9 matches found
Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename
Summary: filepath.Base on the Linux container does not strip backslashes, because \ is only a path separator on Windows. A multipart filename like ........\Windows\System32\evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route...
CVE-2026-2405
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests...
concretecms resource management error vulnerability
ConcreteCMS is an open-source content management system developed by Concrete. Version 9.4.7 of ConcreteCMS contains a vulnerability related to resource management. This vulnerability stems from improper memory management during the creation of zip archives by the file manager component, which ma...
PT-2025-48950
Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the /Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius...
CVE-2025-65843
Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the /Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius...
jszip security vulnerability
jszip is a JavaScript library for creating, reading and editing .zip files. A security vulnerability exists in jszip versions prior to 3.7.0, which stems from the fact that when a new zip file is created with the filename set to an object prototype value, an object with a modified instance of the...
Internet Bug Bounty: CVE-2017-12858: Heap UAF in _zip_buffer_free() / Double free in _zip_dirent_read()
libzip is a C library for reading, creating, and modifying zip archives. A partial list of projects using libzip includes: Plex Home Theater, MySQL Workbench, ckmame, fuse-zip, lua-zip, php zip extension, zipruby, Endeavour2, FreeDink, DeaDBeeF vfszip plugin, OpenLierox, ebook-tools, PDF Expert,...