All news with #arbitrary file read tag

🔒 The Avada Builder WordPress plugin contained two serious vulnerabilities impacting an estimated one million active installations. One flaw (CVE-2026-4782) allows authenticated users with subscriber access to read arbitrary server files via the plugin’s shortcode-rendering and the custom_svg parameter, exposing sensitive files like wp-config.php. The other issue (CVE-2026-4798) is a time-based blind SQL injection exploitable without authentication if WooCommerce was previously installed and then deactivated. Administrators are urged to update to Avada Builder 3.15.3 immediately.

⚠ The Siemens Ruggedcom Rox product contains an improper access control vulnerability in its web server JSON‑RPC interface that can allow an authenticated remote attacker to read arbitrary files on the underlying operating system with root privileges. Siemens has released updates and advises customers to upgrade to V2.17.1 or later. The issue is tracked as CWE-88 and CISA has republished the vendor advisory to increase visibility. Administrators should restrict network access and follow Siemens' operational security guidance.

🔒 A path traversal flaw exists in the ROS# file_server prior to 2.2.2, allowing attackers to read and write arbitrary files accessible to the account running the service. The issue arises from improper input sanitization and is tracked as CWE-23 with a CVSS v3 score of 9.1. Siemens released 2.2.2 as the vendor fix and recommends immediate updates. Temporary mitigations include running the service only on trusted networks and with restricted user rights.

⚠️ Two newly disclosed flaws in the Avada Builder WordPress plugin place roughly one million sites at risk of arbitrary file read (CVE-2026-4782, CVSS 6.5) and unauthenticated time-based SQL injection (CVE-2026-4798, CVSS 7.5). The issues were reported to Wordfence in March and fixed in 3.15.2 and fully resolved in 3.15.3. Site owners are urged to update immediately and audit subscriber accounts and wp-config.php for signs of compromise.

🔒 A file-read vulnerability in Smart Slider 3 allows authenticated users with minimal privileges, including subscribers, to download arbitrary server files. The flaw (CVE-2026-3098) stems from missing capability checks and improper validation in the plugin's AJAX export actions, letting attackers export wp-config.php and other sensitive files. Researcher Dmitrii Ignatyev reported the issue and Wordfence validated the proof-of-concept. Nextendweb released a patch in version 3.5.1.34; site owners should update immediately.

⚠️ OX Security researchers disclosed multiple high-severity vulnerabilities in four widely used VS Code extensions — Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — collectively installed more than 125 million times. The flaws can enable local-file exfiltration, arbitrary JavaScript execution, and settings-based code execution; three remain unpatched while Microsoft fixed an XSS-style issue in Live Preview in version 0.4.16 (September 2025). Researchers advise disabling or uninstalling non-essential or untrusted extensions, avoiding untrusted configurations, keeping extensions updated, and hardening local networks and firewalls.

🔒 OX Security disclosed critical and high-severity vulnerabilities in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Three CVEs were published; Microsoft privately patched Live Preview. The flaws also affected AI-powered IDEs Cursor and Windsurf, and OX Security said three maintainers did not respond to notifications. Researchers urge immediate updates, disabling unused extensions, and avoiding untrusted sites while localhost servers run.

⚠️ Siemens NX contains multiple file-parsing vulnerabilities in its handling of CGM files that can cause application crashes or enable arbitrary code execution when a malicious file is opened. Siemens has released fixes and advises updating to V2512 or later. Do not open untrusted CGM files and apply vendor updates promptly. Follow CISA guidance on network isolation and secure remote access.

🔒 Chainlit, a widely used open-source framework for building conversational AI, contained two high-severity flaws that enable arbitrary file reads and server-side request forgery without user interaction. Zafran Labs labeled the issues CVE-2026-22218 and CVE-2026-22219, which together can expose API keys, cloud credentials, source code, and internal services. The defects were fixed in v2.9.4; organizations should upgrade to 2.9.4 or later immediately and inspect for potential data exfiltration.

⚠️ Security researchers disclosed two critical vulnerabilities in the Python-based AI app framework Chainlit that allow unauthenticated attackers to read arbitrary server files and trigger SSRF requests. The flaws (CVE-2026-22218 and CVE-2026-22219), fixed in Chainlit 2.9.4, stem from an unvalidated custom Element type exposing path and URL properties. Exploits can leak environment variables, API keys, LLM prompts, and cloud credentials, enabling lateral movement and broader compromise.

🔒 Chainlit, a widely used framework for building conversational AI applications, contained two server-side vulnerabilities (CVE-2026-22218 and CVE-2026-22219) that allow authenticated users to read arbitrary files and trigger SSRF in affected deployments. The flaws stem from insufficient validation of user-controlled properties in custom elements and SQLAlchemy-backed storage. Combined, they can expose environment variables, cached prompts, API keys and cloud metadata, enabling lateral movement beyond the app layer. Chainlit released 2.9.4 on 24 December 2025 and users are advised to apply the patch immediately; temporary WAF signatures were published as mitigation.

⚠️ A trio of vulnerabilities in mcp-server-git, the official MCP Git server maintained by Anthropic, can be chained to read or delete arbitrary files and, in certain scenarios, achieve remote code execution. Cyata researcher Yarden Porat showed these issues are exploitable via prompt injection when an AI assistant ingests attacker-controlled content such as a malicious README or poisoned issue text. Fixes were released in 2025.9.25 and 2025.12.18; users should update the Python package promptly to mitigate risk.

🔒 Siemens has released a security update for SINEC Security Monitor addressing two vulnerabilities (CVE-2025-40830, CVE-2025-40831) in versions before V4.10.0. The flaws allow an authenticated user to read or write arbitrary files via the ssmctl-client file_transfer feature and to cause a report-generation denial-of-service. Siemens recommends updating to V4.10.0 or later and reducing network exposure per operational guidance.

🔒 A critical vulnerability in jsPDF (CVE-2025-68428) affected Node.js deployments and allowed untrusted input passed to file-handling APIs to produce arbitrary file reads and local file inclusion. Endor Labs found that methods like addImage, html, and addFont relied on an insecure loadFile() call, enabling attackers to embed sensitive files into generated PDFs. Maintainers released jsPDF 4.0.0 to restrict filesystem access via Node.js permission mode, but researchers warn upgrading alone may not fully mitigate risk in environments without properly configured runtime permissions.

⚠️ Researchers at Cyera disclosed a critical vulnerability in n8n (CVE-2026-21858) that allows unauthenticated attackers to read arbitrary local files via content-type parsing confusion and then recreate session cookies to assume any user’s identity. Exploitation can yield administrator privileges and remote code execution through the Execute Command node. The bug was patched in version 1.121.0 on Nov. 18; administrators should update immediately.

⚠️ The Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions up to 4.23.81) contains a vulnerability (CVE-2025-11705) that allows low-privileged subscribers to read arbitrary files on the server. The issue is caused by missing capability checks in the GOTMLS_ajax_scan() AJAX handler, enabling attackers who can obtain a nonce to access sensitive files like wp-config.php. The developer released v4.23.83 on October 15, which adds a proper capability check via a new GOTMLS_kill_invalid_user() function; administrators of membership sites should update immediately.

⚠ A critical Arbitrary File Read vulnerability (CVE-2025-9217) was found in the widely used Slider Revolution WordPress plugin, affecting versions up to 6.7.36. The bug allowed authenticated users with contributor-level access or higher to read arbitrary files on the server by abusing two export parameters, used_svg and used_images. ThemePunch released a patch (6.7.37) on August 28 after a report to Wordfence; administrators should update immediately to protect site data.