Total
7800 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41277 | 1 Metabase | 1 Metabase | 2025-10-24 | 10 Critical |
| Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application. | ||||
| CVE-2023-32315 | 1 Igniterealtime | 1 Openfire | 2025-10-24 | 8.6 High |
| Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice. | ||||
| CVE-2024-8963 | 1 Ivanti | 1 Endpoint Manager Cloud Services Appliance | 2025-10-24 | 9.4 Critical |
| Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality. | ||||
| CVE-2019-3396 | 1 Atlassian | 1 Confluence Server | 2025-10-24 | 9.8 Critical |
| The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | ||||
| CVE-2019-3398 | 1 Atlassian | 1 Confluence Server | 2025-10-24 | 8.8 High |
| Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability. | ||||
| CVE-2021-26086 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2025-10-24 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1. | ||||
| CVE-2022-41328 | 1 Fortinet | 1 Fortios | 2025-10-24 | 6.5 Medium |
| A improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands. | ||||
| CVE-2018-13379 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-10-24 | 9.1 Critical |
| An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. | ||||
| CVE-2025-4517 | 2 Python, Redhat | 7 Cpython, Enterprise Linux, Rhel Aus and 4 more | 2025-10-24 | 9.4 Critical |
| Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. | ||||
| CVE-2024-57777 | 1 Lanproxy Project | 1 Lanproxy | 2025-10-23 | 5.1 Medium |
| Directory Traversal vulnerability in Ianproxy v.0.1 and before allows a remote attacker to obtain sensitive information | ||||
| CVE-2025-60217 | 1 Wordpress | 1 Wordpress | 2025-10-23 | 7.7 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal.This issue affects PT Luxa Addons: from n/a through <= 1.2.2. | ||||
| CVE-2025-6866 | 1 Fabian | 1 Simple Forum | 2025-10-23 | 4.3 Medium |
| A vulnerability has been found in code-projects Simple Forum 1.0 and classified as critical. This vulnerability affects unknown code of the file /forum_downloadfile.php. The manipulation of the argument filename leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-34517 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-10-23 | 7.5 High |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an absolute path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2025-34518 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-10-23 | 7.5 High |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a relative path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2025-60227 | 2 Thimpress, Wordpress | 2 Wp Pipes, Wordpress | 2025-10-23 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3. | ||||
| CVE-2025-58959 | 1 Wordpress | 1 Wordpress | 2025-10-23 | 7.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal.This issue affects Taskbot: from n/a through <= 6.4. | ||||
| CVE-2024-32113 | 1 Apache | 1 Ofbiz | 2025-10-23 | 9.1 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. | ||||
| CVE-2023-39912 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2025-10-23 | 4.9 Medium |
| Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed. | ||||
| CVE-2025-21048 | 1 Samsung | 2 Android, Mobile Devices | 2025-10-23 | 6.7 Medium |
| Relative path traversal in Knox Enterprise prior to SMR Oct-2025 Release 1 allows local attackers to execute arbitrary code. | ||||
| CVE-2025-22167 | 1 Atlassian | 3 Jira, Jira Server, Jira Software Data Center | 2025-10-23 | N/A |
| This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process. Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Software Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.28 Jira Software Data Center and Server 10.3: Upgrade to a release greater than or equal to 10.3.12 Jira Software Data Center and Server 11.0: Upgrade to a release greater than or equal to 11.1.0 See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center. This vulnerability was reported via our Atlassian (Internal) program. | ||||