Total
337 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48817 | 1 Microsoft | 17 Remote Desktop Client, Windows 10 1507, Windows 10 1607 and 14 more | 2025-08-23 | 8.8 High |
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-8464 | 2025-08-18 | 5.3 Medium | ||
| The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder. | ||||
| CVE-2024-48892 | 1 Fortinet | 1 Fortisoar | 2025-08-14 | 6.4 Medium |
| A relative path traversal vulnerability [CWE-23] in FortiSOAR 7.6.0, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack. | ||||
| CVE-2025-55013 | 1 Assemblyline Project | 1 Assemblyline | 2025-08-12 | 4.2 Medium |
| The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138. | ||||
| CVE-2025-47445 | 1 Themewinter | 1 Eventin | 2025-08-12 | 7.5 High |
| Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26. | ||||
| CVE-2025-53082 | 1 Samsung | 2 Data Management Server, Data Management Server Firmware | 2025-08-11 | 6.1 Medium |
| An 'Arbitrary File Deletion' in Samsung DMS(Data Management Server) allows attackers to delete arbitrary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses. | ||||
| CVE-2024-20310 | 1 Cisco | 1 Unified Communications Manager Im And Presence Service | 2025-08-01 | 6.1 Medium |
| A vulnerability in the web-based interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | ||||
| CVE-2025-54531 | 1 Jetbrains | 1 Teamcity | 2025-07-31 | 7.7 High |
| In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows | ||||
| CVE-2025-54317 | 1 Logpoint | 1 Logpoint | 2025-07-30 | 8.4 High |
| An issue was discovered in Logpoint before 7.6.0. An attacker with operator privileges can exploit a path traversal vulnerability when creating a Layout Template, which can lead to remote code execution (RCE). | ||||
| CVE-2024-54461 | 1 Flutter | 1 File Selector Android | 2025-07-30 | 7.1 High |
| The file names constructed within file_selector are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select a document file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vulnerability. | ||||
| CVE-2024-54462 | 1 Flutter | 1 Image Picker Android | 2025-07-30 | 7.1 High |
| The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnerability. | ||||
| CVE-2024-6483 | 1 Aimstack | 1 Aim | 2025-07-23 | N/A |
| A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss. | ||||
| CVE-2025-22859 | 1 Fortinet | 2 Forticlientems, Forticlientems Cloud | 2025-07-16 | 5 Medium |
| A Relative Path Traversal vulnerability [CWE-23] in FortiClientEMS 7.4.0 through 7.4.1 and FortiClientEMS Cloud 7.4.0 through 7.4.1 may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upload requests. | ||||
| CVE-2023-40714 | 1 Fortinet | 1 Fortisiem | 2025-07-15 | 9.7 Critical |
| A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements | ||||
| CVE-2024-6583 | 1 Quivr | 1 Quivr | 2025-07-15 | N/A |
| A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request. | ||||
| CVE-2024-5547 | 1 Stitionai | 1 Devika | 2025-07-15 | N/A |
| A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'project_name' parameter in the download_project_pdf function. Attackers can exploit this flaw by manipulating the 'project_name' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory. | ||||
| CVE-2025-7619 | 1 Wellchoose | 1 Batchsigncs | 2025-07-15 | 8.8 High |
| BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution. | ||||
| CVE-2024-12019 | 1 Logicaldoc | 1 Logicaldoc | 2025-07-15 | N/A |
| The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application. | ||||
| CVE-2024-10513 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-14 | N/A |
| A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss. | ||||
| CVE-2025-7146 | 1 Jhenggao | 1 Ipublish System | 2025-07-13 | 7.5 High |
| The iPublish System developed by Jhenggao has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to read arbitrary system file. | ||||