Total
7631 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4912 | 1 Munyweki | 1 Student Result Management System | 2025-05-21 | 5.4 Medium |
| A vulnerability has been found in SourceCodester Student Result Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/core/update_student.php of the component Image File Handler. The manipulation of the argument old_photo leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-2926 | 1 Adobe | 1 Download Manager | 2025-05-21 | 4.9 Medium |
| The Download Manager WordPress plugin before 3.2.55 does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory | ||||
| CVE-2022-40082 | 2 Cloudwego, Microsoft | 2 Hertz, Windows | 2025-05-21 | 7.5 High |
| Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function. | ||||
| CVE-2022-39033 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 9.8 Critical |
| Smart eVision’s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service. | ||||
| CVE-2022-39034 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 6.5 Medium |
| Smart eVision has a path traversal vulnerability in the Report API function due to insufficient filtering for special characters in URLs. A remote attacker with general user privilege can exploit this vulnerability to bypass authentication, access restricted paths and download system files. | ||||
| CVE-2023-48373 | 1 Itpison | 1 Omicard Edm | 2025-05-21 | 7.5 High |
| ITPison OMICARD EDM has a path traversal vulnerability within its parameter “FileName” in a specific function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files. | ||||
| CVE-2022-28814 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2025-05-20 | 9.8 Critical |
| Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device. | ||||
| CVE-2021-33354 | 1 Htmly | 1 Htmly | 2025-05-20 | 8.1 High |
| Directory Traversal vulnerability in htmly before 2.8.1 allows remote attackers to perform arbitrary file deletions via modified file parameter. | ||||
| CVE-2022-2922 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-05-20 | 4.9 Medium |
| Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0. | ||||
| CVE-2025-43566 | 1 Adobe | 1 Coldfusion | 2025-05-19 | 6.8 Medium |
| ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction and scope is changed. | ||||
| CVE-2024-2045 | 1 Opft | 1 Session | 2025-05-19 | 5.5 Medium |
| Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments. | ||||
| CVE-2024-0849 | 1 Leanote | 1 Desktop | 2025-05-19 | 5 Medium |
| Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible because the application is vulnerable to LFR. | ||||
| CVE-2022-34430 | 1 Dell | 1 Hybrid Client | 2025-05-19 | 7.1 High |
| Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification. | ||||
| CVE-2025-4868 | 2025-05-19 | 6.3 Medium | ||
| A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2025-32820 | 1 Sonicwall | 12 Sma 100, Sma 100 Firmware, Sma 200 and 9 more | 2025-05-19 | 8.3 High |
| A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable. | ||||
| CVE-2025-27566 | 2025-05-19 | 3.8 Low | ||
| Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server. | ||||
| CVE-2023-39506 | 1 Pdf-xchange | 2 Pdf-tools, Pdf-xchange Editor | 2025-05-19 | 7.8 High |
| PDF-XChange Editor createDataObject Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the createDataObject method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-20594. | ||||
| CVE-2025-4893 | 2025-05-19 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in jammy928 CoinExchange_CryptoExchange_Java up to 8adf508b996020d3efbeeb2473d7235bd01436fa. This affects the function uploadLocalImage of the file /CoinExchange_CryptoExchange_Java-master/00_framework/core/src/main/java/com/bizzan/bitrade/util/UploadFileUtil.java of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | ||||
| CVE-2024-10708 | 1 Bowo | 1 System Dashboard | 2025-05-17 | 4.9 Medium |
| The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server | ||||
| CVE-2023-32137 | 2 D-link, Dlink | 6 Dap-1360f1 Firmware, Dap-2020 Firmware, Dap-1360 and 3 more | 2025-05-16 | 6.5 Medium |
| D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of requests to the /cgi-bin/webproc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. . Was ZDI-CAN-18415. | ||||