Total: 8266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23899 | 1 Jenkins | 1 Git Server | 2025-06-04 | N/A | 6.5 MEDIUM |
|
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
|
|||||
| CVE-2025-41428 | | | 2025-06-04 | N/A | 5.3 MEDIUM |
|
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in TimeWorks 10.0 to 10.3. If exploited, arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.
|
|||||
| CVE-2022-40713 | 1 Nokia | 1 1350 Optical Management System | 2025-06-03 | N/A | 6.5 MEDIUM |
|
An issue was discovered in NOKIA 1350OMS R14.2. Multiple Relative Path Traversal issues exist in different specific endpoints via the file parameter, allowing a remote authenticated attacker to read files on the filesystem arbitrarily.
|
|||||
| CVE-2022-23767 | 2 Hanssak, Microsoft | 3 Securegate, Weblink, Windows | 2025-06-03 | N/A | 8.8 HIGH |
|
This vulnerability of SecureGate is SQL-Injection using login without password. A path traversal vulnerability is also identified during file transfer. An attacker can take advantage of these vulnerabilities to perform various attacks such as obtaining privileges and executing remote code, thereby taking over the victim’s system.
|
|||||
| CVE-2022-39001 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2025-06-03 | N/A | 7.5 HIGH |
|
The number identification module has a path traversal vulnerability. Successful exploitation of this vulnerability may cause data disclosure.
|
|||||
| CVE-2025-5160 | 1 H3c | 1 Seccenter Smp-1114p02 | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in H3C SecCenter SMP-E1114P02 up to 20250513. Affected is the function Download of the file /packetCaptureStrategy/download. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5159 | 1 H3c | 1 Seccenter Smp-1114p02 | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in H3C SecCenter SMP-E1114P02 up to 20250513. It has been rated as problematic. This issue affects the function Download of the file /cfgFile/1/download. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5158 | 1 H3c | 1 Seccenter Smp-1114p02 | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in H3C SecCenter SMP-E1114P02 up to 20250513. It has been declared as problematic. This vulnerability affects the function downloadSoftware of the file /cfgFile/downloadSoftware. The manipulation of the argument filename leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5157 | 1 H3c | 1 Seccenter Smp-1114p02 | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in H3C SecCenter SMP-E1114P02 up to 20250513. It has been classified as critical. This affects the function fileContent of the file /cfgFile/fileContent. The manipulation of the argument filePath leads to path traversal. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5161 | 1 H3c | 1 Seccenter Smp-1114p02 | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic was found in H3C SecCenter SMP-E1114P02 up to 20250513. Affected by this vulnerability is the function operationDailyOut of the file /safeEvent/download. The manipulation of the argument filename leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-20805 | 1 Samsung | 2 Android, Myfiles | 2025-06-03 | N/A | 3.3 LOW |
|
Path traversal vulnerability in ZipCompressor of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows local attackers to write arbitrary files.
|
|||||
| CVE-2023-50916 | 1 Kyocera | 1 Device Manager | 2025-06-03 | N/A | 7.2 HIGH |
|
Kyocera Device Manager before 3.1.1213.0 allows NTLM credential exposure during UNC path authentication via a crafted change from a local path to a UNC path. It allows administrators to configure the backup location of the database used by the application. Attempting to change this location to a UNC path via the GUI is rejected due to the use of a \ (backslash) character, which is supposed to be disallowed in a pathname. Intercepting and modifying this request via a proxy, or sending the request ...
|
|||||
| CVE-2023-47890 | 1 Pyload | 1 Pyload | 2025-06-03 | N/A | 8.8 HIGH |
|
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
|
|||||
| CVE-2023-45722 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-03 | N/A | 8.8 HIGH |
|
HCL DRYiCE MyXalytics is impacted by path traversal arbitrary file read vulnerability because it uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory. The product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Potential exploits can completely disrupt or take over the application.
|
|||||
| CVE-2023-37607 | 1 Automaticsystems | 2 Soc Fl9600 Firstlane, Soc Fl9600 Firstlane Firmware | 2025-06-03 | N/A | 7.5 HIGH |
|
Directory Traversal in Automatic Systems SOC FL9600 FirstLane V06 lego_T04E00 allows a remote attacker to obtain sensitive information via csvServer.php?file= with a .. in the dir parameter.
|
|||||
| CVE-2023-29962 | 1 S-cms | 1 S-cms | 2025-06-03 | N/A | 6.5 MEDIUM |
|
S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability.
|
|||||
| CVE-2024-41511 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 3.9 LOW |
|
A Path Traversal (Local File Inclusion) vulnerability in "BinaryFileRedirector.ashx" in CADClick v1.11.0 and before allows remote attackers to retrieve arbitrary local files via the "path" parameter.
|
|||||
| CVE-2025-5380 | | | 2025-06-02 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, has been found in ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统 up to 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb. This issue affects some unknown processing of the file /upload/ of the component Image File Upload. The manipulation of the argument File leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery ...
|
|||||
| CVE-2023-2252 | 1 Wpwax | 1 Directorist | 2025-06-02 | N/A | 2.7 LOW |
|
The Directorist WordPress plugin before 7.5.4 is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files.
|
|||||
| CVE-2024-27199 | 1 Jetbrains | 1 Teamcity | 2025-05-30 | N/A | 7.3 HIGH |
|
In JetBrains TeamCity before 2023.11.4, a path traversal allowing limited admin actions to be performed was possible.
|
|||||
| CVE-2021-32018 | 1 Jump-technology | 1 Asset Management | 2025-05-30 | 4.0 MEDIUM | 8.5 HIGH |
|
An issue was discovered in JUMP AMS 3.6.0.04.009-2487. The JUMP SOAP API was vulnerable to arbitrary file reading due to an improper limitation of file loading on the server filesystem, aka directory traversal.
|
|||||
| CVE-2021-32016 | 1 Jump-technology | 1 Asset Management | 2025-05-30 | 6.5 MEDIUM | 9.9 CRITICAL |
|
An issue was discovered in JUMP AMS 3.6.0.04.009-2487. A JUMP SOAP endpoint permitted the writing of arbitrary files to a user-controlled location on the remote filesystem (with user-controlled content) via directory traversal, potentially leading to remote code and command execution.
|
|||||
| CVE-2024-23768 | 1 Dremio | 1 Dremio | 2025-05-30 | N/A | 8.8 HIGH |
|
Dremio before 24.3.1 allows path traversal. An authenticated user who has no privileges on certain folders (and the files and datasets in these folders) can access these folders, files, and datasets. To be successful, the user must have access to the source and at least one folder in the source. Affected versions are: 24.0.0 through 24.3.0, 23.0.0 through 23.2.3, and 22.0.0 through 22.2.2. Fixed versions are: 24.3.1 and later, 23.2.4 and later, and 22.2.3 and later.
|
|||||
| CVE-2024-23182 | 1 Appleple | 1 A-blog Cms | 2025-05-30 | N/A | 8.1 HIGH |
|
Relative path traversal vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to delete arbitrary files on the server.
|
|||||
| CVE-2024-36795 | 1 Netgear | 2 Wnr614, Wnr614 Firmware | 2025-05-29 | N/A | 4.0 MEDIUM |
|
Insecure permissions in Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 allows attackers to access URLs and directories embedded within the firmware via unspecified vectors.
|
|||||
| CVE-2022-38340 | 1 Safe | 1 Fme Server | 2025-05-29 | N/A | 9.1 CRITICAL |
|
Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a Path Traversal vulnerability via the component fmedataupload.
|
|||||
| CVE-2023-37888 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-29 | N/A | 7.6 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in By Averta Shortcodes and extra features for Phlox theme allows PHP Local File Inclusion. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.14.0.
|
|||||
| CVE-2024-10625 | 1 Vanquish | 1 Woocommerce Support Ticket System | 2025-05-28 | N/A | 9.8 CRITICAL |
|
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
|
|||||
| CVE-2024-10626 | 1 Vanquish | 1 Woocommerce Support Ticket System | 2025-05-28 | N/A | 8.8 HIGH |
|
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
|
|||||
| CVE-2024-5709 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 8.8 HIGH |
|
The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.7 via the 'layout_name' parameter. This makes it possible for authenticated attackers, with Author-level access and above, and with post permissions granted by an Administrator, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code ex ...
|
|||||
| CVE-2023-46307 | 1 Buddho | 1 Etcd Browser | 2025-05-28 | N/A | 7.5 HIGH |
|
An issue was discovered in server.js in etcd-browser 87ae63d75260. By supplying a /../../../ Directory Traversal input to the URL's GET request while connecting to the remote server port specified during setup, an attacker can retrieve local operating system files from the remote system.
|
|||||
| CVE-2024-7774 | 1 Langchain | 1 Langchain.js | 2025-05-28 | N/A | 9.1 CRITICAL |
|
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
|
|||||
| CVE-2022-41231 | 1 Jenkins | 1 Build-publisher | 2025-05-28 | N/A | 5.7 MEDIUM |
|
Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.
|
|||||
| CVE-2025-48370 | | | 2025-05-28 | N/A | N/A |
|
auth-js is an isomorphic JavaScript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user-supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the userId, are not affected by this. This issue has been patched in versi ...
|
|||||
| CVE-2025-4807 | 1 Senior-walter | 1 Online Student Clearance System | 2025-05-28 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2022-29799 | 1 Microsoft | 1 Windows Defender For Endpoint | 2025-05-27 | N/A | 5.5 MEDIUM |
|
A vulnerability was found in networkd-dispatcher. This flaw exists because no functions are sanitized by the OperationalState or the AdministrativeState of networkd-dispatcher. This attack leads to a directory traversal to escape from the “/etc/networkd-dispatcher” base directory.
|
|||||
| CVE-2023-38951 | 1 Zkteco | 1 Biotime | 2025-05-27 | N/A | 9.8 CRITICAL |
|
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.
|
|||||
| CVE-2022-28981 | 1 Liferay | 1 Liferay Portal | 2025-05-27 | N/A | 7.5 HIGH |
|
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
|
|||||
| CVE-2022-40444 | 1 Zzcms | 1 Zzcms | 2025-05-27 | N/A | 5.3 MEDIUM |
|
ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.
|
|||||
| CVE-2022-40443 | 1 Zzcms | 1 Zzcms | 2025-05-27 | N/A | 5.3 MEDIUM |
|
An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.
|
|||||