ots has a negative expire override that can bypass its secret retention policy

Summary The /api/create endpoint accepted negative expire query values. For the memory storage backend, negative values were passed to secret creation as a negative duration and treated as no expiry, allowing callers to create secrets that persisted longer than intended. Impact Unauthenticated...

AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload

Summary The currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem storage backend the default, an authenticated user with media management permissions ca...

GHSA-4M88-WXJ4-9QJ6 Incus Vulnerable to Panic via Snapshot Bounds Check

Summary Missing validation logic in the storage volume import logic allows an authenticated user with access to Incus' storage volume feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service. Details The backup restore...

Incus has a Nil-Pointer Dereference Panic via Bucket Metadata

Summary Missing validation logic in the storage bucket import logic allows an authenticated user with access to Incus' storage bucket feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service. Details The storage bucket...

CVE-2026-35492

Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...

PT-2026-24112

Name of the Vulnerable Software and Affected Versions Camaleon CMS versions 2.4.5.0 through 2.9.0 Description Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, have a path traversal issue in the AWS S3 uploader implementation. Authenticated users can read arbitrary files from...

Python Library Django 4.2.x < 4.2.29 / 5.2.x < 5.2.12 / 6.0.x < 6.0.3 Race Condition

The detected version of the Django Python package, is 4.2.x prior to 4.2.29, 5.2.x prior to 5.2.12, or 6.0.x prior to 6.0.3. It is, therefore, affected by a race condition vulnerability as referenced by security release advisory: - An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, a...

CVE-2026-23939

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Store.Local' module allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines...

EEF-CVE-2026-23939 Path Traversal in Local File Store Backend

Summary Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Store.Local' module allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines...

CVE-2026-23939 Path Traversal in Local File Store Backend

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Store.Local' module allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines...

CVE-2026-23939 Path Traversal in Local File Store Backend

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Store.Local' module allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines...

CVE-2026-23939

The CVE-2026-23939 issue affects the Local Storage backend of hexpm (Elixir.Hexpm.Store.Local) used in self-hosted deployments. The vulnerability is a path traversal flaw in local storage routines get/3, put/4, delete/2, and delete_many/2 within lib/hexpm/store/local.ex, allowing relative path tr...

PT-2026-22180

Name of the Vulnerable Software and Affected Versions hexpm versions prior to 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 Description A path traversal issue exists in hexpm’s Local Storage backend, impacting self-hosted deployments. The issue resides within the 'Elixir.Hexpm.Store.Local' module and...

CVE-2026-25964 Tandoor Recipes Affected by Authenticated Local File Disclosure (LFD) via Recipe Import leads to Arbitrary File Read

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This...

PT-2026-8022

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This...

Exposure of Storage Secret in Pyroscope

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage COS. If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secretkey configuration value from the...

EUVD-2014-3541

Malware in sbrugna...

EUVD-2021-31839

Malicious code in bioql PyPI...

Lemmy user purging users or communities or banning users can delete images they didn't upload/exclusively use

Summary An improper uploaded media ownership check can result in inadvertent deletion of media when a user is banned with content removal or purged. This can lead to deletion of media that was not uploaded by the banned/purged user. This also applies to purged communities, in which case all media...

CVE-2025-24961

CVE-2025-24961 affects org.gaul S3Proxy and describes an insecure path traversal in the filesystem and filesystem-nio2 storage backends that could unintentionally expose local files to users. The root cause is a path traversal flaw when using those backends, enabling access to files outside the i...