Total
7723 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9047 | 1 Iptanus | 1 Wordpress File Upload | 2025-03-12 | N/A | 9.8 CRITICAL |
| The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier. | |||||
| CVE-2024-52396 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2025-03-12 | N/A | 4.9 MEDIUM |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in realmag777 WOLF allows Path Traversal.This issue affects WOLF: from n/a through 1.0.8.3. | |||||
| CVE-2025-27101 | 2025-03-12 | N/A | N/A | ||
| Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, when copying any parent directory to a folder in the /temp/ directory, all files in that parent directory are copied, including files which the user should not have access to. All users of the application are impacted, as this is exploitable by any user to reveal all files in the opal filesystem. This also means that low-privilege users such as DataShield users can retrieve the files of other users. Version 5.1.1 contains a patch for the issue. | |||||
| CVE-2023-50233 | 1 Inductiveautomation | 1 Ignition | 2025-03-12 | N/A | 8.8 HIGH |
| Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the getJavaExecutable method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22029. | |||||
| CVE-2023-51603 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 8.8 HIGH |
| Honeywell Saia PG5 Controls Suite CAB File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CAB files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-18592. | |||||
| CVE-2023-51599 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 8.8 HIGH |
| Honeywell Saia PG5 Controls Suite Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-18412. | |||||
| CVE-2025-2215 | 2025-03-12 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability classified as critical was found in Doufox up to 0.2.0. Affected by this vulnerability is an unknown functionality of the file /?s=doudou&c=file&a=list. The manipulation of the argument dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-48362 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-03-11 | N/A | 8.8 HIGH |
| Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) | |||||
| CVE-2024-52363 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-03-11 | N/A | 6.5 MEDIUM |
| IBM InfoSphere Information Server 11.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | |||||
| CVE-2025-1282 | 1 Thememakers | 1 Car Dealer Automotive | 2025-03-11 | N/A | 8.8 HIGH |
| The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files. | |||||
| CVE-2024-49780 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | N/A | 5.3 MEDIUM |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages could allow a remote attacker to traverse directories on the system. An attacker with privileges to perform Import Configuration could send a specially crafted http request containing "dot dot" sequences (/../) in the file name parameter used in Import Configuration to write files to arbitrary locations outside of the specified directory and possibly overwrite arbitrary files. | |||||
| CVE-2024-27770 | 1 Unitronics | 1 Unilogic | 2025-03-10 | N/A | 8.8 HIGH |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-23: Relative Path Traversal | |||||
| CVE-2024-27771 | 1 Unitronics | 1 Unilogic | 2025-03-10 | N/A | 8.8 HIGH |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-22: 'Path Traversal' may allow RCE | |||||
| CVE-2024-27768 | 1 Unitronics | 1 Unilogic | 2025-03-10 | N/A | 9.8 CRITICAL |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-22: 'Path Traversal' may allow RCE | |||||
| CVE-2023-26758 | 1 Smeup | 1 Erp | 2025-03-10 | N/A | 7.5 HIGH |
| Sme.UP TOKYO V6R1M220406 was discovered to contain an arbitrary file download vulnerabilty via the component /ResourceService. | |||||
| CVE-2023-22776 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2025-03-07 | N/A | 4.9 MEDIUM |
| An authenticated path traversal vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. | |||||
| CVE-2023-22774 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2025-03-07 | N/A | 7.2 HIGH |
| Authenticated path traversal vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files in the underlying operating system. | |||||
| CVE-2023-22773 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2025-03-07 | N/A | 7.2 HIGH |
| Authenticated path traversal vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files in the underlying operating system. | |||||
| CVE-2023-22772 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2025-03-07 | N/A | 6.5 MEDIUM |
| An authenticated path traversal vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to delete arbitrary files in the underlying operating system. | |||||
| CVE-2025-27519 | 2025-03-07 | N/A | N/A | ||
| Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. A path traversal issue exists at /v1/internal/upload-to-local-directory which is enabled when the Local env variable is set to true, such as when Cognita is setup using Docker. Because the docker environment sets up the backend uvicorn server with auto reload enabled, when an attacker overwrites the /app/backend/__init__.py file, the file will automatically be reloaded and executed. This allows an attacker to get remote code execution in the context of the Docker container. This vulnerability is fixed in commit a78bd065e05a1b30a53a3386cc02e08c317d2243. | |||||