Total
7425 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5029 | 2025-05-21 | 5.4 Medium | ||
| A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-4524 | 2025-05-21 | 9.8 Critical | ||
| The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2025-48017 | 2025-05-21 | 9 Critical | ||
| Improper limitation of pathname in Circuit Provisioning and File Import applications allows modification and uploading of files | ||||
| CVE-2025-27920 | 1 Srimax | 1 Output Messenger | 2025-05-21 | 7.2 High |
| Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access. | ||||
| CVE-2025-4898 | 1 Munyweki | 1 Student Result Management System | 2025-05-21 | 5.4 Medium |
| A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as critical. This vulnerability affects the function unlink of the file update_system.php of the component Logo File Handler. The manipulation of the argument old_logo leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-40199 | 1 Ec-cube | 1 Ec-cube | 2025-05-21 | 2.7 Low |
| Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information. | ||||
| CVE-2023-38950 | 1 Zkteco | 1 Biotime | 2025-05-21 | 7.5 High |
| A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | ||||
| CVE-2025-4912 | 1 Munyweki | 1 Student Result Management System | 2025-05-21 | 5.4 Medium |
| A vulnerability has been found in SourceCodester Student Result Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/core/update_student.php of the component Image File Handler. The manipulation of the argument old_photo leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-2926 | 1 Adobe | 1 Download Manager | 2025-05-21 | 4.9 Medium |
| The Download Manager WordPress plugin before 3.2.55 does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory | ||||
| CVE-2022-40082 | 2 Cloudwego, Microsoft | 2 Hertz, Windows | 2025-05-21 | 7.5 High |
| Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function. | ||||
| CVE-2022-39033 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 9.8 Critical |
| Smart eVision’s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service. | ||||
| CVE-2022-39034 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 6.5 Medium |
| Smart eVision has a path traversal vulnerability in the Report API function due to insufficient filtering for special characters in URLs. A remote attacker with general user privilege can exploit this vulnerability to bypass authentication, access restricted paths and download system files. | ||||
| CVE-2023-48373 | 1 Itpison | 1 Omicard Edm | 2025-05-21 | 7.5 High |
| ITPison OMICARD EDM has a path traversal vulnerability within its parameter “FileName” in a specific function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files. | ||||
| CVE-2022-28814 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2025-05-20 | 9.8 Critical |
| Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device. | ||||
| CVE-2021-33354 | 1 Htmly | 1 Htmly | 2025-05-20 | 8.1 High |
| Directory Traversal vulnerability in htmly before 2.8.1 allows remote attackers to perform arbitrary file deletions via modified file parameter. | ||||
| CVE-2022-2922 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-05-20 | 4.9 Medium |
| Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0. | ||||
| CVE-2025-43566 | 1 Adobe | 1 Coldfusion | 2025-05-19 | 6.8 Medium |
| ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction and scope is changed. | ||||
| CVE-2024-2045 | 1 Opft | 1 Session | 2025-05-19 | 5.5 Medium |
| Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments. | ||||
| CVE-2024-0849 | 1 Leanote | 1 Desktop | 2025-05-19 | 5 Medium |
| Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible because the application is vulnerable to LFR. | ||||
| CVE-2022-34430 | 1 Dell | 1 Hybrid Client | 2025-05-19 | 7.1 High |
| Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification. | ||||