Monthly
Path traversal in OpenWrt's cgi-io cgi-download handler (prior to 25.12.5) allows an authenticated administrator to read arbitrary root-readable files - including /etc/shadow - by exploiting a TOCTOU-style authorization flaw where ACL checks occur before path canonicalization. The rpcd session.c ACL matcher uses fnmatch() without FNM_PATHNAME, meaning a wildcard-prefixed ACL entry (e.g., /etc/config/*) can be defeated by appending ../ sequences that pass the ACL check but resolve to an out-of-scope file when open() is called. No public exploit identified at time of analysis; vendor-released patch is available in v25.12.5.
Arbitrary file write in Splunk Enterprise (versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, 9.3.14) and Splunk Cloud Platform lets a privileged user with the edit_local_apps and install_apps capabilities abuse the app-installation workflow to write files outside the target app directory into $SPLUNK_HOME/etc/ and its subdirectories. The flaw is a path traversal (CWE-22) that can be leveraged to overwrite Splunk configuration and system files, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Path traversal in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows a remote, authenticated attacker with administrative credentials to read or delete arbitrary files on the underlying operating system via crafted HTTP requests. Successful exploitation could expose sensitive configuration or credential files, or trigger destructive deletion of system files. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the high confidentiality impact and the critical role ISE plays in enterprise network access control make this notable for environments running affected versions.
Zip-slip path traversal in File Browser 2.63.6–2.63.16 allows a low-privileged user with upload permission to plant a POSIX backslash-named file that the archive builder incorrectly normalizes into a directory traversal sequence, enabling arbitrary file write on any victim who downloads and extracts the generated archive. The root cause is the server-side conversion of `\` to `/` in archive entry names, which manufactures paths like `../../evil.sh` from the legal POSIX filename `..\..\evil.sh`. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack chain is straightforward for any user with upload access.
Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.
Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. VulnCheck reported the issue; no public exploit identified at time of analysis and it is not in CISA KEV.
Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.
File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. No public exploit or active exploitation has been identified at time of analysis, but the low complexity and broad impact on connected downstream systems make this a meaningful risk in multi-tenant or partially-trusted deployments.
Path traversal in mastergo-magic-mcp versions up to 0.2.0 allows local low-privileged attackers to read and write files outside the intended working directory by supplying manipulated path sequences via the `rootPath` argument of the `mcp__getComponentGenerator` component's `execute` function. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P), and the vendor has not responded to the issue report, leaving no patch available at time of analysis. No public exploitation (CISA KEV) has been confirmed, and the local-only attack vector significantly constrains the realistic threat surface.
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.
Path traversal in OpenWrt's cgi-io cgi-download handler (prior to 25.12.5) allows an authenticated administrator to read arbitrary root-readable files - including /etc/shadow - by exploiting a TOCTOU-style authorization flaw where ACL checks occur before path canonicalization. The rpcd session.c ACL matcher uses fnmatch() without FNM_PATHNAME, meaning a wildcard-prefixed ACL entry (e.g., /etc/config/*) can be defeated by appending ../ sequences that pass the ACL check but resolve to an out-of-scope file when open() is called. No public exploit identified at time of analysis; vendor-released patch is available in v25.12.5.
Arbitrary file write in Splunk Enterprise (versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, 9.3.14) and Splunk Cloud Platform lets a privileged user with the edit_local_apps and install_apps capabilities abuse the app-installation workflow to write files outside the target app directory into $SPLUNK_HOME/etc/ and its subdirectories. The flaw is a path traversal (CWE-22) that can be leveraged to overwrite Splunk configuration and system files, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Path traversal in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows a remote, authenticated attacker with administrative credentials to read or delete arbitrary files on the underlying operating system via crafted HTTP requests. Successful exploitation could expose sensitive configuration or credential files, or trigger destructive deletion of system files. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the high confidentiality impact and the critical role ISE plays in enterprise network access control make this notable for environments running affected versions.
Zip-slip path traversal in File Browser 2.63.6–2.63.16 allows a low-privileged user with upload permission to plant a POSIX backslash-named file that the archive builder incorrectly normalizes into a directory traversal sequence, enabling arbitrary file write on any victim who downloads and extracts the generated archive. The root cause is the server-side conversion of `\` to `/` in archive entry names, which manufactures paths like `../../evil.sh` from the legal POSIX filename `..\..\evil.sh`. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack chain is straightforward for any user with upload access.
Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.
Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. VulnCheck reported the issue; no public exploit identified at time of analysis and it is not in CISA KEV.
Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.
File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. No public exploit or active exploitation has been identified at time of analysis, but the low complexity and broad impact on connected downstream systems make this a meaningful risk in multi-tenant or partially-trusted deployments.
Path traversal in mastergo-magic-mcp versions up to 0.2.0 allows local low-privileged attackers to read and write files outside the intended working directory by supplying manipulated path sequences via the `rootPath` argument of the `mcp__getComponentGenerator` component's `execute` function. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P), and the vendor has not responded to the issue report, leaving no patch available at time of analysis. No public exploitation (CISA KEV) has been confirmed, and the local-only attack vector significantly constrains the realistic threat surface.
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.