Yahia Hamza

4 exploits Active since Mar 2026
CVE-2026-5027 NOMISEC HIGH WORKING POC
Langflow - Path Traversal Arbitrary File Write via upload_user_file
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
1 stars
CVSS 8.8
CVE-2026-5027 NOMISEC HIGH WORKING POC
Langflow - Path Traversal Arbitrary File Write via upload_user_file
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
CVSS 8.8
CVE-2026-5027 NOMISEC HIGH WORKING POC
Langflow - Path Traversal Arbitrary File Write via upload_user_file
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
CVSS 8.8
CVE-2026-25099 NOMISEC HIGH WORKING POC
Remote Code Execution via Unrestricted File Upload in Bludit
Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.
CVSS 8.8