Total
8207 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-66278 | 1 Qnap | 1 File Station | 2026-02-12 | N/A | 6.5 MEDIUM |
| A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |||||
| CVE-2026-22894 | 1 Qnap | 1 File Station | 2026-02-12 | N/A | 6.5 MEDIUM |
| A path traversal vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |||||
| CVE-2025-69874 | | | 2026-02-12 | N/A | 9.8 CRITICAL |
| nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequences. | |||||
| CVE-2020-37214 | | | 2026-02-12 | N/A | 7.5 HIGH |
| Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers to access sensitive system files by manipulating the asset path parameter. Attackers can exploit the path parameter in /admin/voyager-assets to read arbitrary files like /etc/passwd and .env configuration files. | |||||
| CVE-2025-58470 | 1 Qnap | 1 Qsync Central | 2026-02-12 | N/A | 6.5 MEDIUM |
| A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | |||||
| CVE-2025-68406 | 1 Qnap | 1 Qsync Central | 2026-02-12 | N/A | 6.5 MEDIUM |
| A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | |||||
| CVE-2025-3722 | 1 Trellix | 1 System Information Reporter | 2026-02-11 | N/A | 4.4 MEDIUM |
| A path traversal vulnerability in System Information Reporter (SIR) 1.0.3 and prior allowed an authenticated high privileged user to issue malicious ePO post requests to System Information Reporter, leading to creation of files anywhere on the filesystem, possibly overwriting existing files and disclosing sensitive information. | |||||
| CVE-2025-27022 | 1 Nokia | 2 G42, G42 Firmware | 2026-02-11 | N/A | 7.5 HIGH |
| A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack of or insufficient validation of user-supplied input allows authenticated users to access all files on the target machine file system that are readable to the user account used to run the httpd service. | |||||
| CVE-2025-63372 | 2 Articentgroup, Microsoft | 2 Zip Rar Extractor Tool, Windows | 2026-02-11 | N/A | 4.3 MEDIUM |
| Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | |||||
| CVE-2026-25499 | 1 Bpg | 1 Terraform Provider | 2026-02-11 | N/A | 7.5 HIGH |
| Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. | |||||
| CVE-2026-25539 | 1 B3log | 1 Siyuan | 2026-02-11 | N/A | 9.1 CRITICAL |
| SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5. | |||||
| CVE-2026-25575 | 1 Tum | 1 Navigatum | 2026-02-11 | N/A | 7.5 HIGH |
| NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7. | |||||
| CVE-2025-69620 | 1 Ntoolslab | 1 Office Reader | 2026-02-11 | N/A | 5.0 MEDIUM |
| A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | |||||
| CVE-2025-64075 | | | 2026-02-11 | N/A | 10.0 CRITICAL |
| A path traversal vulnerability in the check_token function of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to bypass authentication and perform administrative actions by supplying a crafted session cookie value. | |||||
| CVE-2026-25872 | | | 2026-02-11 | N/A | 5.3 MEDIUM |
| JUNG Smart Panel KNX firmware version L1.12.22 and prior contain an unauthenticated path traversal vulnerability in the embedded web interface. The application fails to properly validate file path input, allowing remote, unauthenticated attackers to access arbitrary files on the underlying filesystem within the context of the web server. This may result in disclosure of system configuration files and other sensitive information. | |||||
| CVE-2020-37088 | 1 Arox | 1 School Erp Pro | 2026-02-10 | N/A | 7.5 HIGH |
| School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information. | |||||
| CVE-2025-69601 | 1 Altumcode | 1 66biolinks | 2026-02-09 | N/A | 6.5 MEDIUM |
| A directory traversal (Zip Slip) vulnerability exists in the “Static Sites” feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) to be written to unintended locations or to overwrite existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten. | |||||
| CVE-2026-1549 | 1 Jishenghua | 1 Jsherp | 2026-02-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-15491 | | | 2026-02-09 | N/A | 5.5 MEDIUM |
| The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as those with contributor or higher roles, to perform LFI attacks. | |||||
| CVE-2026-2216 | | | 2026-02-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function download_export_file of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. | |||||
