Total
337 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47051 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2025-10-16 | 9.1 Critical |
| This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts. * Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system. | ||||
| CVE-2024-40588 | 1 Fortinet | 6 Forticamera, Forticamera Firmware, Fortimail and 3 more | 2025-10-16 | 4.2 Medium |
| Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiMail version 7.6.0 through 7.6.1 and before 7.4.3, FortiVoice version 7.0.0 through 7.0.5 and before 7.4.9, FortiRecorder version 7.2.0 through 7.2.1 and before 7.0.4, FortiCamera & FortiNDR version 7.6.0 and before 7.4.6 may allow a privileged attacker to read files from the underlying filesystem via crafted CLI requests. | ||||
| CVE-2024-8551 | 1 Modelscope | 1 Agentscope | 2025-10-15 | 9.1 Critical |
| A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope versions prior to the fix. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially leading to the exposure or modification of sensitive information such as configuration files, API keys, and hardcoded passwords. | ||||
| CVE-2025-46002 | 1 Simogeo | 1 Filemanager | 2025-10-14 | 6.5 Medium |
| An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint. | ||||
| CVE-2025-62187 | 3 Ankitects, Linux, Microsoft | 3 Anki, Linux, Windows | 2025-10-10 | 2.9 Low |
| In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder). | ||||
| CVE-2025-55115 | 1 Bmc | 2 Control-m/agent, Control-m\/agent | 2025-10-10 | 8.8 High |
| A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above. | ||||
| CVE-2025-10249 | 2 Revolution Slider, Wordpress | 2 Slider Revolution, Wordpress | 2025-10-10 | 6.5 Medium |
| The Slider Revolution plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions in all versions up to, and including, 6.7.37. This makes it possible for authenticated attackers, with Contributor-level access and above, to install and activate plugin add-ons, create sliders, and download arbitrary files. | ||||
| CVE-2023-5189 | 1 Redhat | 7 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 4 more | 2025-10-09 | 6.3 Medium |
| A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten. | ||||
| CVE-2025-51052 | 2 Vedo, Vedo Suite Project | 2 Vedo Suite, Vedo Suite | 2025-10-09 | 6.5 Medium |
| A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'. | ||||
| CVE-2025-59835 | 1 Langbot | 1 Langbot | 2025-10-06 | N/A |
| LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5. | ||||
| CVE-2025-43016 | 1 Jetbrains | 1 Rider | 2025-10-01 | 5.4 Medium |
| In JetBrains Rider before 2025.1.2 custom archive unpacker allowed arbitrary file overwrite during remote debug session | ||||
| CVE-2025-9570 | 2 Sun.net, Sunnet | 2 Ehrd Ctms, Ehrd Ctms | 2025-09-25 | 4.9 Medium |
| The eHRD CTMS developed by Sunnet has an Arbitrary File Reading vulnerability, allowing remote attackers with administrator privileges to exploit Relative Path Traversal to download arbitrary system files. | ||||
| CVE-2025-60020 | 1 Nncp | 1 Nncp | 2025-09-25 | 6.4 Medium |
| nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data. | ||||
| CVE-2025-23360 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2025-09-23 | 7.1 High |
| NVIDIA Nemo Framework contains a vulnerability where a user could cause a relative path traversal issue by arbitrary file write. A successful exploit of this vulnerability may lead to code execution and data tampering. | ||||
| CVE-2025-59456 | 1 Jetbrains | 1 Teamcity | 2025-09-22 | 5.5 Medium |
| In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload | ||||
| CVE-2025-32017 | 1 Umbraco | 1 Umbraco Cms | 2025-09-22 | 8.8 High |
| Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. | ||||
| CVE-2025-23011 | 1 Fedorarepository | 1 Fcrepo | 2025-09-19 | 8.8 High |
| Fedora Repository 3.8.1 allows path traversal when extracting uploaded archives ("Zip Slip"). A remote, authenticated attacker can upload a specially crafted archive that will extract an arbitrary JSP file to a location that can be executed by an unauthenticated GET request. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23). | ||||
| CVE-2025-58760 | 1 Tautulli | 1 Tautulli | 2025-09-18 | 8.6 High |
| Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the `/image` API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue. | ||||
| CVE-2025-59341 | 1 Esm-dev | 1 Esmsh | 2025-09-18 | N/A |
| esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources). | ||||
| CVE-2025-58752 | 1 Vitejs | 1 Vite | 2025-09-17 | 5.3 Medium |
| Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue. | ||||