Total
7108 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-44280 | 1 Automotive Shop Management System Project | 1 Automotive Shop Management System | 2025-04-25 | N/A | 6.5 MEDIUM |
Automotive Shop Management System v1.0 is vulnerable to arbitrary file deletion via /asms/classes/Master.php?f=delete_img. | |||||
CVE-2022-45866 | 2 Fedoraproject, Qpress Project | 2 Fedora, Qpress | 2025-04-25 | N/A | 5.3 MEDIUM |
qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file. | |||||
CVE-2023-49960 | 1 Indu-sol | 2 Profinet-inspektor Nt, Profinet-inspektor Nt Firmware | 2025-04-25 | N/A | 7.5 HIGH |
In Indu-Sol PROFINET-INspektor NT through 2.4.0, a path traversal vulnerability in the httpuploadd service of the firmware allows remote attackers to write to arbitrary files via a crafted filename parameter in requests to the /upload endpoint. | |||||
CVE-2025-28354 | | | 2025-04-25 | N/A | 6.5 MEDIUM |
An issue in the Printer Manager System of Entrust Corp Printer Manager D3.18.4-3 and below allows attackers to execute a directory traversal via a crafted POST request. | |||||
CVE-2025-29213 | 1 Jeewms | 1 Jeewms | 2025-04-25 | N/A | 5.5 MEDIUM |
A zip slip vulnerability in the component \service\migrate\MigrateForm.java of JEEWMS v3.7 allows attackers to execute arbitrary code via a crafted Zip file. | |||||
CVE-2022-44635 | 1 Apache | 1 Fineract | 2025-04-25 | N/A | 8.8 HIGH |
Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend that users upgrade to 1.8.1. | |||||
CVE-2024-0406 | 2 Mholt, Redhat | 3 Archiver, Advanced Cluster Security, Openshift Container Platform | 2025-04-25 | N/A | 6.1 MEDIUM |
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library. | |||||
CVE-2025-1565 | | | 2025-04-25 | N/A | 7.5 HIGH |
The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
CVE-2023-39810 | 1 Busybox | 1 Busybox | 2025-04-24 | N/A | 7.8 HIGH |
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. | |||||
CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2025-04-24 | N/A | 5.4 MEDIUM |
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack. | |||||
CVE-2022-25848 | 1 Static-dev-server Project | 1 Static-dev-server | 2025-04-24 | N/A | 7.5 HIGH |
This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. | |||||
CVE-2024-37547 | 1 Livemesh | 1 Elementor Addons | 2025-04-24 | N/A | 6.5 MEDIUM |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Livemesh Livemesh Addons for Elementor. This issue affects Livemesh Addons for Elementor: from n/a through 8.4.0. | |||||
CVE-2025-43919 | 1 Gnu | 1 Mailman | 2025-04-24 | N/A | 5.8 MEDIUM |
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter. | |||||
CVE-2023-6294 | 1 Sygnoos | 1 Popup Builder | 2025-04-24 | N/A | 7.2 HIGH |
The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attacks in Multisite WordPress configurations. | |||||
CVE-2025-43928 | 1 Infodraw | 2 Pmrs-102, Pmrs-102 Firmware | 2025-04-24 | N/A | 5.8 MEDIUM |
In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing. | |||||
CVE-2022-44532 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | N/A | 4.9 MEDIUM |
An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below. | |||||
CVE-2022-43518 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | N/A | 4.9 MEDIUM |
An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below. | |||||
CVE-2022-42706 | 1 Sangoma | 2 Asterisk, Certified Asterisk | 2025-04-24 | N/A | 4.9 MEDIUM |
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. | |||||
CVE-2024-7263 | 2 Kingsoft, Microsoft | 2 Wps Office, Windows | 2025-04-24 | N/A | 7.8 HIGH |
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library. | |||||
CVE-2023-26687 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | N/A | 8.8 HIGH |
Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to obtain sensitive information via the product_data parameter in the PDF Add-on. |