21 matches found

NVD
added 2026/06/10 6:17 p.m. · 9 views

CVE-2026-50567

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result...

CVSS 7.7 · EPSS 0.00301
Exploits 0 · References 3

Tenable Nessus
added 2026/05/12 12:0 a.m. · 4 views

IBM MQ 9.1 < 9.1.0.34 LTS / 9.2 < 9.2.0.41 LTS / 9.3 < 9.3.0.37 LTS / 9.3 < 9.4.5.1 CD / 9.4 LTS RCE (7271933)

The version of IBM MQ Server running on the remote host is affected by a remote code execution vulnerability as referenced in the 7271933 advisory. - IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal...

CVSS 7.6 · AI score 6.5 · EPSS 0.0039
Exploits 0 · References 2

SUSE CVE
added 2026/04/08 11:24 p.m. · 3 views

SUSE CVE-2026-35177

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280...

CVSS 7.1 · AI score 5.9 · EPSS 0.00121
Exploits 0 · References 3

OSV
added 2026/04/08 11:40 a.m. · 3 views

SUSE-SU-2026:1051-1 Security update for vim

This update for vim fixes the following issues: Update Vim to version 9.2.0110: - CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip bsc1246602. - CVE-2026-26269: Netbeans specialKeys stack buffer overflow bsc1258229. - CVE-2026-28417: Fixed that a crafted URL parsed by...

CVSS 7.8 · AI score 7.2 · EPSS 0.01162
Exploits 1 · References 17

Tenable Nessus
added 2026/03/28 12:0 a.m. · 8 views

SUSE SLES15 Security Update : vim (SUSE-SU-2026:1095-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1095-1 advisory. Update Vim to version 9.2.0110: - CVE-2025-53906: Fixed that malicious zip archive may cause a path traversal in Vim's zip...

CVSS 7.8 · AI score 7.1 · EPSS 0.01162
Exploits 1 · References 25

Snyk
added 2026/03/10 8:44 p.m. · 16 views

Directory Traversal

Overview: @appium/support is a set of support libs used across Appium packages. Affected versions of this package are vulnerable to Directory Traversal in the extractAllTo function. An attacker can write arbitrary files outside the intended extraction directory by supplying a crafted ZIP archive containin...

CVSS 6.9 · AI score 6.3 · EPSS 0.00388
Exploits 1 · References 2

GitHub Security Blog
added 2026/03/10 6:31 p.m. · 5 views

Vaadin: Specially crafted ZIP archives can escape the intended extraction directory

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

CVSS 6.8 · AI score 5.8 · EPSS 0.00342
Exploits 0 · References 8 · Affected Software 1

Snyk
added 2026/02/26 3:23 p.m. · 3 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the restoreConfig function. An attacker can overwrite arbitrary files on the host system and cause permanent data loss by providing a maliciously crafted ZIP archive containing traversal paths and insufficient...

CVSS 8.6 · AI score 6.1 · EPSS 0.00739
Exploits 1 · References 3

Snyk
added 2026/02/26 3:23 p.m. · 5 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the restoreConfig function. An attacker can overwrite arbitrary files on the host system and cause permanent data loss by providing a maliciously crafted ZIP archive containing traversal paths and insufficient...

CVSS 8.6 · AI score 6.1 · EPSS 0.00739
Exploits 1 · References 3

NVD
added 2026/02/25 10:16 p.m. · 7 views

CVE-2026-27819

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the...

CVSS 7.2 · EPSS 0.00739
Exploits 1 · References 2

Positive Technologies
added 2026/01/17 12:0 a.m. · 4 views

PT-2026-4822

Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.28.1 Description: pnpm, a package manager, contains a flaw in its binary fetcher that permits malicious packages to write files outside the designated extraction directory. This issue arises from two attack vectors:...

CVSS 7.8 · AI score 5.9 · EPSS 0.00396
Exploits 1 · References 13

Tenable Nessus
added 2025/11/12 12:0 a.m. · 4 views

EulerOS 2.0 SP12 : vim (EulerOS-SA-2025-2345)

According to the versions of the vim packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of...

CVSS 4.1 · AI score 7.2 · EPSS 0.00731
Exploits 2 · References 3

OSV
added 2025/09/02 3:16 p.m. · 3 views

MGASA-2025-0226 Updated vim packages fix vulnerabilities

Path traversal issue with tar.vim and specially crafted tar archives in Vim 9.1.1552. CVE-2025-53905 Path traversal issue with zip.vim and specially crafted zip archives in Vim v9.1.1551. CVE-2025-53906...

CVSS 4.1 · AI score 7 · EPSS 0.00731
Exploits 2 · References 4

OSV
added 2023/12/19 10:15 p.m. · 4 views

CVE-2023-38126

Softing edgeAggregator Restore Configuration Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing edgeAggregator. Authentication is required to exploit this vulnerability. The specific fl...

CVSS 7.2 · AI score 6.2 · EPSS 0.68611
Exploits 0 · References 1

OSV
added 2023/10/16 5:15 p.m. · 4 views

CVE-2023-45685

Insufficient path validation when extracting a zip archive in South River Technologies' Titan MFT and Titan SFTP servers on Windows and Linux allows an authenticated attacker to write a file to any location on the filesystem via path traversal...

CVSS 9.1 · AI score 5.8 · EPSS 0.01481
Exploits 2 · References 2

ATTACKERKB
added 2022/09/11 1:43 p.m. · 0 views

CVE-2022-26049

This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve...

CVSS 8.8 · AI score 7.8 · EPSS 0.01809
Exploits 1 · References 4

OSV
added 2021/04/30 1:15 p.m. · 2 views

CVE-2021-28959

Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution...

CVSS 9.8 · AI score 7.5 · EPSS 0.16912
Exploits 0 · References 2

CNNVD
added 2021/04/30 12:0 a.m. · 4 views

Zoho ManageEngine Eventlog Analyzer Path Traversal Vulnerability

ZOHO ManageEngine EventLog Analyzer is a system and event log analysis software from ZOHO. A path traversal vulnerability exists in Zoho ManageEngine Eventlog Analyzer 12147 and earlier versions, which is caused by an unauthenticated directory traversal through a ZIP archive entry. An attacker...

CVSS 9.8 · AI score 6.2 · EPSS 0.16912
Exploits 0 · References 3

Positive Technologies
added 2019/06/26 12:0 a.m. · 2 views

PT-2019-5201 · Flightcrew +1

Name of the Vulnerable Software and Affected Versions: FlightCrew versions 0.9.2 and older Description: The issue is related to insufficient input validation in the EPUB validator, allowing attackers to write arbitrary files via a ../ dot dot slash in a ZIP archive entry that is mishandled during...

CVSS 7.8 · AI score 5.8 · EPSS 0.02026
Exploits 1 · References 20

CNVD
added 2018/06/06 12:0 a.m. · 3 views

Apache Storm Arbitrary File Write Vulnerability

Apache Storm is a free, open-source distributed real-time computing system from the Apache Software Foundation (United States), developed in the Clojure programming language. An arbitrary file write vulnerability exists in Apache Storm versions 1.0.6 and earlier and 1.2.1 and...

CVSS 5.8 · AI score 5.9 · EPSS 0.02361
Exploits 0 · References 1