Total
7612 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2215 | 1 Doufox | 1 Doufox | 2025-07-12 | 4.7 Medium |
| A vulnerability classified as critical was found in Doufox up to 0.2.0. Affected by this vulnerability is an unknown functionality of the file /?s=doudou&c=file&a=list. The manipulation of the argument dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2749 | 1 Kentico | 1 Xperience | 2025-07-12 | 7.2 High |
| An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178. | ||||
| CVE-2025-30567 | 2 Wordpress, Wp01ru | 2 Wordpress, Wp01 | 2025-07-12 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wp01ru WP01 allows Path Traversal. This issue affects WP01: from n/a through 2.6.2. | ||||
| CVE-2025-30882 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2025-07-12 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JoomSky JS Help Desk allows Path Traversal. This issue affects JS Help Desk: from n/a through 2.9.1. | ||||
| CVE-2024-10100 | 1 Binary-husky | 1 Gpt Academic | 2025-07-11 | 7.5 High |
| A path traversal vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability is due to improper handling of the file parameter, which is open to path traversal through URL encoding. This allows attackers to view any file on the host system, including sensitive files such as critical application files, SSH keys, API keys, and configuration values. | ||||
| CVE-2024-8647 | 1 Gitlab | 1 Gitlab | 2025-07-11 | 5.4 Medium |
| An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled. | ||||
| CVE-2025-47176 | 1 Microsoft | 5 365 Apps, Office, Office 2024 and 2 more | 2025-07-11 | 7.8 High |
| '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally. | ||||
| CVE-2024-38292 | 1 Extremenetworks | 1 Xiq-se | 2025-07-11 | 9.8 Critical |
| In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation. | ||||
| CVE-2024-39332 | 1 Webswing | 1 Webswing | 2025-07-10 | 9.8 Critical |
| Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server. | ||||
| CVE-2018-17828 | 2 Gdraheim, Redhat | 2 Zziplib, Enterprise Linux | 2025-07-10 | N/A |
| Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file. | ||||
| CVE-2025-37098 | 1 Hpe | 1 Insight Remote Support | 2025-07-10 | 7.5 High |
| A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | ||||
| CVE-2024-44867 | 1 Phpok | 1 Phpok | 2025-07-10 | 7.5 High |
| phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php. | ||||
| CVE-2025-4857 | 1 Tribulant | 1 Newsletters | 2025-07-10 | 7.2 High |
| The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-38824 | 1 Saltstack | 1 Salt | 2025-07-10 | 9.6 Critical |
| Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. | ||||
| CVE-2025-6280 | 1 Superagi | 1 Superagi | 2025-07-09 | 5.5 Medium |
| A vulnerability, which was classified as critical, was found in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function download_attachment of the file SuperAGI/superagi/helper/read_email.py of the component EmailToolKit. The manipulation of the argument filename leads to path traversal. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3295 | 1 Benjaminrojas | 1 Wp Editor | 2025-07-09 | 4.9 Medium |
| The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information. | ||||
| CVE-2025-3294 | 1 Benjaminrojas | 1 Wp Editor | 2025-07-09 | 7.2 High |
| The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server. | ||||
| CVE-2025-34031 | 1 Geoffrowland | 1 Jmol | 2025-07-09 | 7.5 High |
| A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. | ||||
| CVE-2025-1973 | 1 Webtoffee | 1 Import Export Wordpress Users | 2025-07-09 | 4.9 Medium |
| The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information. | ||||
| CVE-2025-1769 | 1 Webtoffee | 1 Product Import Export For Woocommerce | 2025-07-09 | 4.9 Medium |
| The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information. | ||||