#path-traversal

from BleepingComputer
2 days ago

Critical jsPDF flaw lets hackers steal secrets via generated PDFs

The jsPDF library for generating PDF documents in JavaScript applications contains a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by having it included in generated files. The flaw is a local file inclusion and path traversal issue: unsanitized paths can be passed to the file loading mechanism (loadFile) in jsPDF versions before 4.0. It is tracked as CVE-2025-68428 and received a severity score of 9.2.
from The Hacker News
3 days ago

Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers

"If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory," the project maintainers said in an advisory released last week. "This can lead to arbitrary file write on the server." However, successful exploitation hinges on a reachable upload endpoint.
from The Hacker News
1 month ago

Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

A WinRAR path traversal vulnerability (CVE-2025-6218) enabling code execution has been actively exploited and was patched in WinRAR 7.12 for Windows.
from The Hacker News
4 months ago

WinRAR Zero-Day Under Active Exploitation - Update to Latest Version Immediately

WinRAR released an update addressing CVE-2025-8088, a zero-day vulnerability causing path traversal and allowing arbitrary code execution.
from The Register
2 months ago

Docker Compose vulnerability opens door to host-level writes

Docker Compose's OCI artifact handling had a path traversal vulnerability (CVE-2025-62725) allowing arbitrary host file writes; upgrade to Compose v2.40.
from The Register
4 months ago

Commvault releases patches for two pre-auth RCE bug chains

The first chain involves two vulnerabilities (CVE-2025-57791 and CVE-2025-57790): an argument injection in CommServe and a path traversal bug, respectively. The severity scores for the flaws are not especially concerning on their own, but chained together they become more dangerous. Commvault's advisory describes CVE-2025-57791 as a vulnerability that allows attackers to retrieve a valid user session for a low-privilege role, assigning it a CVSS score of 6.9 (medium severity).
from IT Pro
5 months ago

Microsoft patched a critical vulnerability in its NLWeb AI search tool - but there's no CVE (yet)

A critical flaw in NLWeb enables remote users to read sensitive files without authorization.
from The Verge
5 months ago

Microsoft's plan to fix the web with AI has already hit an embarrassing security flaw

A critical vulnerability in Microsoft's NLWeb protocol allows remote users to access sensitive files.