
15 matches found

NVD
added yesterday, 5 views

CVE-2026-50568

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path,...

3.6 CVSS
Exploits: 0, References: 4
EUVD
added yesterday, 3 views

EUVD-2026-36072

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path,...

3.6 CVSS, 5.4 AI score
Exploits: 0, References: 4
CVE
added yesterday, 5 views

CVE-2026-50568

Fission (Kubernetes-native serverless framework) has a lexical path check vulnerability in SanitizeFilePath (pkg/utils/utils.go) that used strings.HasPrefix(path, safedir) instead of a directory-boundary check. This allowed a sibling directory escape (e.g., /packages-extra/evil under /packages) t...

3.6 CVSS, 5.4 AI score
Exploits: 0, References: 4
Positive Technologies
added yesterday, 3 views

PT-2026-48513

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path,...

3.6 CVSS, 5.4 AI score
Exploits: 0, References: 5
Tenable Nessus
added 2026/01/20 12:0 a.m., 2 views

MiracleLinux 8 : git-2.39.1-1.el8 (AXSA:2023-5936:07)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5936:07 advisory. git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree (CVE-2022-24765). git: Bypass of safe.directory protections...

8.8 CVSS, 7.7 AI score, 0.02579 EPSS
Exploits: 1, References: 5
Tenable Nessus
added 2026/01/20 12:0 a.m., 1 views

MiracleLinux 9 : git-2.39.1-1.el9 (AXSA:2023-5623:05)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5623:05 advisory. git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree (CVE-2022-24765). git: Bypass of safe.directory protections...

8.8 CVSS, 8.7 AI score, 0.02579 EPSS
Exploits: 1, References: 5
CVE
added 2025/12/05 9:32 p.m., 10 views

CVE-2025-14106

Vulnerability summary: CVE-2025-14106 affects ZSPACE Q2C NAS up to 1.1.0210050. The issue is in the HTTP POST Request Handler, under the function zfilev2_api.CloseSafe in file /v2/file/safe/close. By manipulating the safe_dir argument, an attacker can perform a remote command injection. Exploit c...

9 CVSS, 8.5 AI score, 0.01839 EPSS
Exploits: 1, References: 4, Affected Software: 1
CNNVD
added 2025/12/05 12:0 a.m., 2 views

ZSPACE Q2C command injection vulnerability

ZSPACE Q2C is a private cloud storage device from China's ZSPACE company. A command injection vulnerability exists in ZSPACE Q2C 1.1.0210050 and earlier versions, which stems from incorrect manipulation of the parameter safedir in the file /v2/file/safe/open, which could lead to a command...

9 CVSS, 8.8 AI score, 0.01217 EPSS
Exploits: 1, References: 5
RedHat Linux
added 2024/01/25 8:1 a.m., 1 views

git: Bypass of safe.directory protections

A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This issue allows the owner of the repository to cause arbitrary commands to be executed by...

7.8 CVSS, 7.3 AI score, 0.00111 EPSS
Exploits: 0, References: 4
OSV
added 2023/06/01 3:3 p.m., 2 views

CLSA-2023-1685631809 git: Fix of 2 CVEs

CVE-2022-24765: fix safe.directory key not being checked in setup.c - CVE-2022-29178: avoid failing dir ownership check - some unstable tests were disabled...

8.8 CVSS, 6.9 AI score, 0.00149 EPSS
Exploits: 0, References: 1
OSV
added 2023/06/01 2:31 p.m., 3 views

CLSA-2023-1685629885 git: Fix of 2 CVEs

CVE-2022-24765: fix safe.directory key not being checked in setup.c - CVE-2022-29178: avoid failing dir ownership check - some unstable tests were disabled...

8.8 CVSS, 6.9 AI score, 0.00149 EPSS
Exploits: 0, References: 1
RedHat Linux
added 2023/05/16 8:32 a.m., 47 views

Moderate: Red Hat Security Advisory: git security and bug fix update

An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CV...

8.8 CVSS, 6.8 AI score, 0.02579 EPSS
Exploits: 1, References: 7
RedHat Linux
added 2023/05/09 10:3 a.m., 1 views

git: Bypass of safe.directory protections

A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This issue allows the owner of the repository to cause arbitrary commands to be executed by...

7.8 CVSS, 7.3 AI score, 0.00111 EPSS
Exploits: 0, References: 4
Snyk
added 2021/02/03 10:25 a.m., 5 views

Insecure Temporary File

Overview: com.squareup:connect is a stack of middleware that is executed in order in each request. Affected versions of this package are vulnerable to Insecure Temporary File. The method prepareDownloadFile creates a temporary file with the permission bits of -rw-r--r-- on unix-like system...

4.4 CVSS, 6.5 AI score, 0.00036 EPSS
Exploits: 0, References: 2
securityvulns
added 2013/03/02 12:0 a.m., 62 views

PHP security vulnerabilities

safedir protection bypass and code execution on SOAP handling...

7.5 CVSS, 1.9 AI score, 0.03157 EPSS
Exploits: 0, References: 1, Affected Software: 1