Total
430 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11959 | 2025-11-12 | N/A | 8.1 HIGH | ||
|
Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse.This issue affects Excavation Management Information System: before v.10.2025.01.
|
|||||
| CVE-2022-34464 | 1 Siemens | 4 Sicam Gridedge Essential Arm, Sicam Gridedge Essential Gds Arm, Sicam Gridedge Essential Gds Intel and 1 more | 2025-11-12 | 2.1 LOW | 6.3 MEDIUM |
|
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.7.3). The affected application uses an improperly protected file to import SSH keys. This could allow attackers with access to the filesystem of the host on which SICAM GridEdge runs to inject a custom SSH key to that file.
|
|||||
| CVE-2024-53649 | 2025-11-11 | N/A | 6.5 MEDIUM | ||
|
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.80), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 6MD89 (CP300) (All versions >= V7.80 < V9.68), SIPROTEC 5 6MU85 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 7KE85 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 7SA82 (CP100) (All versions >= V7.80 < V8.90), SIPROTEC 5 7SA82 (CP150) (All versions < V9.80), SIPROTEC 5 7SA8 ...
Show More |
|||||
| CVE-2025-48928 | 1 Smarsh | 1 Telemessage | 2025-11-05 | N/A | 4.0 MEDIUM |
|
The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.
|
|||||
| CVE-2025-11371 | 1 Gladinet | 2 Centrestack, Triofox | 2025-11-05 | N/A | 7.5 HIGH |
|
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.
This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
|
|||||
| CVE-2025-61734 | 1 Apache | 1 Kylin | 2025-11-04 | N/A | 7.5 HIGH |
|
Files or Directories Accessible to External Parties vulnerability in Apache Kylin.
You are fine as long as the Kylin's system and project admin access is well protected.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
|
|||||
| CVE-2024-40767 | 1 Openstack | 1 Nova | 2025-11-04 | N/A | 6.5 MEDIUM |
|
In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 a ...
Show More |
|||||
| CVE-2024-32498 | 1 Openstack | 3 Cinder, Glance, Nova | 2025-11-04 | N/A | 6.5 MEDIUM |
|
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conver ...
Show More |
|||||
| CVE-2025-58152 | 2025-11-04 | N/A | 5.3 MEDIUM | ||
|
FutureNet MA and IP-K series provided by Century Systems Co., Ltd. put the firmware version and the garbage collection information on the internal web page. With some crafted HTTP request, they can be accessed without authentication.
|
|||||
| CVE-2024-38876 | 1 Siemens | 6 Omnivise T3000 Application Server, Omnivise T3000 Domain Controller, Omnivise T3000 Product Data Management and 3 more | 2025-11-03 | N/A | 7.8 HIGH |
|
A vulnerability has been identified in Omnivise T3000 Application Server R9.2 (All versions), Omnivise T3000 Domain Controller R9.2 (All versions), Omnivise T3000 Product Data Management (PDM) R9.2 (All versions), Omnivise T3000 R8.2 SP3 (All versions), Omnivise T3000 R8.2 SP4 (All versions), Omnivise T3000 Terminal Server R9.2 (All versions), Omnivise T3000 Thin Client R9.2 (All versions), Omnivise T3000 Whitelisting Server R9.2 (All versions). The affected application regularly executes user m ...
Show More |
|||||
| CVE-2023-29450 | 1 Zabbix | 1 Zabbix | 2025-11-03 | N/A | 8.5 HIGH |
|
JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.
|
|||||
| CVE-2024-51058 | 1 Tcpdf Project | 1 Tcpdf | 2025-11-03 | N/A | 6.2 MEDIUM |
|
Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information.
|
|||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2025-10-27 | 5.0 MEDIUM | 7.5 HIGH |
|
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
|
|||||
| CVE-2017-16651 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-10-22 | 4.6 MEDIUM | 7.8 HIGH |
|
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
|
|||||
| CVE-2016-3715 | 6 Canonical, Imagemagick, Opensuse and 3 more | 30 Ubuntu Linux, Imagemagick, Leap and 27 more | 2025-10-22 | 5.8 MEDIUM | 5.5 MEDIUM |
|
The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.
|
|||||
| CVE-2025-31996 | 1 Hcltech | 1 Unica | 2025-10-21 | N/A | 5.3 MEDIUM |
|
HCL Unica Platform is affected by unprotected files due to improper access controls. These files may contain sensitive information such as private or system information that can be exploited by attackers to compromise the application, infrastructure, or users.
|
|||||
| CVE-2024-0949 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
|
Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68.
|
|||||
| CVE-2024-47518 | 1 Arista | 1 Ng Firewall | 2025-09-29 | N/A | 6.4 MEDIUM |
|
Specially constructed queries targeting ETM could discover active remote access sessions
|
|||||
| CVE-2025-51818 | 1 Chshcms | 1 Mccms | 2025-09-24 | N/A | 5.4 MEDIUM |
|
MCCMS 2.7.0 is vulnerable to Arbitrary file deletion in the Backups.php component. This allows an attacker to execute arbitrary commands
|
|||||
| CVE-2025-25266 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2025-09-23 | N/A | 6.8 MEDIUM |
|
A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict access to the file deletion functionality.
This could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files.
|
|||||
| CVE-2025-25267 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2025-09-23 | N/A | 6.2 MEDIUM |
|
A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict the scope of files accessible to the simulation model. This could allow an unauthorized attacker to compromise the confidentiality of the system.
|
|||||
| CVE-2024-49359 | 1 Zimaspace | 1 Zimaos | 2025-09-22 | N/A | 7.5 HIGH |
|
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as `/etc`, potentially exposing critical configuration files and increasing ...
Show More |
|||||
| CVE-2024-48864 | 1 Qnap | 1 File Station | 2025-09-19 | N/A | 9.1 CRITICAL |
|
A files or directories accessible to external parties vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers to read/write files or directories.
We have already fixed the vulnerability in the following versions:
File Station 5 5.5.6.4741 and later
|
|||||
| CVE-2025-58753 | 1 9001 | 1 Copyparty | 2025-09-18 | N/A | 7.5 HIGH |
|
Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares feature (the `shr` global-option). When a share was created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys. Version 1.19.8 fixes the issue.
|
|||||
| CVE-2024-54099 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | N/A | 6.7 MEDIUM |
|
File replacement vulnerability on some devices
Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
|
|||||
| CVE-2025-37130 | 2025-09-17 | N/A | 6.5 MEDIUM | ||
|
A vulnerability in the command-line interface of EdgeConnect SD-WAN could allow an authenticated attacker to read arbitrary files within the system. Successful exploitation could allow an attacker to read sensitive data from the underlying file system.
|
|||||
| CVE-2025-53536 | 1 Roocode | 1 Roo Code | 2025-09-15 | N/A | 8.1 HIGH |
|
Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a ...
Show More |
|||||
| CVE-2025-3025 | 2025-09-15 | N/A | 7.3 HIGH | ||
|
Elevation of Privileges in the cleaning feature of Gen Digital CCleaner version 6.33.11465 on Windows allows a local user to gain SYSTEM privileges via exploiting insecure file delete operations. Reported in CCleaner v. 6.33.11465. This issue affects CCleaner: before < 6.36.11508.
|
|||||
| CVE-2023-3712 | 1 Honeywell | 2 Pm43, Pm43 Firmware | 2025-09-12 | N/A | 6.6 MEDIUM |
|
Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation.This issue affects PM43 versions prior to P10.19.050004.
Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
|
|||||
| CVE-2024-9945 | 2025-08-29 | N/A | 5.3 MEDIUM | ||
|
An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders.
|
|||||
| CVE-2025-52460 | 2025-08-29 | N/A | 5.3 MEDIUM | ||
|
Files or directories accessible to external parties issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If exploited, uploaded files and SS1 configuration files may be accessed by a remote unauthenticated attacker.
|
|||||
| CVE-2009-10005 | 2025-08-22 | N/A | N/A | ||
|
ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 expose the mimencode binary via a CGI endpoint, allowing unauthenticated attackers to retrieve arbitrary files from the filesystem. By crafting a POST request to /cgi-bin/ck/mimencode with traversal and output parameters, attackers can read sensitive files such as /etc/passwd outside the webroot.
|
|||||
| CVE-2024-6421 | 1 Pepperl-fuchs | 8 Oit1500-f113-b12-cb, Oit1500-f113-b12-cb Firmware, Oit200-f113-b12-cb and 5 more | 2025-08-22 | N/A | 7.5 HIGH |
|
An unauthenticated remote attacker can read out sensitive device information through a incorrectly configured FTP service.
|
|||||
| CVE-2024-56731 | 1 Gogs | 1 Gogs | 2025-08-21 | N/A | 10.0 CRITICAL |
|
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version ...
Show More |
|||||
| CVE-2025-49797 | 2025-08-19 | N/A | 7.8 HIGH | ||
|
Multiple Brother driver installers for Windows contain a privilege escalation vulnerability. If exploited, an arbitrary program may be executed with the administrative privilege. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
|
|||||
| CVE-2025-44779 | 1 Ollama | 1 Ollama | 2025-08-14 | N/A | 6.6 MEDIUM |
|
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.
|
|||||
| CVE-2023-39479 | 1 Softing | 1 Secure Integration Server | 2025-08-12 | N/A | 8.8 HIGH |
|
Softing Secure Integration Server OPC UA Gateway Directory Creation Vulnerability. This vulnerability allows remote attackers to create directories on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of FileDirectory OPC UA Objects. The issue results from allowing unauthorized access to the filesystem. An attacker can ...
Show More |
|||||
| CVE-2023-39480 | 1 Softing | 1 Secure Integration Server | 2025-08-12 | N/A | 6.5 MEDIUM |
|
Softing Secure Integration Server FileDirectory OPC UA Object Arbitrary File Creation Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of FileDirectory OPC UA Objects. The issue results from allowing unauthorized access to the filesy ...
Show More |
|||||
| CVE-2023-20039 | 1 Cisco | 1 Industrial Network Director | 2025-08-11 | N/A | 5.5 MEDIUM |
|
A vulnerability in Cisco IND could allow an authenticated, local attacker to read application data.
This vulnerability is due to insufficient default file permissions that are applied to the application data directory. An attacker could exploit this vulnerability by accessing files in the application data directory. A successful exploit could allow the attacker to view sensitive information.
Cisco has released software updates that address this vulnerability. There are no workarounds that ad ...
Show More |
|||||
| CVE-2025-26525 | 1 Moodle | 1 Moodle | 2025-08-08 | N/A | 8.6 HIGH |
|
Insufficient sanitizing in the TeX notation filter resulted in an
arbitrary file read risk on sites where pdfTeX is available (such as
those with TeX Live installed).
|
|||||