All news with #path traversal tag

🔒 ABB published updates addressing a path traversal vulnerability (CWE-22, CVSS v3 7.1) affecting CoreSense HM and CoreSense M10. The flaw allowed unauthenticated local users to access restricted directories and could lead to full system compromise and sensitive data exposure. ABB fixed the issue in CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31 and recommends applying the update promptly. CISA republished the vendor advisory and advises network isolation, strict input validation, and restricting local host access to authorized users.

🔒 InfoGuard Labs disclosed multiple critical vulnerabilities in SEPPMail Secure E-Mail Gateway that allow unauthenticated remote code execution, path traversal, deserialization flaws, and exposure of sensitive server data. Researchers demonstrated an exploit chain leveraging the LFT path traversal (CVE-2026-2743) to overwrite syslog configuration and obtain a Perl reverse shell, enabling full appliance takeover and mail interception. SEPPmail has released fixes across versions 15.0.2.1, 15.0.3 and 15.0.4 and urges administrators to apply updates immediately.

🔒 A path traversal flaw exists in the ROS# file_server prior to 2.2.2, allowing attackers to read and write arbitrary files accessible to the account running the service. The issue arises from improper input sanitization and is tracked as CWE-23 with a CVSS v3 score of 9.1. Siemens released 2.2.2 as the vendor fix and recommends immediate updates. Temporary mitigations include running the service only on trusted networks and with restricted user rights.

⚠️ Hitachi Energy reported a directory traversal vulnerability (CVE-2018-1002208) affecting PCM600 product lines, including legacy 2.11 and several 3.x releases. The flaw resides in an affected SharpZipLib component (pre-1.0 RC1) and allows crafted ZIP archives to write files outside intended extraction directories, creating an integrity risk. Hitachi Energy recommends migrating to maintained 3.x builds, following vendor guidance and immediate mitigations such as network isolation, removal of default credentials, and secure remote access while awaiting a planned 3.1 SP4 update.

⚠️ A path traversal vulnerability in ABB PCM600 (CVE-2018-1002208) could allow an attacker to deliver specially crafted messages to a system node, resulting in insertion and execution of arbitrary code. Affected releases are PCM600 versions >=1.5 and <=2.13; ABB released a fix in PCM600 2.14 (note: RE_630 relays are incompatible with 2.14). CISA rates the issue CVSS 3.1 4.4 (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N), notes exploitation is not remotely trivial, and recommends applying the vendor update or, where immediate upgrade is impractical, applying system-level and network mitigations such as segmentation, firewalls, and updated VPNs.

⚠️ CISA warns of a critical path traversal vulnerability (CVE-2026-6074) in Intrado 911 Emergency Gateway that can expose the EGW management interface to unauthenticated access from an attacker with network access. The flaw enables reading, modifying, or deleting files and has a CVSS v3.1 base score of 9.8. Intrado released an update on March 2, 2026; organizations should apply the vendor patch immediately. Apply CISA guidance to minimize internet exposure and contact E911Support@intrado.com for vendor coordination.

🛡️ Cyera researchers warn that insufficient input validation in AI orchestration tools can expose sensitive enterprise data. A newly disclosed path traversal flaw in LangChain (CVE-2026-34070) lets crafted input resolve paths outside intended directories and read arbitrary host files. Cyera analyzed that alongside an earlier unsafe deserialization issue (CVE-2025-68664) and a SQL injection affecting LangGraph checkpointing (CVE-2025-67644), showing how each flaw maps to distinct data exposures. Maintainers have released fixes; organizations should apply patches and adopt allowlists, sandboxing, safe deserialization practices, and parameterized queries immediately.

🔒 Researchers disclosed three vulnerabilities in LangChain and LangGraph that can expose filesystem files, environment secrets, and conversation history. The flaws — a path traversal, insecure deserialization, and an SQL injection — provide independent attack paths enabling exfiltration of Docker configs, API keys, and stored chats. Patches are available for the affected packages and organizations are urged to update immediately and audit prompt templates, deserialization paths, and checkpoint metadata.

🔒 Ubiquiti has released patches for two vulnerabilities in the UniFi Network application, including a maximum-severity path traversal flaw tracked as CVE-2026-22557. The path traversal affects versions up to 10.1.85 and is addressed in 10.1.89 and later; a separate authenticated NoSQL injection that could enable privilege escalation has also been fixed. Administrators should update to 10.1.89 or later and apply vendor fixes to mitigate account takeover and escalation risks.

⚠️ Trend Micro has released patches for two critical Apex One management console vulnerabilities (CVE-2025-71210 and CVE-2025-71211) that enable path traversal leading to remote code execution on Windows systems. The fixes are included in SaaS updates and Critical Patch Build 14136, which also addresses high-severity agent issues on Windows and macOS. Exploitation requires access to the management console, so externally exposed consoles should apply source restrictions and other access controls. Customers are urged to install updates promptly to reduce risk.

🛡️ An unauthenticated attacker can exploit a path traversal vulnerability in Valmet DNA Engineering Web Tools (CVE-2025-15577) by manipulating the web maintenance services URL to obtain arbitrary file read access. The issue is an instance of Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and is rated CVSS 3.1 8.6 (High). Valmet has released a fix and recommends customers contact their automation customer service for remediation assistance. CISA advises reducing internet exposure for control system devices, isolating networks behind firewalls, and applying defense-in-depth controls.

🔒OpenClaw has patched six vulnerabilities disclosed by Endor Labs, including SSRF, missing webhook authentication and a path traversal issue that range from moderate to high severity. The set includes CVE-2026-26322 (Gateway SSRF, CVSS 7.6), CVE-2026-26319 (Telnyx webhook auth bypass, CVSS 7.5) and several GitHub Security Advisories such as GHSA-56f2-hvwg-5743. Endor warns that agent frameworks’ multi-layered architectures mean vulnerabilities can span files and components, requiring data-flow analysis and layered validation to mitigate exploitation. SecurityScorecard also flagged many publicly exposed OpenClaw instances, raising enterprise risk.

🔒 GE Vernova released updates for Enervista UR Setup to address two vulnerabilities. The installer is vulnerable to DLL hijacking (CVE-2026-1762), which could allow administrative code execution when run in directories containing untrusted DLLs. A second issue is a path traversal (CVE-2026-1763) that can overwrite files as the logged-in user. Users should update to version 8.70 or later.

🔒 Check Point researchers say attackers rapidly weaponized CVE-2025-8088, a path traversal flaw in the Microsoft Windows version of WinRAR, to deliver crafted archives that execute arbitrary code and maintain persistence. The campaign used the open-source Havoc Framework and targeted government and law-enforcement organisations in Southeast Asia. Check Point attributes the activity to a group dubbed Amaranth-Dragon, whose tools and tactics resemble APT41. Organisations are advised to prioritise patching and monitor for suspicious archive files.

🔒Siemens has disclosed multiple vulnerabilities affecting RUGGEDCOM APE1808 devices, tied to cross-site scripting and a path traversal flaw (CVE-2025-40891, CVE-2025-40892, CVE-2025-40893, CVE-2025-40898). The issues include stored HTML/JavaScript injection in Time Machine Snapshot Diff, Reports, and Asset List features, and an authenticated path traversal in Arc data import that can enable arbitrary file writes. Siemens is preparing fixes and advises contacting Siemens ProductCERT, segregating and protecting device networks, and following Siemens operational security guidance until patches are available.

⚠️ CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities catalog after reports of active exploitation targeting Gogs. The high-severity (CVSS 8.7) flaw is a path traversal in the repository file editor's PutContents API that mishandles symbolic links and can lead to remote code execution. There is not yet an official upstream patch, though GitHub pull requests show fixes have been merged and maintainers say new images will include the correction once built. Until patched, users should disable default open-registration, restrict server access behind VPNs or allow-lists, and apply other access controls; FCEB agencies must implement mitigations by Feb 2, 2026.

⚠ The jsPDF library contains a critical local file inclusion and path traversal vulnerability (CVE-2025-68428) that can embed sensitive files from the local filesystem into generated PDFs when user-controlled input is passed to file-loading APIs. The issue affects Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) and functions such as loadFile, addImage, html, and addFont. The bug was addressed in jsPDF 4.0.0 by restricting filesystem access by default; maintainers recommend upgrading, sanitizing input paths, and using modern Node.js permission modes.

🚨 Maintainers of @adonisjs/bodyparser urge immediate updates after disclosure of CVE-2026-21440, a critical path traversal flaw that can enable attackers to write arbitrary files via unsanitized multipart filenames. The vulnerability stems from MultipartFile.move(location, options) defaulting to client-supplied names when the options.name is omitted. Exploitation requires a reachable upload endpoint and can lead to file overwrite and possible RCE depending on deployment, filesystem permissions, and overwrite settings.

🔒 CISA disclosed multiple vulnerabilities in Advantech WebAccess/SCADA affecting version 9.2.1 that could allow an authenticated attacker to read, modify, or delete remote database files. Reported issues include path traversal, unrestricted file upload, absolute path traversal, and SQL injection across several CVEs. Advantech has released WebAccess/SCADA 9.2.2 to address these flaws; operators should prioritize applying the update and hardening network access.

⚠️ An unpatched zero-day in Gogs enables remote code execution on Internet-facing instances by exploiting a path traversal weakness in the PutContents API (CVE-2025-8110). Attackers abuse symbolic links to overwrite files outside repositories and modify Git configuration values such as sshCommand, forcing arbitrary command execution. Researchers found over 1,400 exposed servers and more than 700 with compromise indicators. Administrators should disable open registration and restrict access immediately.