CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/06/01 4:4 p.m.•25 views

CVE-2026-44740

CVE-2026-44740 affects the go-billy interface filesystem abstraction. Before 5.9.0 and 6.0.0-alpha.1, multiple components may mishandle crafted input, risking panics, infinite loops, uncontrolled recursion, or excessive resource consumption due to missing validation, cycle detection, and defensiv...

6.5CVSS5.7AI score0.00042EPSS

Github Security Blog•added 2026/05/13 3:29 p.m.•8 views

go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

Impact Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or...

6.5CVSS5.8AI score0.00042EPSS

Exploits0References5Affected Software2

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop through insufficient validation and missing safety mechanisms during symlink resolution. An attacker can cause infinite loops and resource exhaustion by providing crafted or malformed input that triggers uncontrolled...

Infinite loop

OSV•added 2026/05/13 3:29 p.m.•1 views

GHSA-M3XC-H892-GGX6 go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

6.5CVSS5.8AI score0.00042EPSS

Exploits0References5

Snyk•added 2026/05/13 3:29 p.m.•5 views

Infinite loop

Infinite loop

Infinite loop

Snyk•added 2026/05/13 3:29 p.m.•5 views

Infinite loop

Snyk•added 2026/05/13 3:29 p.m.•6 views

Infinite loop

Positive Technologies•added 2026/04/06 12:0 a.m.•2 views

PT-2026-30763

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 1.5.113 Description PraisonAI is susceptible to a path traversal issue due to a flaw in the validate path function. This function first calls os.path.normpath, which collapses '..' sequences, and then checks for the...

9.2CVSS5.9AI score0.00088EPSS

Exploits1References8

EUVD•added 2026/04/01 4:8 p.m.•1 views

EUVD-2026-17964

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the...

7.1CVSS5.8AI score0.00101EPSS

Exploits0References2

CVE•added 2026/03/30 7:7 p.m.•15 views

CVE-2026-21715

Node.js CVE-2026-21715 (Permission Model Bypass in realpathSync.native) is detailed in the March 2026 Node.js security releases. The vulnerability stems from missing read-permission checks in fs.realpathSync.native(), enabling code running under --permission with restricted --allow-fs-read to sti...

3.3CVSS6.5AI score0.00006EPSS

Cvelist•added 2026/03/30 7:7 p.m.•18 views

CVE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

3.3CVSS0.00006EPSS

ATTACKERKB•added 2026/03/30 7:7 p.m.•1 views

CVE-2026-21715

3.3CVSS5.9AI score0.00006EPSS

Exploits0References2Affected Software1

RedhatCVE•added 2025/12/18 10:37 p.m.•3 views

CVE-2025-68145

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repopath arguments in subsequent tool calls were actually within that configured path. This could allow tool calls t...

6.4CVSS6.7AI score0.00177EPSS

Cvelist•added 2025/12/17 10:12 p.m.•20 views

CVE-2025-68145 mcp-server-git has missing path validation when using --repository flag

6.4CVSS0.00177EPSS