Lucene search
K

10 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.10 views

CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

9.1CVSS5.6AI score0.00418EPSS
Exploits3References1
Github Security Blog
Github Security Blog
added 2026/04/22 7:6 p.m.8 views

DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

9.1CVSS5.9AI score0.00418EPSS
Exploits3References6Affected Software1
NVD
NVD
added 2026/04/22 5:16 p.m.11 views

CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

9.1CVSS0.00418EPSS
Exploits3References2
Cvelist
Cvelist
added 2026/04/22 4:54 p.m.28 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

6.5CVSS0.00418EPSS
Exploits3References2
Vulnrichment
Vulnrichment
added 2026/04/22 4:54 p.m.7 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

6.5CVSS5.8AI score0.00418EPSS
Exploits3References2
CVE
CVE
added 2026/04/22 4:54 p.m.18 views

CVE-2026-32885

CVE-2026-32885 (DDEV ZipSlip) affects the DDEV project prior to v1.25.2. The vulnerability resides in the archive extraction routines (pkg/archive/archive.go) for both Untar() and Unzip(), which unzip/downloaded archives from remote sources without validating the extraction path. This enables pat...

9.1CVSS5.8AI score0.00418EPSS
Exploits3References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.11 views

PT-2026-34524

Name of the Vulnerable Software and Affected Versions DDEV versions prior to 1.25.2 Description DDEV is an open-source tool for running local web development environments for PHP and Node.js. The software performs unsanitized extraction of archives from remote sources without path validation with...

9.1CVSS5.9AI score0.00418EPSS
Exploits3References10
EUVD
EUVD
added 2026/04/03 10:35 p.m.8 views

EUVD-2026-18901

Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip function include/lib/common.php:793. When extracting ZIP archives plugin/template uploads, backup imports, the function calls $zip-extractTo$path without sanitizing Z...

7.2CVSS6.1AI score0.00874EPSS
Exploits1References1
Veracode
Veracode
added 2025/10/16 7:7 a.m.6 views

Path Traversal

monai is vulnerable to Path Traversal Zip Slip. The vulnerability is due to extracting user-controlled paths without sanitization, an attacker can supply a crafted or downloadable ZIP to overwrite system files or drop malicious code...

8.8CVSS6.9AI score0.00568EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2020/04/30 5:15 p.m.3 views

ALPINE-CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file with...

5.2CVSS6.6AI score0.00358EPSS
Exploits0References1
Rows per page
Query Builder