Total
7425 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4868 | 2025-05-19 | 6.3 Medium | ||
| A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2025-47788 | 2025-05-19 | N/A | ||
| Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue. | ||||
| CVE-2025-32820 | 1 Sonicwall | 12 Sma 100, Sma 100 Firmware, Sma 200 and 9 more | 2025-05-19 | 8.3 High |
| A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable. | ||||
| CVE-2025-27566 | 2025-05-19 | 3.8 Low | ||
| Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server. | ||||
| CVE-2023-39506 | 1 Pdf-xchange | 2 Pdf-tools, Pdf-xchange Editor | 2025-05-19 | 7.8 High |
| PDF-XChange Editor createDataObject Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the createDataObject method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-20594. | ||||
| CVE-2025-4893 | 2025-05-19 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in jammy928 CoinExchange_CryptoExchange_Java up to 8adf508b996020d3efbeeb2473d7235bd01436fa. This affects the function uploadLocalImage of the file /CoinExchange_CryptoExchange_Java-master/00_framework/core/src/main/java/com/bizzan/bitrade/util/UploadFileUtil.java of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | ||||
| CVE-2024-10708 | 1 Bowo | 1 System Dashboard | 2025-05-17 | 4.9 Medium |
| The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server | ||||
| CVE-2023-32137 | 2 D-link, Dlink | 6 Dap-1360f1 Firmware, Dap-2020 Firmware, Dap-1360 and 3 more | 2025-05-16 | 6.5 Medium |
| D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of requests to the /cgi-bin/webproc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. . Was ZDI-CAN-18415. | ||||
| CVE-2025-27409 | 1 Joplin Project | 1 Joplin | 2025-05-16 | 7.5 High |
| Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3. | ||||
| CVE-2025-46433 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | 4.9 Medium |
| In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible | ||||
| CVE-2025-4564 | 2025-05-16 | 9.8 Critical | ||
| The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-40629 | 2025-05-16 | N/A | ||
| PNETLab 4.2.10 does not properly sanitize user inputs in its file access mechanisms. This allows attackers to perform directory traversal by manipulating file paths in HTTP requests. Specifically, the application is vulnerable to requests that access sensitive files outside the intended directory. | ||||
| CVE-2021-20030 | 1 Sonicwall | 1 Global Management System | 2025-05-16 | 7.5 High |
| SonicWall GMS is vulnerable to file path manipulation resulting that an unauthenticated attacker can gain access to web directory containing application's binaries and configuration files. | ||||
| CVE-2022-34426 | 1 Dell | 1 Container Storage Modules | 2025-05-16 | 8.8 High |
| Dell Container Storage Modules 1.2 contains an Improper Limitation of a Pathname to a Restricted Directory in goiscsi and gobrick libraries which could lead to OS command injection. A remote unauthenticated attacker could exploit this vulnerability leading to unintentional access to path outside of restricted directory. | ||||
| CVE-2022-33937 | 1 Dell | 1 Geodrive | 2025-05-16 | 7.1 High |
| Dell GeoDrive, Versions 1.0 - 2.2, contain a Path Traversal Vulnerability in the reporting function. A local, low privileged attacker could potentially exploit this vulnerability, to gain unauthorized delete access to the files stored on the server filesystem, with the privileges of the GeoDrive service: NT AUTHORITY\SYSTEM. | ||||
| CVE-2024-24307 | 1 Prestalife | 1 Product Designer | 2025-05-15 | 7.5 High |
| Path Traversal vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method. | ||||
| CVE-2024-24940 | 1 Jetbrains | 1 Intellij Idea | 2025-05-15 | 2.8 Low |
| In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives | ||||
| CVE-2024-24398 | 1 Stimulsoft | 1 Dashboards.php | 2025-05-15 | 9.8 Critical |
| Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function. | ||||
| CVE-2023-7077 | 1 Sharp | 52 Nec E705, Nec E705 Firmware, Nec E805 and 49 more | 2025-05-15 | 9.8 Critical |
| Sharp NEC Displays (P403, P463, P553, P703, P801, X554UN, X464UN, X554UNS, X464UNV, X474HB, X464UNS, X554UNV, X555UNS, X555UNV, X754HB, X554HB, E705, E805, E905, UN551S, UN551VS, X551UHD, X651UHD, X841UHD, X981UHD, MD551C8) allows an attacker execute remote code by sending unintended parameters in http request. | ||||
| CVE-2023-40266 | 1 Mitel | 1 Unify Openscape Xpressions Webassistant | 2025-05-15 | 9.8 Critical |
| An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows path traversal. | ||||