
1100 matches found

NVD
added 2026/05/14 4:16 p.m., 7 views

CVE-2026-42597

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can lo...

5.9 CVSS, 0.00044 EPSS
Exploits 1, References 1
EUVD
added 2026/05/14 3:34 p.m., 4 views

EUVD-2026-30317

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can lo...

5.9 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits 1, References 1
CVE
added 2026/05/14 3:34 p.m., 10 views

CVE-2026-42597

Gotenberg’s Chromium URL routes (/forms/chromium/convert/url and /forms/chromium/screenshot/url) allow file:// access to /tmp for anonymous callers, enabling cross-request data exfiltration by enumerating work/request directories during overlapping conversions. This is caused by the HTML/Markdown...

5.9 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/05/14 3:34 p.m., 6 views

CVE-2026-42597

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can lo...

5.9 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2026/05/14 3:34 p.m., 7 views

CVE-2026-42597 Gotenberg: Chromium URL conversion routes read arbitrary files under /tmp via file:// scheme

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can lo...

5.9 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits 1, References 1
CNNVD
added 2026/05/14 12:00 a.m., 5 views

Gotenberg security vulnerability

Gotenberg is an open-source, developer-friendly API developed by Gotenberg. It is used to convert various document formats into PDF files. Versions of Gotenberg prior to 8.32.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of protection for URL routing using...

5.9 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits 1, References 1
ATTACKERKB
added 2026/05/08 12:00 a.m., 7 views

CVE-2026-34354

Akamai Guardicore Platform Agent GPA and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the...

7.4 CVSS, 6 AI score, 0.00015 EPSS
Exploits 0, References 2, Affected Software 2
Vulnrichment
added 2026/05/07 10:45 p.m., 7 views

CVE-2026-8115 gyoridavid short-video-maker REST API rest.ts path traversal

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

6.9 CVSS, 5.7 AI score, 0.00018 EPSS
Exploits 0, References 5
GithubExploit
added 2026/05/03 1:51 a.m., 67 views

race-condition-exploit

🔐 Race Condition Exploit & Mitigation TOCTOU This project d...

5.8 AI score
Exploits 0
Snyk
added 2026/04/29 8:42 p.m., 2 views

Arbitrary File Upload

Overview: ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Arbitrary File Upload via the installthemefromtmp process. An attacker can execute arbitrary PHP code on the server by uploading a specially crafted ZIP file containing...

8.6 CVSS, 6.2 AI score, 0.00122 EPSS
Exploits 0, References 2
Github Security Blog
added 2026/04/22 6:31 p.m., 3 views

uutils coreutils' mktemp utility doesn't properly handle an empty TMPDIR environment variable

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the...

3.3 CVSS, 5.2 AI score, 0.00017 EPSS
Exploits 0, References 5, Affected Software 1
Github Security Blog
added 2026/04/22 5:29 p.m., 2 views

CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE

Summary: ci4ms Theme::upload extracts user-uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the publ...

9.4 CVSS, 6.5 AI score, 0.00534 EPSS
Exploits 0, References 4, Affected Software 1
Tenable Nessus
added 2026/04/18 12:00 a.m., 4 views

SUSE SLES15 / openSUSE 15 Security Update : smc-tools (SUSE-SU-2026:1422-1)

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1422-1 advisory. This update for smc-tools fixes the following issue: Update to smc-tools v1.8.7: - predictable /tmp file allows for local denial of servic...

5.9 AI score
Exploits 0, References 2
OSV
added 2026/04/16 11:44 p.m., 1 view

BIT-MLFLOW-2025-10279 Privilege Escalation in mlflow/mlflow

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions 0o777. This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual...

7 CVSS, 7.3 AI score, 0.00007 EPSS
Exploits 1, References 3
Securelist
added 2026/04/09 9:30 a.m., 2 views

The long road to your crypto: ClipBanker and its marathon infection chain

At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for "Proxifier". Proxifiers are specialized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a...

6.2 AI score
Exploits 0
OSV
added 2026/04/01 9:26 a.m., 5 views

OPENSUSE-FU-2026:20453-1 Feature update for himmelblau

This update for himmelblau fixes the following issues: Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160: tracing-subscriber: Tracing log pollution bsc1249013. - CVE-2026-25727: time: parsing of user-provided...

8.8 CVSS, 5.9 AI score, 0.00112 EPSS
Exploits 2, References 9
OSV
added 2026/04/01 9:19 a.m., 0 views

SUSE-FU-2026:20990-1 Feature update for himmelblau

This update for himmelblau fixes the following issues: Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160: tracing-subscriber: Tracing log pollution bsc1249013. - CVE-2026-25727: time: parsing of user-provided...

8.8 CVSS, 6.1 AI score, 0.00112 EPSS
Exploits 2, References 10
RedhatCVE
added 2026/03/26 2:59 p.m., 4 views

CVE-2026-31979

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the task...

8.8 CVSS, 5.9 AI score, 0.00022 EPSS
Exploits 1, References 1
OSV
added 2026/03/25 8:01 p.m., 0 views

GHSA-9FFQ-6457-8958 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

Summary: A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. Detail: In src/Utils/FileUtil.php, the FileUtil::explodeExtension function...

8.8 CVSS, 5.8 AI score, 0.00031 EPSS
Exploits 0, References 4
NVD
added 2026/03/20 5:16 a.m., 5 views

CVE-2026-33017

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses...

9.8 CVSS, 0.24652 EPSS
Exploits 16, References 7