Langchain · Langchain · CVE-2025-68665
**Name of the Vulnerable Software and Affected Versions**
LangChain versions prior to 0.3.37
@langchain/core versions prior to 0.3.80
LangChain versions prior to 1.2.3
@langchain/core versions prior to 1.1.8
**Description**
LangChain is a framework for building applications powered by Large Language Models (LLMs). A serialization issue exists in the `toJSON()` method of LangChain JS, affecting LangChain versions prior to 0.3.37 and 1.2.3, and @langchain/core versions prior to 0.3.80 and 1.1.8. The method does not escape objects that contain an `lc` key when serializing data with `JSON.stringify()`. The `lc` key is used internally by LangChain to mark serialized LangChain objects. If user-supplied data contains this key structure, it may be interpreted as a legitimate LangChain object during deserialization rather than as plain user data. This could potentially lead to unauthorized access to or manipulation of data.
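A simplified model of the ambiguity described above, added here as an illustration and not LangChain's own code: the loader check (any object carrying an `lc` key), the `lc_escaped` envelope used by the hardened serializer, and the sample input are all assumptions made for this example.

```javascript
// Simplified model (not LangChain's code) of the toJSON()/JSON.stringify()
// issue: a loader that treats every object with an "lc" key as a
// framework-serialized object cannot tell user data apart from its own output
// unless the serializer escapes user-supplied "lc" keys.

const LC_MARKER = "lc";
const ESCAPE_KEY = "lc_escaped"; // assumed envelope name for this example

// Model of the loader's check (assumption: the real loader inspects more fields).
function looksLikeLangChainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value)
    && Object.prototype.hasOwnProperty.call(value, LC_MARKER);
}

// Vulnerable pattern: user data is embedded as-is, so a user-supplied
// {lc: ...} becomes indistinguishable from a framework-produced object.
function serializeUnsafe(userData) {
  return JSON.stringify({ lc: 1, kwargs: { content: userData } });
}

// Hardened pattern: recursively wrap any user object carrying an "lc" key in
// an escape envelope so the loader restores it as plain data.
function escapeUserData(value) {
  if (Array.isArray(value)) return value.map(escapeUserData);
  if (value === null || typeof value !== "object") return value;
  const copy = {};
  for (const [k, v] of Object.entries(value)) copy[k] = escapeUserData(v);
  return looksLikeLangChainObject(copy) ? { [ESCAPE_KEY]: copy } : copy;
}

function serializeSafe(userData) {
  return JSON.stringify({ lc: 1, kwargs: { content: escapeUserData(userData) } });
}

// Model of deserialization: list the JSON paths the loader would instantiate
// as LangChain objects. Escape envelopes are restored as data, not descended.
function loaderCandidates(json) {
  const found = [];
  (function walk(node, path) {
    if (Array.isArray(node)) { node.forEach((n, i) => walk(n, `${path}[${i}]`)); return; }
    if (node === null || typeof node !== "object") return;
    if (Object.prototype.hasOwnProperty.call(node, ESCAPE_KEY)) return;
    if (looksLikeLangChainObject(node)) found.push(path);
    for (const [k, v] of Object.entries(node)) walk(v, `${path}.${k}`);
  })(json, "$");
  return found;
}

// Constructed sample: ordinary user data that happens to contain an "lc" key.
const USER_INPUT = { note: "hello", payload: { lc: 1, id: ["user", "data"] } };
```

With `serializeUnsafe`, the loader model reports the nested user object as a second LangChain object; with `serializeSafe`, only the genuine top-level object remains a candidate.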
**Recommendations**
Update to LangChain version 0.3.37 or later.
Update to @langchain/core version 0.3.80 or later.
Update to LangChain version 1.2.3 or later.
Update to @langchain/core version 1.1.8 or later.