS6.4AI score0.00665EPSS
Exploits1References3
UbuntuCve
UbuntuCve
added 2026/02/18 7:21 p.m.4 views

CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory...

7.5CVSS6.7AI score0.00665EPSS
Exploits1References3
OSV
OSV
added 2026/02/18 6:45 p.m.6 views

CVE-2026-22860 Rack has a Directory Traversal via Rack:Directory

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory...

7.5CVSS5.6AI score0.00665EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/02/18 6:45 p.m.42 views

CVE-2026-22860 Rack has a Directory Traversal via Rack:Directory

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory...

7.5CVSS0.00665EPSS
Exploits1References2
CVE
CVE
added 2026/02/18 6:45 p.m.36 views

CVE-2026-22860

CVE-2026-22860 — Rack (Ruby Rack) Directory Traversal Rack::Directory is vulnerable because its path check uses a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root and enable directory listing outside of the intended root. This issue affects...

7.5CVSS5.5AI score0.00665EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/02/04 11:15 p.m.5 views

UBUNTU-CVE-2025-22873

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open"../" would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained with...

3.8CVSS7.3AI score0.00238EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/04 7:2 p.m.6 views

CVE-2026-25121

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...

7.5CVSS5.4AI score0.00369EPSS
Exploits0References3Affected Software1
SUSE CVE
SUSE CVE
added 2026/01/28 12:24 a.m.4 views

SUSE CVE-2026-24131

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's directories.bin field, it uses path.join without validating the result stays within the package root. A malicious npm package can specify "directories": "bin": "../../../../tmp" to escape the package directory,...

6.7CVSS6AI score0.00244EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/01/26 10:3 p.m.7 views

CVE-2026-24131

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's directories.bin field, it uses path.join without validating the result stays within the package root. A malicious npm package can specify "directories": "bin": "../../../../tmp" to escape the package directory,...

6.7CVSS6AI score0.00244EPSS
Exploits1
CVE
CVE
added 2026/01/26 10:3 p.m.24 views

CVE-2026-24131

CVE-2026-24131 concerns pnpm, a package manager. Before version 10.28.2, processing a package’s directories.bin field could join a path without ensuring it stayed under the package root, enabling a crafted package to escape the package and chmod files at arbitrary locations on Unix-like systems. ...

6.7CVSS6AI score0.00244EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/26 12:0 a.m.4 views

PT-2026-4829

Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.28.2 Description pnpm, a package manager, is susceptible to a file permission issue when processing the directories.bin field within a package. A malicious npm package can manipulate this field, specifically by using...

6.7CVSS6.1AI score0.00244EPSS
Exploits1References11
OSV
OSV
added 2025/12/12 6:30 p.m.2 views

GHSA-7V39-2HX7-7C43 Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip

An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path e.g., /etc/... or use parent directory traversal ../../.. to escape the restore root when a backup is restored, potentially creating or...

8.7CVSS7AI score0.00771EPSS
Exploits0References6
Cvelist
Cvelist
added 2025/12/09 3:35 a.m.30 views

CVE-2025-67487 Static Web Server is vulnerable to symbolic link Path Traversal

Static Web Server SWS is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links symlinks which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping th...

6.9CVSS0.00362EPSS
Exploits0References2
OSV
OSV
added 2025/12/09 3:35 a.m.6 views

CVE-2025-67487 Static Web Server is vulnerable to symbolic link Path Traversal

Static Web Server SWS is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links symlinks which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping th...

6.9CVSS6.7AI score0.00362EPSS
Exploits0References4
CVE
CVE
added 2025/12/09 3:35 a.m.24 views

CVE-2025-67487

The CVE refers to Static Web Server (SWS) where versions 2.40.0 and earlier fail to properly constrain symbolic links, allowing path traversal to files/directories outside the web root via URL or directory listings. Root cause: symlinks escaping the server’s root due to inadequate checks. Impact:...

8.6CVSS6.3AI score0.00362EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2025/12/09 12:0 a.m.5 views

PT-2025-49798

Name of the Vulnerable Software and Affected Versions Static Web Server versions 2.40.0 and below Description Static Web Server SWS is a web server designed for static web files. Versions 2.40.0 and below do not adequately prevent symbolic links symlinks from being used to access files and...

8.6CVSS6.6AI score0.00362EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2020-3794

Malware in sbrugna...

7.5CVSS7.5AI score0.01082EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/08/22 4:35 p.m.5 views

CVE-2012-10061

Sockso Music Host Server versions = 1.5 are vulnerable to a path traversal flaw that allows unauthenticated remote attackers to read arbitrary files from the server’s filesystem. The vulnerability exists in the HTTP interface on port 4444, where the endpoint /file/ fails to properly sanitize...

8.7CVSS7.2AI score0.01165EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/02/19 12:0 a.m.6 views

crun 路径遍历漏洞

crun is an OCI Open Container Initiative container runtime library written in C from Containers open source. A path traversal vulnerability exists in versions of crun prior to 1.20, which stems from the fact that a malicious container image could trick a krun handler into escaping the root...

8.5CVSS8.3AI score0.00533EPSS
Exploits0References4
Rows per page
Query Builder