Total
260 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-49738 | 1 Wwbn | 1 Avideo | 2025-06-17 | 7.5 High |
| An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | ||||
| CVE-2023-47862 | 1 Wwbn | 1 Avideo | 2025-06-17 | 9.8 Critical |
| A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability. | ||||
| CVE-2023-47171 | 1 Wwbn | 1 Avideo | 2025-06-17 | 6.5 Medium |
| An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | ||||
| CVE-2025-36506 | 2025-06-16 | N/A | ||
| External control of file name or path issue exists in RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.242.0. If an attacker sends a specially crafted request, arbitrary files in the file system can be overwritten with log data. | ||||
| CVE-2024-1243 | 2025-06-12 | N/A | ||
| Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks. | ||||
| CVE-2024-1244 | 2025-06-12 | N/A | ||
| Improper input validation in the OSSEC HIDS agent for Windows prior to version 3.8.0 allows an attacker in with control over the OSSEC server or in possession of the agent's key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks. | ||||
| CVE-2024-0265 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-06-09 | 6.3 Medium |
| A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php of the component GET Parameter Handler. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249821 was assigned to this vulnerability. | ||||
| CVE-2025-48781 | 2025-06-06 | N/A | ||
| An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths. | ||||
| CVE-2025-48783 | 2025-06-06 | N/A | ||
| An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths. | ||||
| CVE-2025-3419 | 1 Themewinter | 1 Eventin | 2025-06-04 | 7.5 High |
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-3431 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-06-04 | 7.5 High |
| The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2024-55371 | 1 Wallosapp | 1 Wallos | 2025-06-03 | 9.8 Critical |
| Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authenticated attacker (being an administrator is not required) to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands. | ||||
| CVE-2024-55372 | 1 Wallosapp | 1 Wallos | 2025-06-03 | 9.8 Critical |
| Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unauthenticated attacker to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands. | ||||
| CVE-2024-20652 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-06-03 | 8.1 High |
| Windows HTML Platforms Security Feature Bypass Vulnerability | ||||
| CVE-2020-36772 | 1 Cloudlinux | 1 Cagefs | 2025-05-30 | 4.4 Medium |
| CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. | ||||
| CVE-2025-32802 | 1 Redhat | 1 Enterprise Linux | 2025-05-29 | 6.1 Medium |
| Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | ||||
| CVE-2023-6618 | 1 Oretnom23 | 1 Simple Student Attendance System | 2025-05-27 | 5.5 Medium |
| A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument page leads to file inclusion. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247255. | ||||
| CVE-2021-21343 | 7 Apache, Debian, Fedoraproject and 4 more | 21 Activemq, Jmeter, Debian Linux and 18 more | 2025-05-23 | 5.3 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2023-6569 | 1 H2o | 1 H2o | 2025-05-22 | 8.2 High |
| External Control of File Name or Path in h2oai/h2o-3 | ||||
| CVE-2024-0849 | 1 Leanote | 1 Desktop | 2025-05-19 | 5 Medium |
| Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible because the application is vulnerable to LFR. | ||||