CVE-2026-23482

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks...

CVE-2026-23482 Blinko: Unauthorized Arbitrary File Read - /api/file/temp

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks...

CVE-2026-23482

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks...

EUVD-2025-28000

Malicious code in bioql PyPI...

llama-index-core insecurely handles temporary files

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the getcachedir function where a predictable, hardcoded directory path /tmp/llamaindex is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal...

CVE-2025-7647

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the getcachedir function where a predictable, hardcoded directory path /tmp/llamaindex is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal...

Untrusted Search Path

Overview Affected versions of this package are vulnerable to Untrusted Search Path due to the use of an unprotected C:\Windows\Temp directory to copy and execute binaries. When a bundle runs as the SYSTEM user, it uses GetTempPathW which points to this insecure directory to drop and load multiple...

CVE-2023-28872

Support Assistant in NCP Secure Enterprise Client before 13.10 allows attackers to execute DLL files with SYSTEM privileges by creating a symbolic link from a %LOCALAPPDATA%\Temp\NcpSupport location...

PT-2023-25852 · Atera · Atera

Name of the Vulnerable Software and Affected Versions: Atera affected versions not specified Description: The issue arises from the C:WindowsTempAgent.Package.AvailabilityAgent.Package.Availability.exe file being automatically launched as SYSTEM when the system reboots. Since the...

CVE-2022-40777

Interspire Email Marketer through 6.5.0 allows arbitrary file upload via a surveyssubmit.php "create survey and submit survey" operation, which can cause a .php file to be accessible under a /admin/temp/surveys/ URI. NOTE: this issue exists because of an incomplete fix for CVE-2018-19550...

util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname constructed with an empty first argument in an ioutil.TempDir call.

...

Apache Struts ParametersInterceptor Remote Code Execution

This module exploits a remote command execution vulnerability in Apache Struts versions 'Apache Struts ParametersInterceptor Remote Code Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 'Meder Kydyraliev', Vulnerability Discove...