Total
394 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22240 | 1 Vmware | 1 Aria Operations For Networks | 2025-05-15 | 4.9 Medium |
| Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information. | ||||
| CVE-2025-21264 | 2025-05-15 | 7.1 High | ||
| Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2025-2651 | 1 Oretnom23 | 1 Online Eyewear Shop | 2025-05-14 | 5.3 Medium |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected. | ||||
| CVE-2022-42234 | 1 Ucms Project | 1 Ucms | 2025-05-14 | 8.8 High |
| There is a file inclusion vulnerability in the template management module in UCMS 1.6 | ||||
| CVE-2025-21609 | 1 B3log | 1 Siyuan | 2025-05-14 | 9.1 Critical |
| SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19. | ||||
| CVE-2024-45627 | 1 Apache | 1 Linkis | 2025-05-13 | 5.9 Medium |
| In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected. We recommend users upgrade the version of Linkis to version 1.7.0. | ||||
| CVE-2025-2038 | 1 Code-projects | 1 Blood Bank Management System | 2025-05-13 | 7.3 High |
| A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-2834 | 1 Helpful Project | 1 Helpful | 2025-05-13 | 5.3 Medium |
| The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedbacks in a publicly accessible location and guessable names, which could allow attackers to download them and retrieve sensitive information such as IP, Names and Email Address depending on the plugin's settings | ||||
| CVE-2024-57452 | 1 1000mz | 1 Chestnutcms | 2025-05-13 | 7.5 High |
| ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder. | ||||
| CVE-2024-4981 | 2025-05-13 | 7.6 High | ||
| A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo. | ||||
| CVE-2025-32819 | 2025-05-13 | 8.8 High | ||
| A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. | ||||
| CVE-2024-21403 | 1 Microsoft | 1 Azure Kubernetes Service | 2025-05-09 | 9 Critical |
| Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | ||||
| CVE-2024-4098 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | 9.8 Critical |
| The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2022-43414 | 1 Jenkins | 1 Nunit | 2025-05-08 | 5.3 Medium |
| Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. | ||||
| CVE-2022-23738 | 1 Github | 1 Enterprise Server | 2025-05-06 | 5.7 Medium |
| An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator visit a specially crafted URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2025-05-05 | 7.5 High |
| Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system. | ||||
| CVE-2021-39316 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-05-05 | 7.5 High |
| The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter. | ||||
| CVE-2022-41710 | 1 Markdownify Project | 1 Markdownify | 2025-05-05 | 5.5 Medium |
| Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them. | ||||
| CVE-2022-43449 | 1 Openharmony | 1 Openharmony | 2025-05-02 | 6.2 Medium |
| OpenHarmony-v3.1.2 and prior versions had an Arbitrary file read vulnerability via download_server. Local attackers can install an malicious application on the device and reveal any file from the filesystem that is accessible to download_server service which run with UID 1000. | ||||
| CVE-2022-45129 | 1 Payara | 1 Payara | 2025-05-01 | 7.5 High |
| Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0. | ||||