GHSA-7C78-JF6Q-G5CM tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template

Summary The assertPath guard added to [email protected] rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value Array, Buffer, or any object whose includes'..' returns falsy but whose stringification still contains ../...

CVE-2026-49982 tmp: Type-confusion bypass of _assertPath in [email protected] allows path traversal via non-string prefix/postfix/template

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value Array, Buffer, or any object whose includes'....

CVE-2026-49982

The CVE concerns the node-tmp package (tmp) used by Node.js apps. In v0.2.6, a guard in the _assertPath function rejects only string values containing the substring "..", but the bypass occurs when prefix/postfix/template are provided as non-string values (e.g., Array, Buffer, or objects) whose i...

Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

Summary The fetch-apify-docs tool validates URLs against a domain allowlist using String.startsWith instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains e.g., https://docs.apify.com.evil.com/, enabling the tool to fetch and return arbitrary web content ...

Exploit for Out-of-bounds Write in Php

This is an exploit module for a bug in php-fpm CVE-2019-11043. The bug allows a web user to execute code on a vulnerable server if the server has a specific configuration. The exploit targets the PHP 7+ versions, but the bug itself is present in earlier versions. The exploit works by setting the...