Common Weakness Enumeration

CWE-23

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CVE-2026-2818 (GCVE-0-2026-2818)

Vulnerability from cvelistv5 – Published: 2026-02-20 16:03 – Updated: 2026-07-15 01:12 Unsupported When Assigned X_Open Source
VLAI
Title
Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)
Summary
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
VMware Spring Data Geode Affected: 2.0.0.RELEASE , ≤ 2.7.18 (maven)
Create a notification for this product.
VMware Spring Data Gemfire Affected: 1.7.0.RELEASE , ≤ 2.2.13.RELEASE (maven)
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2818",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T20:12:17.872342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T20:12:35.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "spring-data-geode",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-02-20T16:03:21.032Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Spring Data Geode. This zip-slip path traversal vulnerability in the import snapshot functionality allows attackers to write files outside the intended extraction directory. This can lead to unauthorized modification of system files or the introduction of malicious content. This vulnerability primarily affects systems running on Windows operating systems."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:12:00.937Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-2818"
          },
          {
            "name": "RHBZ#2441384",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441384"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2818.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-20T17:03:16.830Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-02-20T16:03:21.032Z",
            "value": "Made public."
          }
        ],
        "title": "org.springframework.data/spring-data-geode: Spring Data Geode: Path traversal vulnerability allows arbitrary file write via import snapshot functionality.",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "org.springframework.data:spring-data-geode",
          "product": "Spring Data Geode",
          "repo": "https://github.com/spring-attic/spring-data-geode",
          "vendor": "VMware",
          "versions": [
            {
              "lessThanOrEqual": "2.7.18",
              "status": "affected",
              "version": "2.0.0.RELEASE",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageName": "org.springframework.data:spring-data-gemfire",
          "product": "Spring Data Gemfire",
          "repo": "https://github.com/spring-attic/spring-data-gemfire",
          "vendor": "VMware",
          "versions": [
            {
              "lessThanOrEqual": "2.2.13.RELEASE",
              "status": "affected",
              "version": "1.7.0.RELEASE",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A zip-slip path traversal vulnerability in Spring Data Geode\u0027s import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.\u003cbr\u003e"
            }
          ],
          "value": "A zip-slip path traversal vulnerability in Spring Data Geode\u0027s import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        },
        {
          "capecId": "CAPEC-139",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-139 Relative Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23 Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T16:03:21.032Z",
        "orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
        "shortName": "HeroDevs"
      },
      "references": [
        {
          "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2818"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned",
        "x_open-source"
      ],
      "title": "Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
    "assignerShortName": "HeroDevs",
    "cveId": "CVE-2026-2818",
    "datePublished": "2026-02-20T16:03:21.032Z",
    "dateReserved": "2026-02-19T17:07:41.627Z",
    "dateUpdated": "2026-07-15T01:12:00.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29098 (GCVE-0-2026-29098)

Vulnerability from cvelistv5 – Published: 2026-03-19 22:43 – Updated: 2026-03-20 17:45
VLAI
Title
SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
SuiteCRM SuiteCRM Affected: < 7.15.1
Affected: >= 8.0.0, < 8.9.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29098",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T17:43:50.482877Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T17:45:30.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuiteCRM",
          "vendor": "SuiteCRM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.15.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T22:47:11.424Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf"
        },
        {
          "name": "https://docs.suitecrm.com/admin/releases/7.15.x",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.suitecrm.com/admin/releases/7.15.x"
        }
      ],
      "source": {
        "advisory": "GHSA-6858-fhw5-56gf",
        "discovery": "UNKNOWN"
      },
      "title": "SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29098",
    "datePublished": "2026-03-19T22:43:58.568Z",
    "dateReserved": "2026-03-03T21:54:06.708Z",
    "dateUpdated": "2026-03-20T17:45:30.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29101 (GCVE-0-2026-29101)

Vulnerability from cvelistv5 – Published: 2026-03-19 22:51 – Updated: 2026-03-20 18:09
VLAI
Title
SuiteCRM Vulnerable to Directory Traversal to DoS in Modules
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
SuiteCRM SuiteCRM Affected: < 7.15.1
Affected: >= 8.0.0, < 8.9.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29101",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:59:10.693199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T18:09:29.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuiteCRM",
          "vendor": "SuiteCRM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.15.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T22:51:47.718Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg"
        },
        {
          "name": "https://docs.suitecrm.com/admin/releases/7.15.x",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.suitecrm.com/admin/releases/7.15.x"
        }
      ],
      "source": {
        "advisory": "GHSA-24pf-9cvh-ppcg",
        "discovery": "UNKNOWN"
      },
      "title": "SuiteCRM Vulnerable to Directory Traversal to DoS in Modules"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29101",
    "datePublished": "2026-03-19T22:51:47.718Z",
    "dateReserved": "2026-03-03T21:54:06.708Z",
    "dateUpdated": "2026-03-20T18:09:29.978Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29201 (GCVE-0-2026-29201)

Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-13 21:59
VLAI
Summary
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
Impacted products
Vendor Product Version
WebPros cPanel Affected: 11.136.0.0 , < 11.136.0.9 (semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver)
Affected: 11.132.0.0 , < 11.132.0.31 (semver)
Affected: 11.130.0.0 , < 11.130.0.22 (semver)
Affected: 11.126.0.0 , < 11.126.0.58 (semver)
Affected: 11.124.0.0 , < 11.124.0.37 (semver)
Affected: 11.118.0.0 , < 11.118.0.66 (semver)
Affected: 11.110.0.0 , < 11.110.0.117 (semver)
Affected: 11.102.0.0 , < 11.102.0.41 (semver)
Affected: 11.94.0.0 , < 11.94.0.30 (semver)
Affected: 11.86.0.0 , < 11.86.0.43 (semver)
Create a notification for this product.
WebPros WP Squared Affected: 11.136.1.0 , < 11.136.1.11 (semver)
Create a notification for this product.
WebPros cPanel (CloudLinux 6, CentOS 6) Affected: 11.110.0.0 , < 11.110.0.116 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29201",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T19:52:34.386985Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T19:52:40.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "cPanel",
          "vendor": "WebPros",
          "versions": [
            {
              "lessThan": "11.136.0.9",
              "status": "affected",
              "version": "11.136.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.134.0.25",
              "status": "affected",
              "version": "11.134.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.132.0.31",
              "status": "affected",
              "version": "11.132.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.130.0.22",
              "status": "affected",
              "version": "11.130.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.126.0.58",
              "status": "affected",
              "version": "11.126.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.124.0.37",
              "status": "affected",
              "version": "11.124.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.118.0.66",
              "status": "affected",
              "version": "11.118.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.110.0.117",
              "status": "affected",
              "version": "11.110.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.102.0.41",
              "status": "affected",
              "version": "11.102.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.94.0.30",
              "status": "affected",
              "version": "11.94.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.86.0.43",
              "status": "affected",
              "version": "11.86.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Squared",
          "vendor": "WebPros",
          "versions": [
            {
              "lessThan": "11.136.1.11",
              "status": "affected",
              "version": "11.136.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "cPanel (CloudLinux 6, CentOS 6)",
          "vendor": "WebPros",
          "versions": [
            {
              "lessThan": "11.110.0.116",
              "status": "affected",
              "version": "11.110.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23 Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T21:59:09.469Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-29201",
    "datePublished": "2026-05-08T18:51:05.803Z",
    "dateReserved": "2026-03-04T15:00:09.267Z",
    "dateUpdated": "2026-05-13T21:59:09.469Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29778 (GCVE-0-2026-29778)

Vulnerability from cvelistv5 – Published: 2026-03-07 15:28 – Updated: 2026-03-09 18:26
VLAI
Title
pyLoad: Arbitrary File Write via Path Traversal in edit_package()
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
pyload pyload Affected: >= 0.5.0b3.dev13, < 0.5.0b3.dev97
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29778",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T17:52:31.612889Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T18:26:46.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pyload",
          "vendor": "pyload",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0b3.dev13, \u003c 0.5.0b3.dev97"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T15:28:36.919Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"
        }
      ],
      "source": {
        "advisory": "GHSA-6px9-j4qr-xfjw",
        "discovery": "UNKNOWN"
      },
      "title": "pyLoad: Arbitrary File Write via Path Traversal in edit_package()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29778",
    "datePublished": "2026-03-07T15:28:36.919Z",
    "dateReserved": "2026-03-04T16:26:02.898Z",
    "dateUpdated": "2026-03-09T18:26:46.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31831 (GCVE-0-2026-31831)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:42 – Updated: 2026-03-31 19:09
VLAI
Title
Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint
Summary
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
Tautulli Tautulli Affected: < 2.17.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31831",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:39:50.406586Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T19:09:40.491Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tautulli",
          "vendor": "Tautulli",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server\u0027s filesystem. This issue has been patched in version 2.17.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:42:23.002Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"
        },
        {
          "name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"
        }
      ],
      "source": {
        "advisory": "GHSA-xp55-2pf4-fv8m",
        "discovery": "UNKNOWN"
      },
      "title": "Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31831",
    "datePublished": "2026-03-30T19:42:23.002Z",
    "dateReserved": "2026-03-09T17:41:56.077Z",
    "dateUpdated": "2026-03-31T19:09:40.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31927 (GCVE-0-2026-31927)

Vulnerability from cvelistv5 – Published: 2026-04-17 19:24 – Updated: 2026-07-10 22:35
VLAI
Title
Anviz CX7 Firmware Relative Path Traversal
Summary
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Anviz Anviz CX7 Firmware Affected: All versions
Create a notification for this product.
Credits
An anonymous researcher reported this vulnerability to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31927",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T20:34:19.788440Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T20:34:41.679Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Anviz CX7 Firmware",
          "vendor": "Anviz",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "An anonymous researcher reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Anviz CX7 Firmware\u0026nbsp;is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug\u2011setting changes."
            }
          ],
          "value": "Anviz CX7 Firmware\u00a0is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug\u2011setting changes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T22:35:14.120Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.anviz.com/contact-us.html"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
        }
      ],
      "source": {
        "advisory": "ICSA-26-106-03",
        "discovery": "EXTERNAL"
      },
      "title": "Anviz CX7 Firmware Relative Path Traversal",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Anviz did not respond to CISA\u0027s attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at \u003ca href=\"https://www.anviz.com/contact-us.html\"\u003ehttps://www.anviz.com/contact-us.html\u003c/a\u003e."
            }
          ],
          "value": "Anviz did not respond to CISA\u0027s attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at  https://www.anviz.com/contact-us.html ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-31927",
    "datePublished": "2026-04-17T19:24:53.893Z",
    "dateReserved": "2026-04-14T15:42:14.030Z",
    "dateUpdated": "2026-07-10T22:35:14.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32725 (GCVE-0-2026-32725)

Vulnerability from cvelistv5 – Published: 2026-03-31 17:01 – Updated: 2026-04-03 16:14
VLAI
Title
SciTokens C++: Relative Path Traversal Vulnerability
Summary
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
scitokens scitokens-cpp Affected: < 1.4.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32725",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T16:14:03.357530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T16:14:20.163Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "scitokens-cpp",
          "vendor": "scitokens",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses \"..\" path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T17:01:46.776Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp"
        },
        {
          "name": "https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08"
        }
      ],
      "source": {
        "advisory": "GHSA-rqcx-mc9w-pjxp",
        "discovery": "UNKNOWN"
      },
      "title": "SciTokens C++: Relative Path Traversal Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32725",
    "datePublished": "2026-03-31T17:01:46.776Z",
    "dateReserved": "2026-03-13T15:02:00.625Z",
    "dateUpdated": "2026-04-03T16:14:20.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33206 (GCVE-0-2026-33206)

Vulnerability from cvelistv5 – Published: 2026-03-27 13:53 – Updated: 2026-03-27 14:48
VLAI
Title
calibre has a path traversal vulnerability
Summary
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
kovidgoyal calibre Affected: < 9.6.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33206",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:48:39.922938Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:48:44.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre\u0027 handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T13:53:22.833Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6"
        }
      ],
      "source": {
        "advisory": "GHSA-h3p4-m74f-43g6",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has a path traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33206",
    "datePublished": "2026-03-27T13:53:22.833Z",
    "dateReserved": "2026-03-17T23:23:58.312Z",
    "dateUpdated": "2026-03-27T14:48:44.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33435 (GCVE-0-2026-33435)

Vulnerability from cvelistv5 – Published: 2026-04-15 18:13 – Updated: 2026-04-15 18:40
VLAI
Title
Weblate: Remote code execution during backup restoration
Summary
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
WeblateOrg weblate Affected: < 5.17
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33435",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T18:40:18.548374Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T18:40:27.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "weblate",
          "vendor": "WeblateOrg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.17"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn\u0027t filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T18:13:07.568Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"
        },
        {
          "name": "https://github.com/WeblateOrg/weblate/pull/18549",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/weblate/pull/18549"
        }
      ],
      "source": {
        "advisory": "GHSA-558g-h753-6m33",
        "discovery": "UNKNOWN"
      },
      "title": "Weblate: Remote code execution during backup restoration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33435",
    "datePublished": "2026-04-15T18:13:07.568Z",
    "dateReserved": "2026-03-19T18:45:22.436Z",
    "dateUpdated": "2026-04-15T18:40:27.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-5.1

Phase: Implementation

Strategy: Input Validation

Description:

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation ID: MIT-20.1

Phase: Implementation

Strategy: Input Validation

Description:

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation ID: MIT-29

Phase: Operation

Strategy: Firewall

Description:

  • Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Back to CWE stats page