<ciso brief />

All news with #local file inclusion tag

9 articles

Pack2TheRoot flaw in PackageKit lets local users gain root

⚠️ A newly disclosed vulnerability, dubbed Pack2TheRoot (CVE-2026-41651), permits local Linux users to install or remove system packages and obtain root privileges by abusing the PackageKit daemon. The bug dates back to 2014 and affects PackageKit versions 1.0.2 through 1.3.4; it is resolved in PackageKit 1.3.5. Administrators should upgrade immediately, verify if packagekit is running, and monitor logs for assertion failures or crashes as likely indicators of attempted exploitation.

Ubuntu Desktop Flaw Allows Local Elevation to Root

⚠ A local privilege escalation vulnerability (CVE-2026-3888) affects default installations of Ubuntu Desktop 24.04 and later, enabling attackers with low-level access to obtain full root privileges. The flaw stems from an interaction between snap-confine and systemd-tmpfiles that enables a timing-based attack leveraging automated temporary-file cleanup. Exploitation requires patience due to a built-in 10–30 day cleanup window, but no user interaction is needed; Qualys rated the issue CVSS 7.8 and urges immediate upgrade to patched snapd releases.

Critical jsPDF Flaw Allows Arbitrary File Read in Node.js

🔒 A critical vulnerability in jsPDF (CVE-2025-68428) affected Node.js deployments and allowed untrusted input passed to file-handling APIs to produce arbitrary file reads and local file inclusion. Endor Labs found that methods like addImage, html, and addFont relied on an insecure loadFile() call, enabling attackers to embed sensitive files into generated PDFs. Maintainers released jsPDF 4.0.0 to restrict filesystem access via Node.js permission mode, but researchers warn upgrading alone may not fully mitigate risk in environments without properly configured runtime permissions.

Critical jsPDF flaw exposes local files in generated PDFs

⚠ The jsPDF library contains a critical local file inclusion and path traversal vulnerability (CVE-2025-68428) that can embed sensitive files from the local filesystem into generated PDFs when user-controlled input is passed to file-loading APIs. The issue affects Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) and functions such as loadFile, addImage, html, and addFont. The bug was addressed in jsPDF 4.0.0 by restricting filesystem access by default; maintainers recommend upgrading, sanitizing input paths, and using modern Node.js permission modes.

JumpCloud Remote Assist flaw allows local SYSTEM takeover

⚠️ The JumpCloud Remote Assist for Windows agent contains a critical local privilege escalation vulnerability (CVE-2025-34352) that can be exploited during uninstall or update flows. The uninstaller runs with NT AUTHORITY\SYSTEM and performs file operations in a user-writable %TEMP% subdirectory without validating or securing the path. Attackers with a local foothold can abuse link-following techniques (mount points and symlinks) to overwrite or delete protected files, yielding full system compromise or denial-of-service. Systems running Remote Assist before version 0.317.0 should be updated immediately.

Rockwell Studio 5000 Simulation Interface Vulnerabilities

⚠️ Rockwell Automation disclosed two local vulnerabilities in Studio 5000 Simulation Interface (version 2.02 and earlier) that allow path traversal–based local code execution (CVE-2025-11696) and a local SSRF that can trigger outbound SMB requests for NTLM hash capture (CVE-2025-11697). Both issues carry high severity (CVSS v4: 9.3 and 8.8) and are exploitable by low-complexity local attackers. Rockwell recommends upgrading to version 3.0.0 or later; CISA advises isolating control system networks, minimizing exposure, and following secure remote-access practices.

Gladinet patches zero-day in CentreStack file sharing

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

New zero-day in Gladinet re-enables patched RCE flaw

⚠️ Huntress has observed criminals exploiting a new zero-day (CVE-2025-11371) in Gladinet CentreStack and Triofox file-sharing servers that enables unauthenticated local file inclusion. The flaw can expose the application's Web.config machineKey, effectively re-enabling a prior ViewState deserialization RCE (CVE-2025-30406). Gladinet has not yet released a patch; Huntress advises disabling the UploadDownloadProxy temp handler as a mitigation. Huntress detected misuse across multiple customers and notes that SOC telemetry flagged irregular base64 payloads; administrators should assume 'fully patched' may not equal secure and isolate or disable vulnerable handlers until a vendor patch is available.

Zero-Day in Gladinet CentreStack and Triofox Exploited

⚠️ Researchers report an actively exploited zero-day (CVE-2025-11371) in Gladinet's CentreStack and Triofox that permits unauthenticated Local File Inclusion (LFI) on default installs, exposing system files and allowing machine-key disclosure. Huntress observed exploitation on Sept 27 with at least three companies targeted. No patch is available yet; Gladinet has issued a workaround to disable a temp handler in the UploadDownloadProxy Web.config, though this may affect some functionality.