GHSA-6R62-W2Q3-48HF BentoML has a Path Traversal via Bentofile Configuration
Summary: BentoML's bentofile.yaml configuration allows path traversal attacks through multiple file-path fields (description, docker.setup_script, docker.dockerfile_template, conda.environment_yml). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files fr...
CVE-2025-53358
Summary (CVE-2025-53358): Kotaemon, an open-source RAG-based document tool, is affected in versions up to 0.10.6. The function index_fn in libs/ktem/ktem/index/file/ui.py accepts both URLs and local file paths without validation, causing the pipeline to stream and store these paths. This enables...
CVE-2025-53358 kotaemon Vulnerable to Path Traversal via Link Upload
kotaemon is an open-source RAG-based tool for document comprehension. In versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to...
CVE-2025-49138 HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field...