Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-73GH-39WP-XM6C

Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31
VLAI
Details

A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-30T12:15:17Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the \u201cManages app data\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request.",
  "id": "GHSA-73gh-39wp-xm6c",
  "modified": "2025-04-30T12:31:24Z",
  "published": "2025-04-30T12:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24343"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-73GX-X7R9-77X2

Vulnerability from github – Published: 2025-02-26 20:07 – Updated: 2025-10-16 20:41
VLAI
Summary
Mautic allows Remote Code Execution and File Deletion in Asset Uploads
Details

Summary

This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users.

  • Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts.

  • Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system.

Mitigation

Please update to 5.2.3 or later.

Workarounds

None

References

https://owasp.org/www-community/attacks/Code_Injection https://owasp.org/www-community/attacks/Path_Traversal

If you have any questions or comments about this advisory:

Email us at security@mautic.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-26T20:07:45Z",
    "nvd_published_at": "2025-02-26T13:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThis advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3.  These vulnerabilities could be exploited by authenticated users.\n\n* **Remote Code Execution (RCE) via Asset Upload:**  A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts.\n\n* **Path Traversal File Deletion:** A Path Traversal vulnerability exists in the upload validation process.  Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system. \n  \n### Mitigation\nPlease update to 5.2.3 or later.\n\n### Workarounds\nNone\n\n### References\nhttps://owasp.org/www-community/attacks/Code_Injection\nhttps://owasp.org/www-community/attacks/Path_Traversal\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@mautic.org](mailto:security@mautic.org)",
  "id": "GHSA-73gx-x7r9-77x2",
  "modified": "2025-10-16T20:41:27Z",
  "published": "2025-02-26T20:07:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-73gx-x7r9-77x2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47051"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/commit/75bc488ce98b9c8ec01114984049fc1c42c0cae5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Code_Injection"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Path_Traversal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mautic allows Remote Code Execution and File Deletion in Asset Uploads"
}

GHSA-75JV-VFXF-3865

Vulnerability from github – Published: 2025-07-25 14:15 – Updated: 2025-08-12 13:26
VLAI
Summary
Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code
Details

Path-Traversal -> Arbitrary File Write in Assemblyline Service Client

IMPORTANT: This vulnerability is valid if you decide to use the assemblyline-service-client outside of the normal practice to using Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as assemblyline-v4-service which ensures filesystem-level permissions of what the running user is allowed to access. Furthermore, there is fewer chances for a MiTM compromise when deployed properly in a Docker or Kubernetes deployment where the platform will assign the correct network policies to secure connections between containers instead of relying on the user to set this up manually.

See https://github.com/CybercentreCanada/assemblyline/issues/382 for further discussion.


1. Summary

The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.

No validation / sanitisation is performed.

A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.


2. Affected Versions

Item Value
Component assemblyline-service-client
Repository CybercentreCanada/assemblyline-service-client
Affected All releases up to master branch.

3. CVSS 3.1 Vector & Score

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

4. Technical Details

Field Content
Location assemblyline_service_client/task_handler.py, inside download_file()
Vulnerable Line file_path = os.path.join(self.tasking_dir, sha256)
Root Cause The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation.
Exploit Flow 1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.
2. Client writes the response body to /etc/cron.d/evil.
3. Achieves arbitrary file write (code execution if file is executable).

5. Impact

  • Integrity – Overwrite any file writable by the service UID (often root).
  • Availability – Corrupt critical files or exhaust disk space.
  • Code Execution – Drop cron jobs, systemd units, or overwrite binaries.

6. Mitigation / Fix

import re

_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')

def download_file(self, sha256: str, sid: str) -> Optional[str]:
    if not _SHA256_RE.fullmatch(sha256):
        self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
        self.status = STATUSES.ERROR_FOUND
        return None
    # or your preferred way to check if a string is a shasum.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "assemblyline-service-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.0.stable11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "assemblyline-service-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.6.1.dev0"
            },
            {
              "fixed": "4.6.1.dev138"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T14:15:48Z",
    "nvd_published_at": "2025-08-09T03:15:47Z",
    "severity": "MODERATE"
  },
  "details": "**Path-Traversal -\u003e Arbitrary File Write in Assemblyline Service Client**\n\n**IMPORTANT**: This vulnerability is valid if you decide to use the assemblyline-service-client outside of the normal practice to using Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as [assemblyline-v4-service](https://github.com/CybercentreCanada/assemblyline-v4-service) which ensures filesystem-level permissions of what the running user is allowed to access. Furthermore, there is fewer chances for a MiTM compromise when deployed properly in a Docker or Kubernetes deployment where the platform will assign the correct network policies to secure connections between containers instead of relying on the user to set this up manually.\n\nSee https://github.com/CybercentreCanada/assemblyline/issues/382 for further discussion.\n\n---\n\n## 1. Summary  \nThe Assemblyline 4 **service client** (`task_handler.py`) accepts a SHA-256 value returned by the service **server** and uses it directly as a local file name.  \n\u003e No validation / sanitisation is performed.\n\nA **malicious or compromised server** (or any MITM that can speak to client) can return a path-traversal payload such as  \n`../../../etc/cron.d/evil`  \nand force the client to write the downloaded bytes to an arbitrary location on disk.\n\n---\n\n## 2. Affected Versions  \n| Item | Value |\n|---|---|\n| **Component** | `assemblyline-service-client` |\n| **Repository** | [CybercentreCanada/assemblyline-service-client](https://github.com/CybercentreCanada/assemblyline-service-client) |\n| **Affected** | **All releases up to master branch.**  |\n\n\n---\n\n## 3. CVSS 3.1 Vector \u0026 Score  \n```\nCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\n```\n\n\n---\n\n## 4. Technical Details\n\n| Field | Content |\n|---|---|\n| **Location** | `assemblyline_service_client/task_handler.py`, inside `download_file()` |\n| **Vulnerable Line** | `file_path = os.path.join(self.tasking_dir, sha256)` |\n| **Root Cause** | The `sha256` string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. |\n| **Exploit Flow** | 1. Attacker (service server) returns HTTP 200 for `GET /api/v1/file/../../../etc/cron.d/evil`.\u003cbr\u003e2. Client writes the response body to `/etc/cron.d/evil`.\u003cbr\u003e3. Achieves arbitrary file write (code execution if file is executable). |\n\n---\n\n## 5. Impact  \n- **Integrity** \u2013 Overwrite any file writable by the service UID (often root).  \n- **Availability** \u2013 Corrupt critical files or exhaust disk space.  \n- **Code Execution** \u2013 Drop cron jobs, systemd units, or overwrite binaries.\n\n---\n\n## 6. Mitigation / Fix\n\n```python\nimport re\n\n_SHA256_RE = re.compile(r\u0027^[0-9a-fA-F]{64}\\Z\u0027)\n\ndef download_file(self, sha256: str, sid: str) -\u003e Optional[str]:\n    if not _SHA256_RE.fullmatch(sha256):\n        self.log.error(f\"[{sid}] Invalid SHA256: {sha256}\")\n        self.status = STATUSES.ERROR_FOUND\n        return None\n    # or your preferred way to check if a string is a shasum.\n```\n---",
  "id": "GHSA-75jv-vfxf-3865",
  "modified": "2025-08-12T13:26:14Z",
  "published": "2025-07-25T14:15:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CybercentreCanada/assemblyline-service-client"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code "
}

GHSA-76MM-JG8W-RCJ3

Vulnerability from github – Published: 2025-08-06 21:31 – Updated: 2025-08-06 21:31
VLAI
Details

A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T21:15:29Z",
    "severity": "MODERATE"
  },
  "details": "A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized \u0027file_get_contents()\u0027 function call in \u0027/api_vedo/template\u0027.",
  "id": "GHSA-76mm-jg8w-rcj3",
  "modified": "2025-08-06T21:31:40Z",
  "published": "2025-08-06T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jacopoaugelli/vedo-suite-exploits"
    },
    {
      "type": "WEB",
      "url": "http://vedo.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76Q8-QPVR-6MHP

Vulnerability from github – Published: 2025-02-24 00:30 – Updated: 2025-02-24 00:30
VLAI
Details

A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/app/profile_crud.php. The manipulation of the argument old_cat_img leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-24T00:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/app/profile_crud.php. The manipulation of the argument old_cat_img leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-76q8-qpvr-6mhp",
  "modified": "2025-02-24T00:30:55Z",
  "published": "2025-02-24T00:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/best-church-management-software-Delete-any-file.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.296594"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.296594"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.498188"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7793-HMG3-GH57

Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31
VLAI
Details

LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-61343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T18:16:58Z",
    "severity": "HIGH"
  },
  "details": "LibreBooking\u0027s email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.",
  "id": "GHSA-7793-hmg3-gh57",
  "modified": "2026-07-09T18:31:53Z",
  "published": "2026-07-09T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibreBooking/librebooking/pull/1456"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibreBooking/librebooking/commit/cb9b7ad9da0243bd105809f6a4a8a6b9147c71ea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibreBooking/librebooking/releases/tag/v5.1.0"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-190-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-61343"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-77CJ-JX2Q-994Q

Vulnerability from github – Published: 2024-12-16 09:31 – Updated: 2024-12-16 09:31
VLAI
Details

The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-16T07:15:06Z",
    "severity": "MODERATE"
  },
  "details": "The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user\u0027s system.",
  "id": "GHSA-77cj-jx2q-994q",
  "modified": "2024-12-16T09:31:10Z",
  "published": "2024-12-16T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12645"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-8303-3220b-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-8297-13670-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77JM-6QR9-XF3J

Vulnerability from github – Published: 2026-01-07 18:30 – Updated: 2026-01-07 18:30
VLAI
Details

@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-07T17:16:01Z",
    "severity": "HIGH"
  },
  "details": "@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its \"read_content\" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.",
  "id": "GHSA-77jm-6qr9-xf3j",
  "modified": "2026-01-07T18:30:26Z",
  "published": "2026-01-07T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylphxltd/filesystem-mcp/issues/134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylphxltd/filesystem-mcp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-792Q-Q67H-W579

Vulnerability from github – Published: 2023-10-24 01:35 – Updated: 2023-10-24 01:35
VLAI
Summary
Parse Server may crash when uploading file without extension
Details

Impact

Parse Server crashes when uploading a file without extension.

Patches

A permanent fix has been implemented to prevent the server from crashing.

Workarounds

There are no known workarounds.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579
  • Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1
  • Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "5.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-24T01:35:17Z",
    "nvd_published_at": "2023-10-25T18:17:36Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nParse Server crashes when uploading a file without extension.\n\n### Patches\n\nA permanent fix has been implemented to prevent the server from crashing.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579\n- Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1\n- Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6",
  "id": "GHSA-792q-q67h-w579",
  "modified": "2023-10-24T01:35:17Z",
  "published": "2023-10-24T01:35:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46119"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Parse Server may crash when uploading file without extension"
}

GHSA-79JV-P4W2-QGX9

Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30
VLAI
Details

A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T23:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.",
  "id": "GHSA-79jv-p4w2-qgx9",
  "modified": "2025-10-24T00:30:53Z",
  "published": "2025-10-24T00:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59776"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
    },
    {
      "type": "WEB",
      "url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.automationdirect.com/support/software-downloads"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.