Arbitrary-File-Write

Zarf is vulnerable to path traversal due to insufficient sanitization of the Metadata.Name field in package manifests when using the `zarf package inspect sbom` or `zarf package inspect documentation` commands, potentially leading to arbitrary file write.

A path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root by manipulating the relativePath parameter in GraphQL mutations, leading to potential arbitrary code execution.

Gigabyte Control Center has an Arbitrary File Write vulnerability (CVE-2026-4415) that allows unauthenticated remote attackers to write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.

A path traversal vulnerability exists in the `fetch` command of `@evomap/evolver` due to insufficient validation of the `--out` flag, allowing attackers to write files to arbitrary locations on the filesystem, potentially leading to overwriting critical system files and privilege escalation.

i18next-fs-backend versions before 2.6.4 are vulnerable to path traversal due to insufficient sanitization of the lng and ns values, potentially allowing attackers to read arbitrary files, overwrite files, or execute code if .js or .ts locale files are in use.