Total
6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20023 | 1 Sonicwall | 2 Email Security, Hosted Email Security | 2025-03-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host. | |||||
| CVE-2024-31947 | 1 Stonefly | 1 Storage Concentrator | 2025-03-14 | N/A | 6.5 MEDIUM |
| StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows Directory Traversal by authenticated users. Using a crafted path parameter with the Online Help facility can expose sensitive system information. | |||||
| CVE-2024-21677 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2025-03-13 | N/A | 8.8 HIGH |
| This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was reported via our Bug Bounty program. | |||||
| CVE-2018-20250 | 1 Rarlab | 1 Winrar | 2025-03-13 | 6.8 MEDIUM | 7.8 HIGH |
| In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. | |||||
| CVE-2021-38163 | 1 Sap | 1 Netweaver | 2025-03-13 | 9.0 HIGH | 8.8 HIGH |
| SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable. | |||||
| CVE-2024-9939 | 1 Iptanus | 1 Wordpress File Upload | 2025-03-13 | N/A | 7.5 HIGH |
| The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.13 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read files outside of the originally intended directory. | |||||
| CVE-2023-52544 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | N/A |
| Vulnerability of file path verification being bypassed in the email module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2022-37042 | 1 Zimbra | 1 Collaboration | 2025-03-13 | N/A | 9.8 CRITICAL |
| Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. | |||||
| CVE-2022-30333 | 4 Debian, Linux, Opengroup and 1 more | 4 Debian Linux, Linux Kernel, Unix and 1 more | 2025-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected. | |||||
| CVE-2024-35428 | 1 Zkteco | 1 Zkbio Cvsecurity | 2025-03-13 | N/A | 7.1 HIGH |
| ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS. | |||||
| CVE-2020-36836 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-03-13 | N/A | 8.1 HIGH |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server. | |||||
| CVE-2025-1322 | 1 Plechevandrey | 1 Wp-recall | 2025-03-13 | N/A | 4.3 MEDIUM |
| The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2021-20124 | 1 Draytek | 1 Vigorconnect | 2025-03-12 | 7.8 HIGH | 7.5 HIGH |
| A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. | |||||
| CVE-2021-20123 | 1 Draytek | 1 Vigorconnect | 2025-03-12 | 7.8 HIGH | 7.5 HIGH |
| A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. | |||||
| CVE-2018-2380 | 1 Sap | 1 Customer Relationship Management | 2025-03-12 | 6.5 MEDIUM | 6.6 MEDIUM |
| SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. | |||||
| CVE-2024-52396 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2025-03-12 | N/A | 8.8 HIGH |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in realmag777 WOLF allows Path Traversal.This issue affects WOLF: from n/a through 1.0.8.3. | |||||
| CVE-2023-50233 | 1 Inductiveautomation | 1 Ignition | 2025-03-12 | N/A | 8.8 HIGH |
| Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the getJavaExecutable method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22029. | |||||
| CVE-2025-2215 | 2025-03-12 | N/A | 4.7 MEDIUM | ||
| A vulnerability classified as critical was found in Doufox up to 0.2.0. Affected by this vulnerability is an unknown functionality of the file /?s=doudou&c=file&a=list. The manipulation of the argument dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-48362 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-03-11 | N/A | 8.8 HIGH |
| Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) | |||||
| CVE-2024-52363 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-03-11 | N/A | 7.5 HIGH |
| IBM InfoSphere Information Server 11.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | |||||