jekkos def0c27a0e fix(security): Path traversal vulnerability in getPicThumb (#4545) ...

Security impact:
- Authenticated attackers could read arbitrary files on the server
- Path traversal via unsanitized pic_filename parameter
- Could read .env, config files, encryption keys

Fix:
- Apply basename() to strip directory components
- Validate file extension to allowlist image types only
- Add explicit error response for invalid file types

CVE: Pending
Affected: <= 3.4.2
Reported by: Kamran Saifullah (VulDB)

Co-authored-by: Ollama <ollama@steganos.dev>

2026-05-15 22:04:29 +02:00

..

Config

fix(docker): correct permissions and fix migration barcode_type error (#4546)

2026-05-13 20:55:59 +02:00

Controllers

fix(security): Path traversal vulnerability in getPicThumb (#4545)

2026-05-15 22:04:29 +02:00

Database

chore: sync project files to match upstream templates (#4537)

2026-05-12 15:55:36 +02:00

Events

[Feature]: Case-sensitive attribute updates and CSV Import attribute deletion capability (#4384)

2026-04-09 11:13:22 +04:00

Filters

Upgrade to CodeIgniter 4.1.3

2024-06-15 17:19:15 +02:00

Helpers

feat: Bank transfer and wallet payment option added #4540 (#4547)

2026-05-15 20:50:34 +02:00

Language

feat: Bank transfer and wallet payment option added #4540 (#4547)

2026-05-15 20:50:34 +02:00

Libraries

Assignable Keyboard Shortcuts Updates (#4532)

2026-05-07 22:53:25 +04:00

Models

feat: Bank transfer and wallet payment option added #4540 (#4547)

2026-05-15 20:50:34 +02:00

ThirdParty

Improve code style and PSR-12 compliance (#4204)

2025-05-02 19:37:06 +02:00

Views

chore: sync project files to match upstream templates (#4537)

2026-05-12 15:55:36 +02:00

.htaccess

Improve code style and PSR-12 compliance (#4204)

2025-05-02 19:37:06 +02:00

Common.php

Upgrade CI to 4.4.3

2024-06-15 17:19:15 +02:00

index.html

Corrected link in README.md

2024-06-15 17:19:15 +02:00