Threats Tagged 'cwe-36'

View all threats tagged with 'cwe-36'. Filter and sort to focus on specific types of threats.


CVE-2026-10075: CWE-36 Absolute path traversal in Interinfo DreamMaker

DreamMaker, developed by Interinfo, has a Path Traversal vulnerability that allows unauthenticated remote attackers to read file names under an arbitrary path by exploiting an Absolute Path Traversal vulnerability.

CVE-2026-10044: CWE-36 Absolute Path Traversal in Usagi-org ai-goofish-monitor

Usagi-org ai-goofish-monitor has an unauthenticated absolute path traversal vulnerability in its GET /api/prompts/(unknown) endpoint on Windows systems. This flaw allows remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences, bypassing the incomplete path traversal protections. The vulnerability arises because the application improperly handles path joining, allowing attackers to access files outside the intended directory. No official patch or remediation guidance is currently available. The vulnerability has a high severity score of 7.5 CVSS and does not require user interaction or privileges to exploit.

CVE-2026-32997: CWE-36 Absolute Path Traversal in Veeam Backup and Replication

CVE-2026-32997 is a high-severity vulnerability in Veeam Backup and Replication version 13 that allows an authenticated user with the Backup Administrator role to write arbitrary files on a Linux-based server. This is due to an absolute path traversal issue (CWE-36). The vulnerability does not require user interaction and has a high impact on confidentiality, integrity, and availability. No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.

CVE-2026-4782: CWE-36 Absolute Path Traversal in themefusion Avada (Fusion) Builder

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.

CVE-2026-32175: CWE-36: Absolute Path Traversal in Microsoft .NET 10.0

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system. The security update fixes the vulnerability by ensuring .NET Core properly handles files.

CVE-2026-6418: CWE-36 Absolute path traversal in PaperCut PaperCut NG/MF

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files. When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.

CVE-2026-44029: CWE-36 Absolute Path Traversal in NixOS Nix

CVE-2026-44029 is an absolute path traversal vulnerability in NixOS Nix versions prior to 2.34.7. It allows writing to arbitrary files via directory traversal when using the commands "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack." The issue affects multiple versions starting from 2.24.7 up to 2.34.0. The vulnerability has a medium severity with a CVSS score of 5.

CVE-2026-35465: CWE-73: External Control of File Name or Path in freedomofpress securedrop-client

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper filename validation in gzip archive extraction, which permits absolute paths and enables overwriting critical files like the SQLite database. Exploitation requires prior compromise of the dedicated SecureDrop Server, which itself is hardened and only accessible via Tor hidden services. Despite the high attack complexity, the vulnerability is rated High severity due to its significant impact on confidentiality, integrity, and availability of decrypted source submissions. This issue is similar to CVE-2025-24888 but occurs through a different code path, and a more robust fix has been implemented in the replacement SecureDrop Inbox codebase. The issue has been fixed in version 0.17.5.

CVE-2026-34515: CWE-36: Absolute Path Traversal in aio-libs aiohttp

CVE-2026-34515 is a medium severity vulnerability in aiohttp versions prior to 3.13.4 on Windows. It involves an absolute path traversal issue in the static resource handler that may expose information about an NTLMv2 remote path. This vulnerability has been patched in aiohttp version 3.13.4.

CVE-2026-4373: CWE-36 Absolute Path Traversal in jetmonsters JetFormBuilder — Dynamic Blocks Form Builder

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.

Showing 1 to 10 of 55 results