Total
269 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6483 | 2025-03-20 | N/A | 5.3 MEDIUM | ||
| A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss. | |||||
| CVE-2024-10513 | 2025-03-20 | N/A | 7.2 HIGH | ||
| A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss. | |||||
| CVE-2024-10019 | 2025-03-20 | N/A | 6.3 MEDIUM | ||
| A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability. | |||||
| CVE-2024-32115 | 1 Fortinet | 1 Fortimanager | 2025-03-19 | N/A | 5.5 MEDIUM |
| A relative path traversal vulnerability [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests. | |||||
| CVE-2024-8510 | 2025-03-17 | N/A | 5.3 MEDIUM | ||
| N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Customer data is not exposed. This vulnerability is present in all deployments of N-central prior to N-central 2024.6. | |||||
| CVE-2024-54449 | 2025-03-14 | N/A | N/A | ||
| The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. | |||||
| CVE-2024-12019 | 2025-03-14 | N/A | N/A | ||
| The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application. | |||||
| CVE-2025-2056 | 2025-03-14 | N/A | 7.5 HIGH | ||
| The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information. | |||||
| CVE-2025-23360 | 2025-03-11 | N/A | 7.1 HIGH | ||
| NVIDIA Nemo Framework contains a vulnerability where a user could cause a relative path traversal issue by arbitrary file write. A successful exploit of this vulnerability may lead to code execution and data tampering. | |||||
| CVE-2025-26645 | 2025-03-11 | N/A | 8.8 HIGH | ||
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-27610 | 2025-03-10 | N/A | 7.5 HIGH | ||
| Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue. | |||||
| CVE-2024-27770 | 1 Unitronics | 1 Unilogic | 2025-03-10 | N/A | 8.8 HIGH |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-23: Relative Path Traversal | |||||
| CVE-2025-23410 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
| When uploading organism or sequence data via the web interface, GMOD Apollo will unzip and inspect the files and will not check for path traversal in supported archive types. | |||||
| CVE-2023-30630 | 1 Nongnu | 1 Dmidecode | 2025-03-04 | N/A | 7.1 HIGH |
| Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly). | |||||
| CVE-2025-25130 | 2025-03-03 | N/A | 7.5 HIGH | ||
| Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1. | |||||
| CVE-2024-56340 | 2025-02-28 | N/A | 6.5 MEDIUM | ||
| IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter. | |||||
| CVE-2024-47051 | 2025-02-26 | N/A | 9.1 CRITICAL | ||
| This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts. * Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system. | |||||
| CVE-2024-13791 | 1 Bitapps | 1 Bit Assist | 2025-02-25 | N/A | 4.9 MEDIUM |
| Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the downloadResponseFile() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-0822 | 1 Bitapps | 1 Bit Assist | 2025-02-24 | N/A | 6.5 MEDIUM |
| Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-1599 | 2025-02-24 | 5.5 MEDIUM | 5.4 MEDIUM | ||
| A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/app/profile_crud.php. The manipulation of the argument old_cat_img leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||