The Network · 2026-03-06 23:12:48 · ai
A critical security vulnerability has been identified in a student registration system's document upload feature. The system lacks fundamental security validations, including file type whitelisting, file size limits, and secure file naming conventions. This exposes the system to significant risks, such as malware uploa...
The Lab · 2026-03-25 13:27:26 · GitHub Issues
A critical security flaw has been confirmed in a test application, exposing its internal configuration to potential attackers. The vulnerability, classified with a severity of CRITICAL, allows for file path manipulation attacks. A test payload containing the path `../WEB-INF/web.xml` was successfully submitted to the a...
The Lab · 2026-03-26 05:27:08 · GitHub Issues
A critical security flaw in Tekton Pipelines' git resolver allows authenticated users to read any file from the underlying pod's filesystem, including sensitive ServiceAccount tokens. The vulnerability, tracked as CVE-2026-33211, stems from improper path validation in the `getFileContent()` function, enabling path trav...
The Lab · 2026-03-26 13:27:31 · GitHub Issues
A critical file path manipulation vulnerability has been confirmed in a staging environment, allowing unauthorized access to a sensitive server configuration file. The attack succeeded by submitting a simple payload containing '../WEB-INF/web.xml' through a user-controllable parameter, which the server then processed a...
The Lab · 2026-03-27 19:27:25 · GitHub Issues
A serious path traversal vulnerability has been publicly identified in versions 11.1.2 and earlier of the PitchPrint plugin for WordPress. The vulnerability, designated CVE-2026-22448, can be exploited remotely over the network and lets an attacker delete arbitrary files on the system with low attack complexity. Its CVSS 3.1 base score is 7.5 (High), so immediate attention is warranted.
The vulnerability affects the PitchPrint product from the plugin's developer, flexcubed. According to the attack vector analysis, the attacker needs no special privileges or user interaction...
The Lab · 2026-03-30 00:26:54 · GitHub Issues
A critical security vulnerability has been identified in the widely used 'basic-ftp' npm package, exposing dependent applications to potential path traversal attacks. The flaw, discovered during a security audit on March 30, 2026, resides specifically within the package's `downloadToDir()` method. This vulnerability al...
The Lab · 2026-03-30 20:27:27 · GitHub Issues
A critical security flaw in the Moby BuildKit toolchain has been patched; until fixed, it exposed container build pipelines to potential file system compromise. The vulnerability, tracked as CVE-2026-33747, allows a malicious or compromised BuildKit frontend to write files outside the designated BuildKit state directory. This path tr...
The Lab · 2026-03-31 01:27:02 · GitHub Issues
A critical path traversal vulnerability exists within the Sethlans worker agent, allowing a maliciously crafted zip archive to write files anywhere on the host filesystem. The flaw resides in the agent's use of Python's `shutil.unpack_archive()` function, which does not validate member paths before extraction. An attac...
The Lab · 2026-03-31 01:27:04 · GitHub Issues
A critical path traversal vulnerability in the Sethlans worker agent's asset manager could allow a malicious or compromised manager to read from or write to arbitrary locations on the host filesystem. The flaw resides in how the agent constructs local file paths from URLs provided by the manager, failing to validate th...
The Lab · 2026-03-31 03:27:09 · GitHub Issues
A critical security flaw in the popular Animal Sounds and Ringtones app allows attackers to overwrite any file within the app's internal storage, creating a direct path to potential code execution and data theft. The vulnerability, found in version V1.3.0 of the app published by PEAKSEL D.O.O. NIS, stems from a complet...
The Lab · 2026-03-31 15:27:20 · GitHub Issues
A critical path traversal vulnerability in the admin panel's ingestion function allows authenticated users to copy and process sensitive system files from anywhere on the server. The flaw resides in the `_run_ingestion()` function within `src/ui/admin.py`, which accepts a `target_path` parameter and copies the specifie...
The Lab · 2026-04-02 15:27:24 · GitHub Issues
A critical security flaw in the character service's image upload function exposes servers to potential compromise. The vulnerability, identified in `character_service.py`, stems from inadequate validation that could allow attackers to bypass directory restrictions and upload files to arbitrary locations on the server. ...
The Lab · 2026-04-02 17:27:25 · GitHub Issues
A newly disclosed vulnerability in Kibana's archive extraction process allows a maliciously crafted tar archive to bypass directory constraints and write files to arbitrary locations on the host filesystem. The flaw, tracked as CVE-2026-26960, resides in the `tar.extract()` function, which fails to properly validate th...
The Lab · 2026-04-06 02:26:58 · GitHub Issues
A critical security vulnerability in Open Policy Agent (OPA) has been patched: a path traversal flaw that could allow attackers to bypass policy enforcement and access unauthorized data. The vulnerability, tracked as CVE-2025-46569, resides in the HTTP Data API of OPA when run as a server. By crafting a specif...
The Lab · 2026-04-06 06:27:01 · GitHub Issues
A critical security flaw in the MCP (Model Context Protocol) server grants malicious clients unrestricted read access to the entire local filesystem. The vulnerability stems from a complete absence of path traversal containment or validation on tool parameters. Any MCP tool that accepts a `path` argument—including `ana...
The Lab · 2026-04-06 16:27:24 · GitHub Issues
A critical path traversal vulnerability has been identified in the Wanaku CLI's ZipHelper component, exposing systems to Zip Slip attacks. The flaw allows a maliciously crafted zip file to write arbitrary files outside the intended extraction directory, potentially leading to system compromise, data overwrite, or remot...
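Three of the entries above describe the same Zip Slip pattern in different projects: the Sethlans worker agent's `shutil.unpack_archive()` call, Kibana's `tar.extract()`, and the Wanaku CLI ZipHelper all take member names from the archive and write them relative to the destination without checking where they land. The following is an added example, not code from any of those projects, showing the check a reviewer would ask for: every member name is resolved against the destination before anything is written, the archive is refused as a whole if any member escapes, and for tar archives link members are refused too. The archives, member names and destination are constructed here for illustration; `build_zip`, `build_tar`, `contained_path` and `demo` are helpers of this example, not library APIs.

```python
"""Zip Slip and tar traversal: check every archive member against the
destination before anything is written.
Added example, not code from any of the projects reported above."""
import io
import tarfile
import tempfile
import zipfile
from pathlib import Path


class ArchiveTraversalError(ValueError):
    """Raised when an archive member would land outside the destination."""


def contained_path(dest: Path, name: str):
    """Resolved on-disk path for member `name`, or None if it would escape dest."""
    # resolve() collapses '..' and lets an absolute name replace dest, so a
    # parent check on the result catches '../x' and '/etc/x' alike.
    target = (dest / name).resolve()
    return target if target == dest or dest in target.parents else None


def check_zip(data: bytes, dest: str) -> list:
    """Names of zip members that would escape dest (empty list means clean)."""
    base = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if contained_path(base, i.filename) is None]


def check_tar(data: bytes, dest: str) -> list:
    """Names of tar members to refuse: traversal or absolute names, plus any member
    that is not a plain file or directory. A symlink pointing out of the tree would
    turn a later 'link/x' member into an out-of-tree write, so links are refused."""
    base = Path(dest).resolve()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()
                if not (m.isfile() or m.isdir()) or contained_path(base, m.name) is None]


def extract_zip_safely(data: bytes, dest: str) -> list:
    """Fail closed: refuse the whole archive if any member is bad, otherwise write
    members under dest and return the relative paths written."""
    base = Path(dest).resolve()
    bad = check_zip(data, dest)
    if bad:
        raise ArchiveTraversalError(f"refusing archive, offending members: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = contained_path(base, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(base).as_posix())
    return written


# Constructed sample archives (illustrative member names, not real payloads).
def build_zip(entries: dict) -> bytes:
    """In-memory zip; zipfile stores member names verbatim, '..' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_tar(entries: list) -> bytes:
    """In-memory tar from ('file', name, bytes) and ('symlink', name, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for kind, name, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


BENIGN_ZIP = build_zip({"scene/scene.blend": b"BLENDER", "scene/textures/wood.png": b"\x89PNG"})
MALICIOUS_ZIP = build_zip({
    "scene/scene.blend": b"BLENDER",
    "../../../etc/cron.d/backdoor": b"* * * * * root /tmp/x\n",  # classic Zip Slip member
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAA...\n",      # absolute-path member
})
MALICIOUS_TAR = build_tar([
    ("symlink", "out", "/home/worker"),        # plant a link out of the tree first...
    ("file", "scene/scene.blend", b"BLENDER"),
    ("file", "out/.bashrc", b"echo pwned\n"),  # ...then write through it
])


def demo() -> dict:
    """Run the benign extraction and the malicious refusal in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {"benign_written": extract_zip_safely(BENIGN_ZIP, tmp)}
        try:
            extract_zip_safely(MALICIOUS_ZIP, tmp)
            results["malicious_refused"] = False
        except ArchiveTraversalError:
            results["malicious_refused"] = True
    return results
```

Python 3.12 (and the 3.8 through 3.11 security releases that backported PEP 706) lets `tarfile` do the equivalent for tar archives with `extractall(path, filter="data")`; the explicit check still matters for zip archives, for older interpreters, and wherever the extraction code is not Python's `tarfile`.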
The Lab · 2026-04-07 01:26:55 · GitHub Issues
A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, exposing a path traversal and file hijack risk within its internal file extraction utility. The flaw, tracked as CVE-2026-25645, resides in the `requests.utils.extract_zipped_paths()` function. This utility uses a predicta...
The Lab · 2026-04-07 03:27:07 · GitHub Issues
A critical path traversal vulnerability has been identified in a document generation and download system, allowing attackers to read and write files outside the designated secure directory. The flaw, discovered during a code review, resides in the handling of user-supplied input for file format and file paths, enabling...
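Five of the entries above reduce to the same missing check: the Sethlans asset manager building local paths from manager-supplied URLs, the admin panel's `_run_ingestion()` and its `target_path`, the character service upload, the MCP server's `path` tool arguments, and the document generation system's file paths all join untrusted input onto a base directory and use the result without confirming it is still inside that directory. The following is an added example, not code from any of those projects: the naive join next to a resolve-then-`relative_to` containment check, plus a URL-to-cache-path mapper of the kind the Sethlans report describes. Directory names, URLs and file names are constructed for illustration, and `naive_join`, `resolve_within`, `safe_relative` and `url_to_relative` are names chosen here.

```python
"""Containing user-supplied paths inside a base directory.
Added example, not code from any of the projects reported above."""
import os
from pathlib import Path, PurePosixPath
from typing import Optional
from urllib.parse import unquote, urlparse


class PathTraversalError(ValueError):
    """Raised when a candidate path would resolve outside its base directory."""


def naive_join(base_dir: str, user_path: str) -> str:
    """The pattern behind most of the reports above: join, normalise, and never
    check that the result is still under base_dir. '../WEB-INF/web.xml' walks up
    one level; an absolute user_path discards base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Join user_path onto base_dir and return the resolved path, or raise
    PathTraversalError if it lands anywhere else.

    resolve() collapses '..' segments and lets an absolute user_path replace
    base_dir, so one relative_to() check after resolution catches
    '../WEB-INF/web.xml', '/etc/passwd' and 'a/../../x' alike. relative_to()
    compares whole path components, which avoids the prefix bug where
    '/srv/uploads-old/x'.startswith('/srv/uploads') is true.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def safe_relative(base_dir: str, user_path: str) -> Optional[str]:
    """The contained path relative to base_dir as a POSIX string, or None if the
    input was rejected (convenient for logging and for tests)."""
    try:
        resolved = resolve_within(base_dir, user_path)
    except PathTraversalError:
        return None
    return resolved.relative_to(Path(base_dir).resolve()).as_posix()


def url_to_relative(base_dir: str, url: str) -> Optional[str]:
    """Map an asset URL supplied by a remote peer onto a local cache path, as an
    agent fetching assets from a manager might. Percent-escapes are decoded
    *before* the containment check so '%2e%2e%2f' cannot slip past it, and the
    host part of the URL never becomes part of the local path."""
    path = unquote(urlparse(url).path)
    parts = [p for p in PurePosixPath(path).parts if p not in ("/", "")]
    if not parts:
        return None
    return safe_relative(base_dir, "/".join(parts))
```

The check must run on the final, decoded form of the input: decoding after the check, or checking a prefix string instead of path components, are the two ways this containment test is usually defeated in practice.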
The Lab · 2026-04-08 05:27:02 · GitHub Issues
A critical security vulnerability in the popular Hono.js web framework allows attackers to write files outside the intended directory during static site generation, posing a severe risk of arbitrary file creation and potential server compromise. The flaw, tracked as CVE-2026-39408, resides in the `toSSG()` function and...
The Lab · 2026-04-08 05:27:04 · GitHub Issues
A critical security flaw in the popular Hono.js web framework's static site generation feature has been disclosed, posing a direct risk of arbitrary file writes on affected systems. The vulnerability, tracked as CVE-2026-39408, resides within the `toSSG()` function. It allows an attacker to craft malicious dynamic rout...