Total: 7632 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-25848 | 1 Static-dev-server Project | 1 Static-dev-server | 2025-04-24 | 7.5 High | This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.
CVE-2024-37547 | 1 Livemesh | 1 Elementor Addons | 2025-04-24 | 6.5 Medium | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Livemesh Livemesh Addons for Elementor. This issue affects Livemesh Addons for Elementor: from n/a through 8.4.0.
CVE-2023-6294 | 2 Popup Builder, Sygnoos | 2 Popup Builder, Popup Builder | 2025-04-24 | 7.5 High | The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform an SSRF attack in Multisite WordPress configurations.
CVE-2025-43928 | 1 Infodraw | 2 Pmrs-102, Pmrs-102 Firmware | 2025-04-24 | 5.8 Medium | In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.
CVE-2024-1433 | 1 Kde | 1 Plasma-workspace | 2025-04-24 | 3.1 Low | A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-253407. NOTE: This requires write access to the user's home or the installation of third party global themes.
CVE-2022-44532 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | 4.9 Medium | An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.
CVE-2022-43518 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | 4.9 Medium | An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.
CVE-2022-42706 | 1 Sangoma | 2 Asterisk, Certified Asterisk | 2025-04-24 | 4.9 Medium | An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.
CVE-2024-7263 | 2 Kingsoft, Microsoft | 2 Wps Office, Windows | 2025-04-24 | 7.8 High | Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized, which leads to the execution of an arbitrary Windows library.
CVE-2023-26687 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | 8.8 High | Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to obtain sensitive information via the product_data parameter in the PDF Add-on.
CVE-2023-26691 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | 7.2 High | Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via a crafted zip file when installing a new add-on.
CVE-2021-36471 | 1 Adminlte.io | 1 Adminlte | 2025-04-23 | 9.8 Critical | Directory Traversal vulnerability in AdminLTE 3.1.0 allows remote attackers to gain escalated privilege and view sensitive information via /admin/index2.html, /admin/index3.html URIs. Note: AdminLTE developers dispute that this is a weakness with AdminLTE and is instead a misconfiguration error on various websites by the website developers.
CVE-2023-38366 | 1 Ibm | 1 Filenet Content Manager | 2025-04-23 | 5.3 Medium | IBM Filenet Content Manager Component 5.5.8.0, 5.5.10.0, and 5.5.11.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 261115.
CVE-2021-21090 | 2 Adobe, Microsoft | 2 Incopy, Windows | 2025-04-23 | 8.8 High | Adobe InCopy version 16.0 (and earlier) is affected by a path traversal vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to achieve remote code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2021-21102 | 2 Adobe, Microsoft | 2 Illustrator, Windows | 2025-04-23 | 8.8 High | Adobe Illustrator version 25.2 (and earlier) is affected by a Path Traversal vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2021-40745 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2025-04-23 | 7.5 High | Adobe Campaign version 21.2.1 (and earlier) is affected by a Path Traversal vulnerability that could lead to reading arbitrary server files. By leveraging an exposed XML file, an unauthenticated attacker can enumerate other files on the server.
CVE-2022-21675 | 1 Bytecode Viewer Project | 1 Bytecode Viewer | 2025-04-23 | 9.9 Critical | Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Versions of the package prior to 2.11.0 are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip"). The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The Zip Slip vulnerability can affect numerous archive formats, including zip, jar, tar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine. The impact of a Zip Slip vulnerability would allow an attacker to create or overwrite existing files on the filesystem. In the context of a web application, a web shell could be placed within the application directory to achieve code execution. All users should upgrade to BCV v2.11.0 when possible to receive a patch. There are no recommended workarounds aside from upgrading.
CVE-2022-21693 | 1 Onionshare | 1 Onionshare | 2025-04-23 | 6.3 Medium | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions an adversary with a primitive that allows for filesystem access from the context of the OnionShare process can access sensitive files in the entire user home folder. This could lead to the leaking of sensitive data. Due to the automatic exclusion of hidden folders, the impact is reduced. This can be mitigated by usage of the flatpak release.
CVE-2022-23609 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2025-04-23 | 8.3 High | iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize user input used to remove files, leading to file deletion limited only by the process permissions. Users are advised to upgrade as soon as possible.
CVE-2022-23620 | 1 Xwiki | 1 Xwiki | 2025-04-23 | 6.8 Medium | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing them on the filesystem, so it is possible for the HTML export process to contain reference elements containing filesystem syntax like "../", "./" or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export.