| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0. |
| Unauthenticated PHP Object Injection in Valeska versions <= 1.2.2. |
| Unauthenticated PHP Object Injection in Behold versions <= 1.5. |
| Unauthenticated PHP Object Injection in Esmée versions <= 1.4. |
| Unauthenticated PHP Object Injection in Léonie versions <= 1.2.1. |
| Unauthenticated PHP Object Injection in TechLink versions <= 1.3. |
| Unauthenticated PHP Object Injection in Roisin versions <= 1.4. |
| Unauthenticated PHP Object Injection in Ashtanga versions <= 1.2. |
| Unauthenticated PHP Object Injection in LuxeDrive versions <= 1.4. |
| Unauthenticated PHP Object Injection in Laurits versions <= 1.5.1. |
| Unauthenticated PHP Object Injection in Micdrop versions <= 1.3.1. |
| Unauthenticated PHP Object Injection in Valiance versions <= 1.2. |
| Unauthenticated PHP Object Injection in Playroom versions <= 1.4.1. |
| Unauthenticated PHP Object Injection in Santé versions <= 1.5.1. |
| Unauthenticated PHP Object Injection in NeoBeat versions <= 1.7. |
| Unauthenticated PHP Object Injection in Fidalgo versions <= 1.2.2. |
| Unauthenticated PHP Object Injection in Alloggio - Hotel Booking versions <= 2.1.2. |
| Unauthenticated PHP Object Injection in Elementra versions <= 1.0.9. |
| Unauthenticated PHP Object Injection in Kapee versions < 1.7.0. |
| Unauthenticated PHP Object Injection in EmallShop versions <= 2.4.21. |