1617 matches found
CVE-2026-14361
The CVE-2026-14361 issue affects consul-template prior to 0.42.1, where the writeToFile helper opens the destination path directly and follows links in the path. This can allow template output to be written outside the intended directory or overwrite an existing file. The root cause is path redir...
PYSEC-2026-1568 LlamaIndex is vulnerable to Path Traversal attack through its ObsidianReader class
A vulnerability in the ObsidianReader class in LlamaIndex Readers Integration: Obsidian before version 0.5.1 from the run-llama/llamaindex repository versions 0.12.23 to 0.12.28 allows for arbitrary file read through symbolic links. The ObsidianReader fails to resolve symlinks to their real paths...
GHSA-MP2F-45PM-3CG9 Decompress: Archive extraction can create files and links outside of the target directory
Impact When extracting an archive to a directory, a crafted archive can read or write files outside that directory. The flaw is in the code that writes the parsed entries, so it affects every format decompress handles: tar, tar.gz, tar.bz2, and zip by default, plus any others added through the...
CVE-2026-58403
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile...
CVE-2026-59195 pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml who...
EUVD-2026-41878
pydantic-settings provides settings management using Pydantic. From 2.12.0 until 2.14.2, NestedSecretsSettingsSource reads secret values from files in a configured secretsdir. When secretsnestedsubdir=True, a directory entry inside secretsdir that is a symbolic link pointing outside secretsdir is...
CVE-2026-50016
A flaw was found in pnpm, a package manager. This vulnerability allows a malicious registry package to include specially crafted dependency aliases that contain path traversal segments. During the installation process, pnpm incorrectly processes these aliases, which can lead to the replacement of...
flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options
A flaw was found in Flatpak, a Linux application sandboxing and distribution framework. A malicious application could exploit this by using specially crafted symlinks within the sandbox-expose options of the Flatpak portal. This allows the application to access arbitrary host files and potentiall...
PT-2026-55947
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.4 pnpm versions prior to 11.8.0 Description pnpm accepts package names from the configDependencies section of the env lockfile and uses them directly when creating config dependency symlinks under node...
RLSA-2026:30857 Important: perl-Archive-Tar security update
Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support...
perl-Archive-Tar security update
An update is available for perl-Archive-Tar. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Archive::Tar provides an object oriented mechanism for handling tar...
CVE-2026-25718
Gitea prior to version 1.25.5 is affected by a symlink-based path resolution issue during template repository generation, allowing template processing to read or write via symlinked/non-regular paths. The vulnerability affects Gitea core components used for template repository generation (e.g., m...
CVE-2026-25718 Gitea template repository generation mishandles symlinked paths
Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths...
PT-2026-55594
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description Improper path resolution occurs during the generation of template repositories. This allows template processing to read or write data through symlinks or other non-regular paths, potentially leading t...
Cursor < 3.0 Multiple Sandbox Escapes
The version of Cursor installed on the remote host is prior to 3.0. It is, therefore, affected by multiple vulnerabilities: - A flaw in the agent sandbox allows a malicious agent to manipulate the workingdirectory parameter, causing the sandbox to include writable paths outside the intended...
RLSA-2026:30856 Important: perl-Archive-Tar security update
Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support...
perl-Archive-Tar security update
An update is available for perl-Archive-Tar. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Archive::Tar provides an object oriented mechanism for handling tar...
CVE-2026-41579
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join strin...
EUVD-2026-40859
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join strin...
CVE-2026-55607
A flaw was found in Claude Code, an agentic coding tool, in its handling of worktrees. This vulnerability allowed the creation of specially named worktrees and navigation outside of the intended secure environment, leading to what is known as a 'git directory confusion attack'. By manipulating...