Total: 387 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26202 | 2 Kaleidos, Penpot | 2 Penpot, Penpot | 2026-02-20 | 7.5 High |
| Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/etc/passwd`) as a font data chunk in the `create-font-variant` RPC endpoint, resulting in the file contents being stored and retrievable as a "font" asset. This is an arbitrary file read vulnerability. Any authenticated user with team edit permissions can read arbitrary files accessible to the Penpot backend process on the host filesystem. This can lead to exposure of sensitive system files, application secrets, database credentials, and private keys, potentially enabling further compromise of the server. In containerized deployments, the blast radius may be limited to the container filesystem, but environment variables, mounted secrets, and application configuration are still at risk. Version 2.13.2 contains a patch for the issue. | ||||
| CVE-2024-25965 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | 6.1 Medium |
| Dell PowerScale OneFS versions 8.2.x through 9.7.0.2 contain an external control of file name or path vulnerability. A local high privilege attacker could potentially exploit this vulnerability, leading to denial of service. | ||||
| CVE-2026-27008 | 1 Openclaw | 1 Openclaw | 2026-02-20 | 6.7 Medium |
| OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue. | ||||
| CVE-2025-47956 | 1 Microsoft | 1 Windows Security App | 2026-02-20 | 5.5 Medium |
| External control of file name or path in Windows Security App allows an authorized attacker to perform spoofing locally. | ||||
| CVE-2026-25628 | 1 Qdrant | 1 Qdrant | 2026-02-19 | 8.6 High |
| Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via the `/logger` endpoint using an attacker-controlled `on_disk.log_file` path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0. | ||||
| CVE-2025-61879 | 1 Infoblox | 1 Nios | 2026-02-19 | 7.7 High |
| In Infoblox NIOS through 9.0.7, a high-privileged user can trigger an arbitrary file write via the account creation mechanism. | ||||
| CVE-2026-25636 | 2 Calibre-ebook, Kovidgoyal | 2 Calibre, Calibre | 2026-02-17 | 8.2 High |
| calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves the CipherReference URI from `META-INF/encryption.xml` to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0. | ||||
| CVE-2026-25964 | 2 Tandoor, Tandoorrecipes | 2 Recipes, Recipes | 2026-02-17 | 4.9 Medium |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1. | ||||
| CVE-2026-2604 | 1 Gnome | 1 Evolution-data-server | 2026-02-17 | 5.6 Medium |
| No description is available for this CVE. | ||||
| CVE-2025-24054 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-02-13 | 6.5 Medium |
| External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-21377 | 1 Microsoft | 24 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 21 more | 2026-02-13 | 6.5 Medium |
| NTLM Hash Disclosure Spoofing Vulnerability | ||||
| CVE-2025-24996 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-02-13 | 6.5 Medium |
| External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-29819 | 1 Microsoft | 2 Azure Portal Windows Admin Center, Windows Admin Center | 2026-02-13 | 6.2 Medium |
| External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-26684 | 1 Microsoft | 1 Defender For Endpoint | 2026-02-13 | 6.7 Medium |
| External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-49760 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2026-02-13 | 3.5 Low |
| External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-53769 | 1 Microsoft | 1 Windows Security App | 2026-02-13 | 5.5 Medium |
| External control of file name or path in Windows Security App allows an authorized attacker to perform spoofing locally. | ||||
| CVE-2025-54162 | 2 Qnap, Qnap Systems | 2 File Station, File Station 5 | 2026-02-12 | 4.9 Medium |
| A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5068 and later. | ||||
| CVE-2024-38049 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-02-10 | 6.6 Medium |
| Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability | ||||
| CVE-2025-62842 | 2 Qnap, Qnap Systems Inc. | 2 Hybrid Backup Sync, Hbs 3 Hybrid Backup Sync | 2026-02-05 | 7.8 High |
| An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later. | ||||
| CVE-2020-37078 | 1 I-doit | 1 I-doit | 2026-02-04 | 8.8 High |
| i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. | ||||