Lucene search
K

10 matches found

OSV
OSV
added 2026/05/07 8:16 p.m.5 views

DEBIAN-CVE-2026-39817

The "go tool pack" subcommand usually used only by the compiler as an internal tool with known-good inputs does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem...

5.9CVSS5.9AI score0.0017EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/02/17 6:46 p.m.9 views

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Summary Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme e.g. javascript:alert1, the generated index includes an anchor whose href attribute is exactly...

5.4CVSS6.5AI score0.00224EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2023/01/31 5:35 a.m.93 views

CVE-2022-48285

A flaw was found in the JSZip package. Affected versions of JSZip could allow a remote attacker to traverse directories on the system caused by the failure to sanitize filenames when files are loaded with loadAsync, which makes the library vulnerable to a Zip Slip attack. By extracting files from...

7.3CVSS4.7AI score0.01411EPSS
Exploits0References7
AlpineLinux
AlpineLinux
added 2020/11/20 3:40 p.m.775 views

CVE-2020-13671

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to...

8.8CVSS8.8AI score0.04269EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2020/11/20 12:0 a.m.32 views

CVE-2020-13671

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to...

8.8CVSS3.7AI score0.04269EPSS
In wildExploits0References6
Node.js
Node.js
added 2019/12/11 5:18 p.m.12 views

Command Injection

Overview All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. Recommendation No fix is currently available. Consider using an...

7.1AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/09/16 6:1 p.m.15 views

Cross-Site Scripting

Overview All versions of snekserve are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available...

6.7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/08/07 7:39 p.m.20 views

Cross-Site Scripting

Overview All versions of http-file-server are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently availabl...

3.5CVSS4.1AI score0.00709EPSS
Exploits1Affected Software1
Node.js
Node.js
added 2019/06/18 11:36 p.m.12 views

Cross-Site Scripting

Overview Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation Upgrade to version 10.0.2 o...

6.7AI score
Exploits0Affected Software1
seebug.org
seebug.org
added 2014/07/01 12:0 a.m.13 views

GNU a2ps 4.13 File Name Command Execution Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/11025/info Reportedly GNU a2ps is affected by a filename command-execution vulnerability. This issue is due to the application's failure to properly sanitize filenames. An attacker might leverage this issue to execute...

7.1AI score
Exploits0
Rows per page
Query Builder