1393 matches found
CVE-2026-33238 AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration
WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by...
File Browser 输入验证错误漏洞
File Browser is an open-source file management interface developed by File Browser. It allows for the uploading, deletion, previewing, and editing of files within a specified directory. Versions of File Browser 2.61.2 and earlier contained a vulnerability related to input validation errors. This...
Embedded Malicious Code
Overview @emilgroup/document-uploader is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released o...
GHSA-4JW9-5HRC-M4J6 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
Summary POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath. That...
GHSA-4WMM-6QXJ-FPJ4 AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
Summary The listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and...
Directory Traversal
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the listFiles.json.php file. An attacker can enumerate and disclose the absolute paths of .mp4 files located anywhere on the server...
PT-2026-26491
Summary POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath. That...
Camaleon CMS Vulnerable To Path Traversal Through AWS S3 Uploader Implementation
Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
CVE-2026-1776
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
EUVD-2026-10362
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
EUVD-2026-10361
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
GHSA-JW5G-F64P-6X78 Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation
Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation
Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
CVE-2026-1776
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
CAMALEON CMS 路径遍历漏洞
CAMALEON CMS is a dynamic advanced content management system developed by Owen Peredo Diaz. Versions of Camaleon CMS prior to 2.9.0 and versions before f54a77e contained a path traversal vulnerability. This vulnerability stems from path traversal in the AWS S3 uploader implementation, which could...
Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation
Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
Directory Traversal
Overview camaleoncms is a dynamic and advanced content management system based on Ruby on Rails as an alternative to Wordpress. Affected versions of this package are vulnerable to Directory Traversal via the downloadprivatefile function when the application is configured to use the...
CVE-2026-1776
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
CVE-2026-1776 Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...
CVE-2026-1776 Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...