Lucene search
K

53 matches found

NVD
NVD
added last week12 views

CVE-2026-60102

Horde Virtual File System VFS API before 3.0.1 contains an OS command injection vulnerability in the HordeVfsSmb driver where the escapeShellCommand method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled...

8.8CVSS0.01803EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:25 p.m.5 views

CVE-2026-58403

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile...

5.9CVSS5.9AI score0.00318EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/07/06 7:25 p.m.35 views

CVE-2026-58403 Hugo symlink confinement bypass in os.ReadFile

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile...

5.9CVSS0.00318EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 8:39 a.m.2 views

CVE-2026-53244 VFS: fix possible failure to unlock in nfsd4_create_file()

In the Linux kernel, the following vulnerability has been resolved: VFS: fix possible failure to unlock in nfsd4createfile atomiccreate in fs/namei.c drops the reference to the dentry when it returns an error. This behaviour was imported into dentrycreate so that it will drop the reference if an...

7.5CVSS5.8AI score0.00359EPSS
Exploits0References5
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.5 views

Astra Linux – Vulnerability in Linux 6.12

In the Linux kernel, the following vulnerabilities have been resolved: ksmbd: In the vfs module, a race condition occurred regarding the mFlags field. ksmbd maintains states such as “delete-on-close” and “pending-delete” in the mFlags field of the ksmbdinode structure. In the vfscache.c code, thi...

5.9AI score0.00168EPSS
Exploits0References2
OSV
OSV
added 2026/06/05 3:48 p.m.11 views

OESA-2026-2570 gvfs security update

Gvfs is a userspace virtual filesystem implementation for GIO a library available in GLib. It comes with a set of backends, including trash support, SFTP, SMB, HTTP, DAV, and many others. Gvfs also contains modules for GIO that implement volume monitors and persistent metadata storage. Security...

4.3CVSS8.4AI score0.0036EPSS
Exploits2References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in WebKit2GTK

In BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before version 2.34.1, there was a limited bypass of the sandbox mechanism that allowed a sandboxed process to trick host processes into believing that the sandboxed process was not confined by the sandbox. This was achieved by exploiting VFS...

5.3CVSS6.5AI score0.00501EPSS
Exploits1References2
Mageia
Mageia
added 2026/04/22 10:8 p.m.9 views

Updated gvfs packages fix security vulnerabilities

Gvfs: gvfs ftp backend: information disclosure via untrusted pasv responses. CVE-2026-28295 Gvfs: ftp gvfs backend: arbitrary ftp command injection via crlf sequences in file paths. CVE-2026-28296...

4.3CVSS5.9AI score0.0036EPSS
Exploits2References3
OSV
OSV
added 2026/03/31 9:8 a.m.2 views

SUSE-SU-2026:20988-1 Security update for gnome-online-accounts, gvfs

This update for gnome-online-accounts, gvfs fixes the following issues: Changes for gvfs: Update gvfs to 1.59.90: - CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers bsc1258953. - CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRL...

4.3CVSS7.4AI score0.0036EPSS
Exploits2References5
OSV
OSV
added 2026/03/28 12:0 a.m.6 views

DLA-4513-1 gvfs - security update

Bulletin has no description...

4.3CVSS5.8AI score0.0036EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.11 views

CVE-2026-30914

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths...

8.1CVSS5.8AI score0.00521EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/13 7:2 p.m.2 views

CVE-2026-30914 SFTPGo has a Path Traversal and Permission Bypass via Path Normalization Discrepancy

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths...

5.3CVSS5.8AI score0.00521EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/13 6:55 p.m.9 views

SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy

Impact In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the...

8.1CVSS5.7AI score0.00521EPSS
Exploits0References5Affected Software2
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.5 views

PT-2026-25354

Name of the Vulnerable Software and Affected Versions SFTPGo versions prior to 2.7.1 Description SFTPGo is an open-source, event-driven file transfer solution. A path normalization discrepancy exists between the protocol handlers and the internal Virtual Filesystem routing in versions prior to...

9.9CVSS7.1AI score0.22162EPSS
Exploits70References136
AstraLinux
AstraLinux
added 2026/03/03 9:29 a.m.2 views

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: vfs: Do not leak disconnected dentrys during umount When the user calls openbyhandleat on an inode that is not cached, we will create a disconnected dentry for it. If such a dentry is a directory, exportfsdecodefhraw will attempt...

6.1AI score0.00193EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/03/03 12:0 a.m.7 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005534)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005534 advisory. In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between eviceinodes and findinode&iput Hi, all Recently I noticed a bug1 in btrfs,...

4.7CVSS6.8AI score0.00194EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/26 3:33 p.m.4 views

CVE-2026-28295 Gvfs: gvfs ftp backend: information disclosure via untrusted pasv responses

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode PASV response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the...

4.3CVSS5.6AI score0.00186EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/02 4:27 p.m.4 views

CVE-2025-48769

Use After Free vulnerability was discovered in fs/vfs/fsrename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in...

8.1CVSS7.5AI score0.01514EPSS
Exploits0References1
CVE
CVE
added 2026/01/01 4:14 p.m.32 views

CVE-2025-48769

CVE-2025-48769 affects Apache NuttX RTOS. The flaw is a Use-After-Free in the fs/vfs/fs_rename code caused by a recursive implementation reusing a single buffer across two pointers, enabling arbitrary user-provided buffer reallocations and writes to a freed heap chunk. In affected scenarios, this...

8.1CVSS7.2AI score0.01514EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/01/01 4:14 p.m.32 views

CVE-2025-48769 Apache NuttX RTOS: fs/vfs/fs_rename: use after free

Use After Free vulnerability was discovered in fs/vfs/fsrename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in...

0.01514EPSS
Exploits0References2
Rows per page
Query Builder