dotdotslash_bot

48 Followers
1 Following
22 Posts

A bot that posts new directory traversal CVEs. Fame may be temporary but #directoryTraversalMemes are forever!

Posts are unlisted to avoid public timeline spamming.
I'll gladly take proposals for new templates.

Very much WIP right now

Operator: https://infosec.exchange/@nyanbinary
PFP based on: https://github.com/SymTrkl/emoji/tree/main/highres/neobot_code
Source (it's bad): https://gitlab.com/malte.nyanbinary/dotdotslash_bot

New directory traversal CVE!
CVE-2026-43965
https://ghcr.io - gleam-lang/gleam
https://github.com - gleam-lang/gleam
Gleam - Gleam
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.

Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.

An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted.

This issue affects Gleam from 0.18.0-rc1 until 1.17.0.

New directory traversal CVE!
CVE-2026-44885
portainer - portainer
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer's backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal — a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8.
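The Portainer post above names the exact construction that goes wrong, filepath.Clean(filepath.Join(outputDirPath, header.Name)), and the Gleam post further up describes the same join-with-no-containment-check pattern in Rust. Below is an added Go example (not Portainer's, Gleam's or the bot's own code) that puts the quoted construction next to a hardened one and runs both over a constructed in-memory .tar.gz whose second member is named ../../etc/cron.d/evil, as in the advisory text. The extraction directory /data/restore, the function names and the archive contents are assumptions for illustration only.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// vulnerableTarget reproduces the advisory's Clean(Join(root, name)), which resolves ".." past the root.
func vulnerableTarget(outputDirPath, name string) string {
	return filepath.Clean(filepath.Join(outputDirPath, name))
}

// safeTarget does the same join, then checks containment: the relative path
// from root back to target must not begin with "..", which Clean/Join never
// verify. Symlink members written earlier in the archive are a separate issue.
func safeTarget(outputDirPath, name string) (string, error) {
	root := filepath.Clean(outputDirPath)
	target := filepath.Clean(filepath.Join(root, name))
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes extraction root %q", name, root)
	}
	return target, nil
}

// Entry records how both code paths treat one archive member.
type Entry struct {
	Name, Vulnerable, Safe string // member name, Clean(Join) result, accepted path ("" if rejected)
	Err                    error  // rejection reason from safeTarget
}

// inspectTarGz walks a .tar.gz stream and classifies every member without
// touching the filesystem. Members Go flags with tar.ErrInsecurePath (only
// under GODEBUG=tarinsecurepath=0) are classified rather than aborting.
func inspectTarGz(r io.Reader, outputDirPath string) ([]Entry, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var entries []Entry
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return nil, err
		}
		e := Entry{Name: hdr.Name, Vulnerable: vulnerableTarget(outputDirPath, hdr.Name)}
		e.Safe, e.Err = safeTarget(outputDirPath, hdr.Name)
		entries = append(entries, e)
	}
	return entries, nil
}

// craftedArchive builds a constructed sample archive in memory: one benign
// member and one named exactly as in the advisory's example.
func craftedArchive() []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, m := range []struct{ name, body string }{
		{"portainer.db", "constructed benign backup content\n"},
		{"../../etc/cron.d/evil", "* * * * * root /tmp/evil.sh\n"},
	} {
		must(tw.WriteHeader(&tar.Header{Name: m.name, Mode: 0o644, Size: int64(len(m.body)), Typeflag: tar.TypeReg}))
		_, err := io.WriteString(tw, m.body)
		must(err)
	}
	must(tw.Close())
	must(gz.Close())
	return buf.Bytes()
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// /data/restore is an assumed extraction directory, not Portainer's real one.
	entries, err := inspectTarGz(bytes.NewReader(craftedArchive()), "/data/restore")
	must(err)
	for _, e := range entries {
		fmt.Printf("%-22s Clean(Join) -> %-22s hardened -> %s %v\n", e.Name, e.Vulnerable, e.Safe, e.Err)
	}
}
```

The containment test works because filepath.Rel is computed after cleaning, so sub/../../x and a plain ../x both surface as a relative path beginning with "..", while a member literally named ..hidden does not trip the separator-aware prefix check. Two caveats: a symlink member extracted earlier can redirect a later write outside the root, so a real extractor also has to refuse symlink members or resolve the parent directory before writing; and in the Gleam case Rust's Path::join replaces the whole path when the argument is absolute, so an absolute package key has to be rejected explicitly there, whereas Go's filepath.Join only concatenates.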
New directory traversal CVE!
CVE-2018-25421
Openstamanager - Open STA Manager
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files.
New directory traversal CVE!
CVE-2018-25393
Navigatecms - Navigate CMS
Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Attackers can send GET requests to navigate_download.php with path traversal payloads ../../../cfg/globals.php to access sensitive configuration files and system files outside the intended directory.
New directory traversal CVE!
CVE-2026-47179
getarcaneapp - arcane
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4.
New directory traversal CVE!
CVE-2026-45668
TriliumNext - Trilium
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note (type: doc or type: launcher) with a #docName label that uses ../ path traversal to point at the payload note's API endpoint. The desktop client Electron renderer runs with nodeIntegration enabled, so an RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2.
New directory traversal CVE!
CVE-2026-3366
IBM - InfoSphere Optim Test Data Fabrication
IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
New directory traversal CVE!
CVE-2018-25408
Openises - Open ISES Project
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files.

RE: https://infosec.exchange/@nyanbinary/116657208551961003

pls no shouty, turns out I accidentally turned off the server running the bots for my break, too. Woke it up again, there maaaaay be a few delayed posts 

@dotdotslash_bot hm, I might need to tweak the bot to go for ../ + CWE I guess?

Edit: Given we now have two: Putting the bot on pause for now, sowwy