CVE-2026-49980

A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the rcd --rc-serve option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows f...

CVE-2026-49980

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

CVE-2026-49980 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

CVE-2026-49980 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

CVE-2026-55447

Langflow’s BaseFileComponent family (including Read File, DoclingInlineComponent, DoclingServe, DoclingRemoteComponent, NvidiaIngestComponent, VideoFileComponent, UnstructuredComponent) is affected by CVE-2026-55447. The underlying issue is in base_file.py: _unpack_bundle TAR extraction does not ...

CVE-2026-54286

CVE-2026-54286 concerns Hono’s path traversal in the Windows environment via encoded backslash (%5C) in the request path. A prior issue (pre-4.12.25) causes %5C to decode to a backslash, which Windows path resolution treats as a separator, allowing a crafted URL segment (e.g., admin\secret.txt) t...

CVE-2026-54286

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...

Rclone 1.46.x < 1.74.3 Unauthenticated Command Execution

The version of Rclone installed on the remote host is 1.46.x prior to 1.74.3. It is, therefore, affected by an unauthenticated command execution vulnerability: - rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form /remote:path/object. The remote value is parse...

Directory Traversal

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serve-static method on Windows hosts when an encoded backslash %5C in the request path is decoded to , which is treated as a separator by the Windows path...

hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Summary On Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static file...

NPM: hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

NPM: hono: Path traversal in serve-static on Windows via encoded backslash %5C vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...

PT-2026-49733

Name of the Vulnerable Software and Affected Versions serve-static affected versions not specified Description On Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. Because the router splits paths only on /, a request su...

dbgate-serve (>=7.0.0 <=7.1.13), dbmodel (>=7.0.0 <=7.1.13) potentially affected by CVE-2026-48017 via dbgate-api (>=7.1.10 <=7.1.8)

dbgate-api NPM version =7.1.10, =7.0.0, =7.0.0, =7.1.13 Source cves: CVE-2026-48017 Source advisory: SNYK:JS-DBGATEAPI-17223766...

CVE-2026-6636

A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a manipulation of the argument pathname results in path traversal. It is possible to initiate the attack...

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

CVE-2026-42047

Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the...

CVE-2026-26210

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balanceserve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads without validation. Attackers can...

BIT-MLFLOW-2026-2651 Missing Authorization Validation in mlflow/mlflow

A vulnerability in MLflow versions =3.10.1.dev0 allows unauthorized access to multipart upload MPU endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/ endpoints, enabling attackers to overwrite...

PT-2026-45252

A vulnerability was determined in NousResearch hermes-agent up to 2026.4.30. Affected is the function serve plugin skill/skill view of the file tools/skills tool.py. Executing a manipulation can lead to injection. The attack may be performed from remote. The exploit has been publicly disclosed an...

CVE-2026-2651

A flaw was found in MLflow when the --serve-artifacts mode is enabled. A remote attacker can exploit this vulnerability due to insufficient resource-level permission checks for multipart upload MPU endpoints. This allows the attacker to overwrite artifacts belonging to other users, which can lead...