Total
415 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-24161 | 1 Mrcms | 1 Mrcms | 2025-06-12 | 7.5 High |
| MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered. | ||||
| CVE-2024-48019 | 1 Apache | 1 Doris | 2025-06-09 | 5.4 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue. | ||||
| CVE-2025-0620 | 1 Redhat | 2 Enterprise Linux, Openshift | 2025-06-09 | 6.6 Medium |
| A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again. | ||||
| CVE-2024-51058 | 1 Tcpdf Project | 1 Tcpdf | 2025-06-03 | 6.2 Medium |
| Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information. | ||||
| CVE-2025-4634 | 2025-05-30 | 4.1 Medium | ||
| The web portal on airpointer 2.4.107-2 was vulnerable local file inclusion. A malicious user with administrative privileges in the web portal would be able to manipulate requests to view files on the filesystem | ||||
| CVE-2025-5273 | 2025-05-29 | 6.5 Medium | ||
| All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server. | ||||
| CVE-2025-4134 | 2025-05-28 | 7.3 High | ||
| Lack of file validation in do_update_vps in Avast Business Antivirus for Linux 4.5 on Linux allows local user to spoof or tamper with the update file via an unverified file write. | ||||
| CVE-2025-4807 | 1 Senior-walter | 1 Online Student Clearance System | 2025-05-28 | 5.3 Medium |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-4909 | 1 Lerouxyxchire | 1 Client Database Management System | 2025-05-28 | 7.3 High |
| A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2025-05-27 | 7.5 High |
| Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints. | ||||
| CVE-2023-5907 | 1 Bitapps | 1 File Manager | 2025-05-27 | 6.5 Medium |
| The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files. | ||||
| CVE-2021-21343 | 7 Apache, Debian, Fedoraproject and 4 more | 21 Activemq, Jmeter, Debian Linux and 18 more | 2025-05-23 | 5.3 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2022-41343 | 1 Dompdf Project | 1 Dompdf | 2025-05-22 | 7.5 High |
| registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule. | ||||
| CVE-2022-40126 | 1 Clash Project | 1 Clash | 2025-05-21 | 7.8 High |
| A misconfiguration in the Service Mode profile directory of Clash for Windows v0.19.9 allows attackers to escalate privileges and execute arbitrary commands when Service Mode is activated. | ||||
| CVE-2022-3287 | 2 Fwupd, Redhat | 3 Fwupd, Enterprise Linux, Rhel Eus | 2025-05-20 | 6.5 Medium |
| When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file. | ||||
| CVE-2024-22240 | 1 Vmware | 1 Aria Operations For Networks | 2025-05-15 | 4.9 Medium |
| Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information. | ||||
| CVE-2025-2651 | 1 Oretnom23 | 1 Online Eyewear Shop | 2025-05-14 | 5.3 Medium |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected. | ||||
| CVE-2022-42234 | 1 Ucms Project | 1 Ucms | 2025-05-14 | 8.8 High |
| There is a file inclusion vulnerability in the template management module in UCMS 1.6 | ||||
| CVE-2025-21609 | 1 B3log | 1 Siyuan | 2025-05-14 | 9.1 Critical |
| SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19. | ||||
| CVE-2024-45627 | 1 Apache | 1 Linkis | 2025-05-13 | 5.9 Medium |
| In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected. We recommend users upgrade the version of Linkis to version 1.7.0. | ||||