Total
6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-2039 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors. | |||||
| CVE-2014-4929 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 6.8 MEDIUM | N/A |
| Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php. | |||||
| CVE-2024-30417 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-29 | N/A | 7.5 HIGH |
| Path traversal vulnerability in the Bluetooth-based sharing module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2019-25053 | 1 Sage | 1 Sage Frp 1000 | 2025-03-28 | N/A | 7.5 HIGH |
| A path traversal vulnerability exists in Sage FRP 1000 before November 2019. This allows remote unauthenticated attackers to access files outside of the web tree via a crafted URL. | |||||
| CVE-2022-39812 | 1 Italtel | 1 Netmatch-s Ci | 2025-03-28 | N/A | 7.5 HIGH |
| Italtel NetMatch-S CI 5.2.0-20211008 allows Absolute Path Traversal under NMSCI-WebGui/SaveFileUploader. An unauthenticated user can upload files to an arbitrary path. An attacker can change the uploadDir parameter in a POST request (not possible using the GUI) to an arbitrary directory. Because the application does not check in which directory a file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server. | |||||
| CVE-2024-21891 | 1 Nodejs | 1 Node.js | 2025-03-28 | N/A | 8.8 HIGH |
| Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2024-54291 | 2025-03-28 | N/A | N/A | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound PluginPass allows Manipulating Web Input to File System Calls. This issue affects PluginPass: from n/a through 0.9.10. | |||||
| CVE-2025-2294 | 2025-03-28 | N/A | 9.8 CRITICAL | ||
| The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2025-27726 | 2025-03-28 | N/A | N/A | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file download process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered by a crafted HTTP request to specific functions of the product from a device connected to the LAN side. | |||||
| CVE-2025-27718 | 2025-03-28 | N/A | N/A | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered or arbitrary code may be executed by a crafted HTTP request to specific functions of the product from a device connected to the LAN side. | |||||
| CVE-2025-27932 | 2025-03-28 | N/A | N/A | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an attacker may delete a file on the device or cause a denial of service (DoS) condition. | |||||
| CVE-2025-27716 | 2025-03-28 | N/A | N/A | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file/folder listing process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered by a crafted HTTP request to specific functions of the product from a device connected to the LAN side. | |||||
| CVE-2022-25936 | 1 Servst Project | 1 Servst | 2025-03-27 | N/A | 7.5 HIGH |
| Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable. | |||||
| CVE-2022-45783 | 1 Dotcms | 1 Dotcms | 2025-03-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution. | |||||
| CVE-2024-13920 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2025-03-27 | N/A | 4.9 MEDIUM |
| The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information. | |||||
| CVE-2023-23136 | 1 Lmxcms | 1 Lmxcms | 2025-03-27 | N/A | 6.5 MEDIUM |
| lmxcms v1.41 was discovered to contain an arbitrary file deletion vulnerability via BackdbAction.class.php. | |||||
| CVE-2023-0454 | 1 Orangescrum | 1 Orangescrum | 2025-03-27 | N/A | 8.1 HIGH |
| OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path. | |||||
| CVE-2023-49508 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2025-03-27 | N/A | 6.5 MEDIUM |
| Directory Traversal vulnerability in YetiForceCompany YetiForceCRM versions 6.4.0 and before allows a remote authenticated attacker to obtain sensitive information via the license parameter in the LibraryLicense.php component. | |||||
| CVE-2022-47768 | 1 Serinf | 1 Fast Checkin | 2025-03-27 | N/A | 7.5 HIGH |
| Serenissima Informatica Fast Checkin 1.0 is vulnerable to Directory Traversal. | |||||
| CVE-2025-30343 | 1 Openslides | 1 Openslides | 2025-03-27 | N/A | 6.5 MEDIUM |
| A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive that contains all files in a folder and its subfolders. If an attacker specifies the title of a file or folder as a relative or absolute path (e.g., ../../../etc/passwd), the ZIP archive generated for download converts that title into a path. Depending on the extraction tool used by the user, this might overwrite files locally outside of the chosen directory. | |||||