cpe:2.3:a:allure-framework:allure2:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Allure Framework (1b982c1e-e262-50e9-bbdf-4584a2a71eea) |
|---|---|
| Product | Allure2 (9a160571-b4c4-5c10-a1f6-7a5b0a1be6ca) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-33166 | vulnerable | 2026-06-08 07:59:09.272085 | Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)<br>HIGH (8.6)<br>Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.<br>Published: 2026-03-20T21:38:23.475Z<br>Updated: 2026-03-24T02:04:09.955Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52888 | vulnerable | 2026-06-08 07:31:13.145296 | Allure 2's xunit-xml-plugin Vulnerable to Improper XXE Restriction<br>HIGH (7.5)<br>Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.<br>Published: 2025-06-24T19:45:22.854Z<br>Updated: 2025-06-24T19:56:50.479Z | Imported from gcve-enriched-dumps CVE data |