Total
7723 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1770 | 1 Themewinter | 1 Eventin | 2025-07-08 | N/A | 8.8 HIGH |
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2025-6278 | 1 Upsonic | 1 Upsonic | 2025-07-08 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-49303 | 2025-07-08 | N/A | 6.8 MEDIUM | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Path Traversal. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.7. | |||||
| CVE-2025-28980 | 2025-07-08 | N/A | 7.7 HIGH | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in machouinard Aviation Weather from NOAA allows Path Traversal. This issue affects Aviation Weather from NOAA: from n/a through 0.7.2. | |||||
| CVE-2025-7108 | 2025-07-08 | 5.5 MEDIUM | 5.4 MEDIUM | ||
| A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. Affected by this vulnerability is the function deleteFile of the file /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. The manipulation of the argument fullPath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-42970 | 2025-07-08 | N/A | 5.8 MEDIUM | ||
| SAPCAR improperly sanitizes the file paths while extracting SAPCAR archives. Due to this, an attacker could craft a malicious SAPCAR archive containing directory traversal sequences. When a high privileged victim extracts this malicious archive, it is then processed by SAPCAR on their system, causing files to be extracted outside the intended directory and overwriting files in arbitrary locations. This vulnerability has a high impact on the integrity and availability of the application with no impact on confidentiality. | |||||
| CVE-2025-1785 | 1 W3eden | 1 Download Manager | 2025-07-08 | N/A | 5.4 MEDIUM |
| The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service. | |||||
| CVE-2024-40348 | 1 Bazarr | 1 Bazarr | 2025-07-08 | N/A | 8.2 HIGH |
| An issue in the component /api/swaggerui/static of Bazaar v1.4.3 allows unauthenticated attackers to execute a directory traversal. | |||||
| CVE-2025-40592 | 2025-07-08 | N/A | 6.1 MEDIUM | ||
| A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions < V11.0.0), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation. | |||||
| CVE-2025-40573 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-07-08 | N/A | 4.4 MEDIUM |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). Affected devices are vulnerable to path traversal attacks. This could allow a privileged local attacker to restore backups that are outside the backup folder. | |||||
| CVE-2012-5972 | 1 Specview | 1 Specview | 2025-07-07 | 2.6 LOW | N/A |
| Directory traversal vulnerability in the web server in SpecView 2.5 build 853 and earlier allows remote attackers to read arbitrary files via a ... (dot dot dot) in a URI. | |||||
| CVE-2019-0887 | 1 Microsoft | 10 Remote Desktop Client, Windows 10, Windows 11 21h2 and 7 more | 2025-07-07 | 8.5 HIGH | 8.0 HIGH |
| A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. | |||||
| CVE-2024-54169 | 3 Ibm, Linux, Microsoft | 3 Entirex, Linux Kernel, Windows | 2025-07-07 | N/A | 6.5 MEDIUM |
| IBM EntireX 11.1 could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | |||||
| CVE-2025-6379 | 1 Beeteam368 | 1 Vidmov | 2025-07-07 | N/A | 8.8 HIGH |
| The BeeTeam368 Extensions Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_live_fn() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover. | |||||
| CVE-2025-6755 | 1 Gameusers | 1 Game Users Share Button | 2025-07-07 | N/A | 8.8 HIGH |
| The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution. | |||||
| CVE-2025-4748 | 2025-07-04 | N/A | N/A | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4. | |||||
| CVE-2025-0332 | 1 Progress | 1 Telerik Ui For Winforms | 2025-07-03 | N/A | 7.8 HIGH |
| In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory. | |||||
| CVE-2025-34058 | 2025-07-03 | N/A | N/A | ||
| Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpoint via directory traversal in the fileName parameter. This exploit chain can enable unauthorized access to sensitive system files. | |||||
| CVE-2025-27022 | 2025-07-03 | N/A | 7.5 HIGH | ||
| A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack or insufficient validation of user-supplied input allows authenticated users to access all files on the target machine file system that are readable to the user account used to run the httpd service. | |||||
| CVE-2025-24329 | 2025-07-03 | N/A | 6.4 MEDIUM | ||
| Sending a crafted SOAP "provision" operation message archive field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM service software utilizes libarchive APIs with security options enabled, effectively mitigating the reported path traversal issue. | |||||