By weakness (CWE)

CWE-36: related vulnerabilities

CVEs classified under CWE-36. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

2 published vulnerabilities

  • CVE-2026-10044HIGH 7.5

    Usagi-org's ai-goofish-monitor application contains a critical flaw that allows anyone on the network to read files from an affected Windows server without authentication. By crafting a specially-formed request to the GET /api/prompts/{filename} endpoint, an attacker can bypass the application's path-checking logic and access sensitive files stored on the system—such as configuration files, credentials, or other sensitive data accessible to the application process. The vulnerability exploits a weakness in how the application validates file paths, specifically by allowing absolute Windows paths and backslash characters that the incomplete validation routine fails to detect.

  • CVE-2026-10075MEDIUM 5.3

    DreamMaker, a product from Interinfo, contains a path traversal flaw that lets unauthenticated attackers list or read filenames from any directory on the affected system without requiring authentication or user interaction. An attacker can craft requests using absolute path manipulation to traverse the filesystem and discover file structures that should remain hidden. While this does not allow direct file content theft or system modification, it exposes the directory layout and naming conventions, which can aid reconnaissance in a broader attack chain.