Total
401 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11965 | 2025-10-22 | N/A | N/A | ||
| In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config'). | |||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2025-10-22 | 5.0 MEDIUM | 7.5 HIGH |
| A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. | |||||
| CVE-2017-16651 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-10-22 | 4.6 MEDIUM | 7.8 HIGH |
| Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. | |||||
| CVE-2016-3715 | 6 Canonical, Imagemagick, Opensuse and 3 more | 30 Ubuntu Linux, Imagemagick, Leap and 27 more | 2025-10-22 | 5.8 MEDIUM | 5.5 MEDIUM |
| The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. | |||||
| CVE-2025-48928 | 1 Smarsh | 1 Telemessage | 2025-10-21 | N/A | 4.0 MEDIUM |
| The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025. | |||||
| CVE-2025-31996 | 1 Hcltech | 1 Unica | 2025-10-21 | N/A | 5.3 MEDIUM |
| HCL Unica Platform is affected by unprotected files due to improper access controls. These files may contain sensitive information such as private or system information that can be exploited by attackers to compromise the application, infrastructure, or users. | |||||
| CVE-2025-11371 | 2025-10-14 | N/A | 6.2 MEDIUM | ||
| In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560 | |||||
| CVE-2025-59976 | 2025-10-14 | N/A | 6.5 MEDIUM | ||
| An arbitrary file download vulnerability in the web interface of Juniper Networks Junos Space allows a network-based authenticated attacker using a crafted GET method to access any file on the file system. Using specially crafted GET methods, an attacker can gain access to files beyond the file path normally allowed by the JBoss daemon. These files could contain sensitive information restricted from access by low-privileged users.This issue affects all versions of Junos Space before 24.1R3. | |||||
| CVE-2024-0949 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | |||||
| CVE-2025-61734 | 1 Apache | 1 Kylin | 2025-10-03 | N/A | 7.5 HIGH |
| Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue. | |||||
| CVE-2024-47518 | 1 Arista | 1 Ng Firewall | 2025-09-29 | N/A | 6.4 MEDIUM |
| Specially constructed queries targeting ETM could discover active remote access sessions | |||||
| CVE-2025-51818 | 1 Chshcms | 1 Mccms | 2025-09-24 | N/A | 5.4 MEDIUM |
| MCCMS 2.7.0 is vulnerable to Arbitrary file deletion in the Backups.php component. This allows an attacker to execute arbitrary commands | |||||
| CVE-2025-25266 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2025-09-23 | N/A | 6.8 MEDIUM |
| A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict access to the file deletion functionality. This could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files. | |||||
| CVE-2025-25267 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2025-09-23 | N/A | 6.2 MEDIUM |
| A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict the scope of files accessible to the simulation model. This could allow an unauthorized attacker to compromise the confidentiality of the system. | |||||
| CVE-2024-49359 | 1 Zimaspace | 1 Zimaos | 2025-09-22 | N/A | 7.5 HIGH |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as `/etc`, potentially exposing critical configuration files and increasing the risk of further attacks. As of time of publication, no known patched versions are available. | |||||
| CVE-2024-48864 | 1 Qnap | 1 File Station | 2025-09-19 | N/A | 9.1 CRITICAL |
| A files or directories accessible to external parties vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers to read/write files or directories. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4741 and later | |||||
| CVE-2025-58753 | 1 9001 | 1 Copyparty | 2025-09-18 | N/A | 7.5 HIGH |
| Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares feature (the `shr` global-option). When a share was created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys. Version 1.19.8 fixes the issue. | |||||
| CVE-2024-54099 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | N/A | 6.7 MEDIUM |
| File replacement vulnerability on some devices Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | |||||
| CVE-2025-37130 | 2025-09-17 | N/A | 6.5 MEDIUM | ||
| A vulnerability in the command-line interface of EdgeConnect SD-WAN could allow an authenticated attacker to read arbitrary files within the system. Successful exploitation could allow an attacker to read sensitive data from the underlying file system. | |||||
| CVE-2025-53536 | 1 Roocode | 1 Roo Code | 2025-09-15 | N/A | 8.1 HIGH |
| Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6. | |||||