CVE-2026-33238
WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by...
CVE-2022-45133
Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 allows unsafe font upload for skins. A particularly structured XML file could allow one to traverse the server to obtain access to secure files or cause code execution based on the payload...
CVE-2022-45133
Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 allows unsafe font upload for skins. A particularly structured XML file could allow one to traverse the server to obtain access to secure files or cause code execution based on the payload...
CVE-2022-45133
Affected software: Mahara. Vulnerable versions: 21.10 < 21.10.6, 22.04 < 22.04.4, 22.10
Path Traversal
glance is vulnerable to path traversal attacks. Using a string including ../, attackers can traverse the server and any file with a known path...
NiteServer < 1.85 FTP Server Traversal Directory Listing
Binary data 1826.prm...