Total
7227 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45866 | 2 Fedoraproject, Qpress Project | 2 Fedora, Qpress | 2025-04-25 | 5.3 Medium |
| qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file. | ||||
| CVE-2022-43748 | 1 Synology | 1 Presto File Server | 2025-04-25 | 5.8 Medium |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file operation management in Synology Presto File Server before 2.1.2-1601 allows remote attackers to write arbitrary files via unspecified vectors. | ||||
| CVE-2023-49960 | 2 Indo Sol, Indu-sol | 3 Profinet Inspektor Nt, Profinet-inspektor Nt, Profinet-inspektor Nt Firmware | 2025-04-25 | 7.5 High |
| In Indo-Sol PROFINET-INspektor NT through 2.4.0, a path traversal vulnerability in the httpuploadd service of the firmware allows remote attackers to write to arbitrary files via a crafted filename parameter in requests to the /upload endpoint. | ||||
| CVE-2022-44748 | 1 Knime | 1 Knime Server | 2025-04-25 | 7.1 High |
| A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though. Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised. | ||||
| CVE-2022-40976 | 2 Pilz, Pliz | 6 Pas 4000, Pss 4000, Pascal and 3 more | 2025-04-25 | 5.5 Medium |
| A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability. | ||||
| CVE-2025-29213 | 1 Jeewms | 1 Jeewms | 2025-04-25 | 5.5 Medium |
| A zip slip vulnerability in the component \service\migrate\MigrateForm.java of JEEWMS v3.7 allows attackers to execute arbitrary code via a crafted Zip file. | ||||
| CVE-2025-32950 | 2025-04-25 | 6.5 Medium | ||
| Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website. | ||||
| CVE-2022-44635 | 1 Apache | 1 Fineract | 2025-04-25 | 8.8 High |
| Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1. | ||||
| CVE-2023-39810 | 1 Busybox | 1 Busybox | 2025-04-24 | 7.8 High |
| An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. | ||||
| CVE-2022-29837 | 1 Westerndigital | 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more | 2025-04-24 | 4.7 Medium |
| A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution. | ||||
| CVE-2022-40977 | 1 Pilz | 15 Pasvisu, Pmi V507, Pmi V507 Firmware and 12 more | 2025-04-24 | 7.5 High |
| A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability. | ||||
| CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 5.4 Medium |
| WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | ||||
| CVE-2022-44749 | 1 Knime | 1 Knime Analytics Platform | 2025-04-24 | 5.5 Medium |
| A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though. | ||||
| CVE-2022-25848 | 1 Static-dev-server Project | 1 Static-dev-server | 2025-04-24 | 7.5 High |
| This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. | ||||
| CVE-2024-37547 | 1 Livemesh | 1 Elementor Addons | 2025-04-24 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Livemesh Livemesh Addons for Elementor.This issue affects Livemesh Addons for Elementor: from n/a through 8.4.0. | ||||
| CVE-2023-6294 | 2 Popup Builder, Sygnoos | 2 Popup Builder, Popup Builder | 2025-04-24 | 7.5 High |
| The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations. | ||||
| CVE-2025-43928 | 1 Infodraw | 2 Pmrs-102, Pmrs-102 Firmware | 2025-04-24 | 5.8 Medium |
| In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing. | ||||
| CVE-2024-1433 | 1 Kde | 1 Plasma-workspace | 2025-04-24 | 3.1 Low |
| A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-253407. NOTE: This requires write access to user's home or the installation of third party global themes. | ||||
| CVE-2022-44532 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | 4.9 Medium |
| An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below. | ||||
| CVE-2022-43518 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | 4.9 Medium |
| An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below. | ||||