Total
7713 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6283 | 1 Xata | 1 Agent | 2025-09-30 | 3.5 Low |
| A vulnerability was found in xataio Xata Agent up to 0.3.0. It has been classified as problematic. This affects the function GET of the file apps/dbagent/src/app/api/evals/route.ts. The manipulation of the argument passed leads to path traversal. Upgrading to version 0.3.1 is able to address this issue. The patch is named 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc. It is recommended to upgrade the affected component. | ||||
| CVE-2024-2654 | 1 Filemanagerpro | 1 File Manager | 2025-09-29 | 6.8 Medium |
| The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information. | ||||
| CVE-2025-11034 | 1 Dibo | 1 Data Decision Making System | 2025-09-29 | 4.3 Medium |
| A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. The affected element is the function downloadImpTemplet of the file /common/dep/common_dep.action.jsp. The manipulation of the argument filePath results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-59002 | 2 Seatheme, Wordpress | 2 Bm Content Builder, Wordpress | 2025-09-29 | 7.7 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal. This issue affects BM Content Builder: from n/a through n/a. | ||||
| CVE-2025-53375 | 1 Dokploy | 1 Dokploy | 2025-09-29 | 6.5 Medium |
| Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access (e.g., /etc/passwd, application source, environment variable files containing credentials and secrets). This may lead to full compromise of other services or lateral movement. This vulnerability is fixed in 0.23.7. | ||||
| CVE-2025-10307 | 2 Softaculous, Wordpress | 2 Backuply, Wordpress | 2025-09-29 | 6.5 Medium |
| The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-11016 | 1 Kalcaddle | 1 Kodbox | 2025-09-29 | 4.3 Medium |
| A security vulnerability has been detected in kalcaddle kodbox up to 1.61.09. The affected element is the function fileOut of the file app/controller/explorer/index.class.php. Such manipulation of the argument path leads to path traversal. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2009-4449 | 1 Mybb | 1 Mybb | 2025-09-26 | 6.5 Medium |
| Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php. | ||||
| CVE-2025-31174 | 1 Huawei | 1 Harmonyos | 2025-09-26 | 6.8 Medium |
| Path traversal vulnerability in the DFS module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-10951 | 1 Geyang | 1 Ml-logger | 2025-09-26 | 7.3 High |
| A vulnerability was identified in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this vulnerability is the function log_handler of the file ml_logger/server.py. Such manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | ||||
| CVE-2025-58320 | 2 Delta Electronics, Deltaww | 2 Dialink, Dialink | 2025-09-26 | 7.3 High |
| Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability. | ||||
| CVE-2025-58321 | 2 Delta Electronics, Deltaww | 2 Dialink, Dialink | 2025-09-26 | 10 Critical |
| Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability. | ||||
| CVE-2025-10449 | 2025-09-26 | 8.6 High | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saysis Computer Systems Trade Ltd. Co. Saysis Web Portal allows Path Traversal.This issue affects Saysis Web Portal: from 3.1.9 & 3.2.0 before 3.2.1. | ||||
| CVE-2025-22601 | 1 Discourse | 1 Discourse | 2025-09-25 | 3.1 Low |
| Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-9079 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-25 | 8 High |
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory | ||||
| CVE-2024-6127 | 1 Bcsecurity | 1 Empire | 2025-09-25 | 9.8 Critical |
| BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path. | ||||
| CVE-2014-0780 | 1 Indusoft | 1 Web Studio | 2025-09-25 | 9.8 Critical |
| Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests. | ||||
| CVE-2025-34185 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-09-25 | 7.5 High |
| Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Remote attackers can retrieve arbitrary files from the server, exposing sensitive system information and credentials. | ||||
| CVE-2023-24836 | 1 Sun.net | 1 Ehrd Ctms | 2025-09-25 | 8.8 High |
| SUNNET CTMS has vulnerability of path traversal within its file uploading function. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload and execute scripts onto arbitrary directories to perform arbitrary system operation or disrupt service. | ||||
| CVE-2025-9963 | 1 Novakon | 1 P Series | 2025-09-25 | N/A |
| A path traversal vulnerability in Novakon P series allows to expose the root file system "/" and modify all files with root permissions. This way the system can also be compromized.This issue affects P series: P – V2001.A.C518o2. | ||||