Monthly
Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.
Arbitrary file read in the Xpro Elementor Addons - Pro WordPress plugin (versions ≤1.4.7) allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the web server process, including credential-bearing files such as wp-config.php. The vulnerability originates in the Draw SVG widget, which passes user-controlled input to a server-side file read operation without adequate path restriction (CWE-73). No public exploit code has been identified at time of analysis, and CISA has not added this to the KEV catalog; however, successful exploitation fully compromises the confidentiality of server-side data.
OS command injection in Perl's HTTP::Daemon before 6.17 (libwww-perl) lets remote unauthenticated attackers execute commands as the daemon process UID when request-derived input reaches the send_file() method. The method opened its string argument with Perl's 2-argument open(), whose magic prefixes ('| cmd', 'cmd |', '> path', '>> path') spawn subprocesses or write/truncate files; the read-pipe form additionally leaks subprocess stdout into the HTTP response body. There is no public exploit identified at time of analysis and no CISA KEV listing, but the upstream fix is released (6.17) and the patch diff is public, so the root cause is fully disclosed.
Destructive file operations in the CI4MS Fileeditor module (composer/ci4-cms-erp/ci4ms ≤ v0.31.8.0) allow an authenticated backend user to delete or rename arbitrary framework files - including the front controller, routing config, and authentication filter pipeline - producing a persistent denial of service that requires filesystem-level redeployment to recover. The root cause is an inconsistent application of the existing extension allowlist: while saveFile and createFile correctly gate writes through allowedFileTypes(), the deleteFileOrFolder and renameFile endpoints apply no such check to the source path, meaning any file inside ROOTPATH not named in the narrow $hiddenItems blocklist is reachable. A working curl-based proof-of-concept is publicly available via GitHub advisory GHSA-245j-xjvr-xvm5; no CISA KEV listing is present at time of analysis.
Arbitrary file disclosure in HSC MailInspector v5.3.3-7 allows unauthenticated remote attackers to read sensitive files from the host via a path traversal flaw in the exposed /vendor/phpunit/phpunit.php endpoint. The CVSS 7.5 rating reflects high confidentiality impact with no required privileges or user interaction, though EPSS remains very low at 0.05% (15th percentile) and there is no public exploit identified at time of analysis. The exposure of a PHPUnit development artifact in a production path mirrors a long-standing class of PHP supply-chain misconfigurations.
Arbitrary directory deletion in phpMyFAQ before 4.1.2 allows authenticated admins with the INSTANCE_DELETE permission to recursively delete directories outside the multisite clientFolder by submitting path traversal sequences in the client URL parameter. The flaw stems from Client::deleteClientFolder() stripping only the https:// scheme without canonicalizing or validating ../ segments before passing the path to Filesystem::deleteDirectory(). Publicly available exploit code exists (VulnCheck advisory and GHSA write-up include a PoC), though EPSS remains low at 0.04% and the issue is not listed in CISA KEV.
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
External control of file name or path in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.
Arbitrary file read in the Xpro Elementor Addons - Pro WordPress plugin (versions ≤1.4.7) allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the web server process, including credential-bearing files such as wp-config.php. The vulnerability originates in the Draw SVG widget, which passes user-controlled input to a server-side file read operation without adequate path restriction (CWE-73). No public exploit code has been identified at time of analysis, and CISA has not added this to the KEV catalog; however, successful exploitation fully compromises the confidentiality of server-side data.
OS command injection in Perl's HTTP::Daemon before 6.17 (libwww-perl) lets remote unauthenticated attackers execute commands as the daemon process UID when request-derived input reaches the send_file() method. The method opened its string argument with Perl's 2-argument open(), whose magic prefixes ('| cmd', 'cmd |', '> path', '>> path') spawn subprocesses or write/truncate files; the read-pipe form additionally leaks subprocess stdout into the HTTP response body. There is no public exploit identified at time of analysis and no CISA KEV listing, but the upstream fix is released (6.17) and the patch diff is public, so the root cause is fully disclosed.
Destructive file operations in the CI4MS Fileeditor module (composer/ci4-cms-erp/ci4ms ≤ v0.31.8.0) allow an authenticated backend user to delete or rename arbitrary framework files - including the front controller, routing config, and authentication filter pipeline - producing a persistent denial of service that requires filesystem-level redeployment to recover. The root cause is an inconsistent application of the existing extension allowlist: while saveFile and createFile correctly gate writes through allowedFileTypes(), the deleteFileOrFolder and renameFile endpoints apply no such check to the source path, meaning any file inside ROOTPATH not named in the narrow $hiddenItems blocklist is reachable. A working curl-based proof-of-concept is publicly available via GitHub advisory GHSA-245j-xjvr-xvm5; no CISA KEV listing is present at time of analysis.
Arbitrary file disclosure in HSC MailInspector v5.3.3-7 allows unauthenticated remote attackers to read sensitive files from the host via a path traversal flaw in the exposed /vendor/phpunit/phpunit.php endpoint. The CVSS 7.5 rating reflects high confidentiality impact with no required privileges or user interaction, though EPSS remains very low at 0.05% (15th percentile) and there is no public exploit identified at time of analysis. The exposure of a PHPUnit development artifact in a production path mirrors a long-standing class of PHP supply-chain misconfigurations.
Arbitrary directory deletion in phpMyFAQ before 4.1.2 allows authenticated admins with the INSTANCE_DELETE permission to recursively delete directories outside the multisite clientFolder by submitting path traversal sequences in the client URL parameter. The flaw stems from Client::deleteClientFolder() stripping only the https:// scheme without canonicalizing or validating ../ segments before passing the path to Filesystem::deleteDirectory(). Publicly available exploit code exists (VulnCheck advisory and GHSA write-up include a PoC), though EPSS remains low at 0.04% and the issue is not listed in CISA KEV.
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
External control of file name or path in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.