Total
7816 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40443 | 1 Zzcms | 1 Zzcms | 2025-05-27 | 5.3 Medium |
| An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php. | ||||
| CVE-2023-28465 | 1 Hapifhir | 1 Hl7 Fhir Core | 2025-05-27 | 7.5 High |
| The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057. | ||||
| CVE-2022-34026 | 1 Icecoder | 1 Icecoder | 2025-05-27 | 7.5 High |
| ICEcoder v8.1 allows attackers to execute a directory traversal. | ||||
| CVE-2025-4720 | 1 Munyweki | 1 Student Result Management System | 2025-05-27 | 5.4 Medium |
| A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file academic/core/drop_student.php. The manipulation of the argument img leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-45316 | 1 Mattermost | 1 Mattermost Server | 2025-05-24 | 7.3 High |
| Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | ||||
| CVE-2025-0493 | 1 Multivendorx | 1 Multivendorx | 2025-05-23 | 9.8 Critical |
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included | ||||
| CVE-2024-53582 | 1 Openpanel | 1 Openpanel | 2025-05-23 | 7.5 High |
| An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request. | ||||
| CVE-2025-47492 | 2025-05-23 | 8.6 High | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.4.3. | ||||
| CVE-2025-46486 | 2025-05-23 | 4.9 Medium | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in totalprocessing Nomupay Payment Processing Gateway allows Path Traversal. This issue affects Nomupay Payment Processing Gateway: from n/a through 7.1.7. | ||||
| CVE-2025-46527 | 2025-05-23 | 6.5 Medium | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LikeCoin Web3Press allows Path Traversal. This issue affects Web3Press: from n/a through 3.2.0. | ||||
| CVE-2024-55415 | 1 Thecontrolgroup | 1 Voyager | 2025-05-23 | 5.7 Medium |
| DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass. | ||||
| CVE-2024-23721 | 1 Draytek | 2 Vigor3910, Vigor3910 Firmware | 2025-05-23 | 7.5 High |
| A Directory Traversal issue was discovered in process_post on Draytek Vigor3910 4.3.2.5 devices. When sending a certain POST request, it calls the function and exports information. | ||||
| CVE-2018-5448 | 1 Medtronic | 2 2090 Carelink Programmer, 2090 Carelink Programmer Firmware | 2025-05-22 | 4.8 Medium |
| Medtronic 2090 CareLink Programmer’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system. | ||||
| CVE-2024-2434 | 1 Gitlab | 1 Gitlab | 2025-05-22 | 8.5 High |
| An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. | ||||
| CVE-2023-3385 | 1 Gitlab | 1 Gitlab | 2025-05-22 | 6.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html). | ||||
| CVE-2025-3223 | 2025-05-21 | 5.9 Medium | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in GE Vernova WorkstationST on Windows (EGD Configuration Server modules) allows Path Traversal.This issue affects WorkstationST: WorkstationST V07.10.10C and earlier. | ||||
| CVE-2025-5029 | 2025-05-21 | 5.4 Medium | ||
| A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-4524 | 2025-05-21 | 9.8 Critical | ||
| The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2025-48017 | 2025-05-21 | 9 Critical | ||
| Improper limitation of pathname in Circuit Provisioning and File Import applications allows modification and uploading of files | ||||
| CVE-2025-4898 | 1 Munyweki | 1 Student Result Management System | 2025-05-21 | 5.4 Medium |
| A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as critical. This vulnerability affects the function unlink of the file update_system.php of the component Logo File Handler. The manipulation of the argument old_logo leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||