60017 matches found
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured
Description Impact wireshark-mcp exposes a wiresharkexportobjects MCP tool that accepts an attacker-controlled destdir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction. The path sandbox alloweddirs is None by default and only activates when the...
exiftool-vendored vulnerable to argument injection via newline characters in tag names
Impact exiftool-vendored starts ExifTool in -stayopen True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of tho...
GHSA-CW26-7653-2RP5 exiftool-vendored vulnerable to argument injection via newline characters in tag names
Impact exiftool-vendored starts ExifTool in -stayopen True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of tho...
CVE-2026-35397
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured rootdir and access sibling directories whose names begin with the same prefix as the rootdir. For exampl...
Prometheus Azure AD remote write OAuth client secret exposed via config API
Impact Users who use Azure AD remote write with OAuth authentication are impacted. The clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the...
GHSA-WG65-39GG-5WFJ Prometheus Azure AD remote write OAuth client secret exposed via config API
Impact Users who use Azure AD remote write with OAuth authentication are impacted. The clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the...
EUVD-2026-27017
PPTAgent: Arbitrary File Write via savegeneratedslides...
PPTAgent: Arbitrary File Write via `save_generated_slides`
Summary This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00. The savegeneratedslides MCP tool accepts a pptxpath argument and writes the generated PPTX file to that path without any workspace restriction or path validation:...
GHSA-PXHG-7XR2-W7XG PPTAgent: Arbitrary File Write via `save_generated_slides`
Summary This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00. The savegeneratedslides MCP tool accepts a pptxpath argument and writes the generated PPTX file to that path without any workspace restriction or path validation:...
PPTAgent: Arbitrary File Write + Directory Creation via markdown_table_to_image
Summary The markdowntabletoimage tool accepts a caller-controlled path parameter and passes it directly to gethtmltableimage: python pptagent/mcpserver.py:127-143 def markdowntabletoimagemarkdowntable: str, path: str, css: str - str: """ Args: path str: The file path where the image will be saved...
GHSA-HRCW-XC63-G29M PPTAgent: Arbitrary File Write + Directory Creation via markdown_table_to_image
Summary The markdowntabletoimage tool accepts a caller-controlled path parameter and passes it directly to gethtmltableimage: python pptagent/mcpserver.py:127-143 def markdowntabletoimagemarkdowntable: str, path: str, css: str - str: """ Args: path str: The file path where the image will be saved...
Incorrect Behavior Order
Overview Affected versions of this package are vulnerable to Incorrect Behavior Order due to a write operation to the session storage backend occurring before authentication. An attacker can exhaust storage resources by sending unauthenticated requests. Remediation Upgrade horizon to version 25.7...
GHSA-VXVF-XVM3-P8J5 OpenStack Horizon has Incorrect Behavior Order
An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix...
GHSA-8GPM-H2MH-36QC Eclipse BaSyx Java Server SDK vulnerable to Path Traversal
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an...
CLSA-2026-1778003565 Fix CVE(s): CVE-2026-40684, CVE-2026-40685, CVE-2026-40687
SECURITY UPDATE: out-of-bounds read in DNS reverse-lookup escape decoding when running against musl libc - debian/patches/CVE-2026-40684.patch: harden stringcopydnsdomain to consume 1, 2, or 3 digits incrementally instead of indexing past the input string when fewer than 3 digits follow a backsla...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal due to the getospath check in fileio.py in the file manager component. An attacker can read, write, and delete files outside the configured root directory by supplying a path whose resolved absolute path shares a...