Tag

#path-traversal

2 posts tagged #path-traversal.

Analysis · May 8, 2026 · The Field Notes Desk

Mitel MiCollab keeps shipping the same path-traversal bug class

watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day. The pattern across NPM, ReconcileWizard, and AWV is structural, and operators tolerate it because UC is the most upgrade-averse tier in the enterprise.
Analysis · May 5, 2026 · The Field Notes Desk

TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.

CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days. CISA added it to KEV in April 2026 with a May 4 federal deadline. If you're still below 2023.11.4, this is two years overdue.