EUVD-2026-25068

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

Directory Traversal

Overview @samanhappy/mcphub is an A hub server for mcp servers Affected versions of this package are vulnerable to Directory Traversal in the uploadMcpbFile process when the name field from the uploaded manifest.json is concatenated directly into file system paths without sanitization or...

EUVD-2026-25082

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

CVE-2026-33733

CVE-2026-33733 affects EspoCRM prior to version 9.3.4, where admin TemplateManager endpoints incorrectly handle attacker-controlled name and scope values. This allows an authenticated admin to use directory traversal (../) to escape the intended template directory and read, create, overwrite, or ...

DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

GHSA-X4MC-MQM7-GG39 uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute xattr preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with writ...

uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...

GHSA-M26V-HJQ3-X245 uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...

EUVD-2026-24994

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...

libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion

A flaw was found in libpng. A remote attacker could exploit an out-of-bounds read and write vulnerability in the ARM/AArch64 Neon-optimized palette expansion path. This occurs when processing a final partial chunk of 8-bit paletted rows without verifying sufficient input pixels, leading to...

GHSA-8847-338W-5HCJ i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Summary Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled inpu...

i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Summary Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled inpu...

Directory Traversal

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Directory Traversal via the upload function. An attacker can write arbitrary files to the filesystem and execute remote code by uploading a crafted ZIP archive containing...

CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE

Summary ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations Zip Slip and achieve remote code execution by dropping a PHP file under the publ...

GHSA-XP9F-PVVC-57P4 CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE

Summary ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations Zip Slip and achieve remote code execution by dropping a PHP file under the...

Directory Traversal

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Directory Traversal in the restore process. An attacker can write arbitrary files to the filesystem and execute code by uploading a specially crafted ZIP archive containin...

CVE-2026-35356

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...

CVE-2026-35359

A Time-of-Check to Time-of-Use TOCTOU vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the ONOFOLLOW flag. An attacker with...

CVE-2026-31437

A flaw was found in the Linux kernel's netfs component. When a write operation is retried, the netfsunbufferedwrite function can attempt to access a non-existent function, leading to a NULL pointer dereference. This vulnerability can be triggered by specific filesystem configurations, such as 9P,...