Total: 8256 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8941 | | | 2025-11-20 | N/A | 7.8 HIGH |
| A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020. | |||||
| CVE-2025-34045 | 1 Weiphp | 1 Weiphp | 2025-11-20 | N/A | 7.5 HIGH |
| A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | |||||
| CVE-2025-34040 | | | 2025-11-20 | N/A | N/A |
| An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC. | |||||
| CVE-2024-13982 | | | 2025-11-20 | N/A | N/A |
| SPON IP Network Broadcast System, a digital audio transmission platform developed by SPON Communications, contains an arbitrary file read vulnerability in the rj_get_token.php endpoint. The flaw arises from insufficient input validation on the jsondata[url] parameter, which allows attackers to perform directory traversal and access sensitive files on the server. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to read arbitrary files, potentially exposing system configuration, credentials, or internal logic. An affected version range is undefined. | |||||
| CVE-2025-64757 | 1 Astro | 1 Astro | 2025-11-20 | N/A | 3.5 LOW |
| Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3. | |||||
| CVE-2025-54559 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-20 | N/A | 3.7 LOW |
| An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote Path Traversal for loading arbitrary external content. | |||||
| CVE-2025-36236 | 1 Ibm | 2 Aix, Vios | 2025-11-19 | N/A | 8.2 HIGH |
| The NIM server (formerly known as NIM master) service (nimesis) in IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request to write arbitrary files on the system. | |||||
| CVE-2025-62630 | 1 Advantech | 1 Deviceon/iedge | 2025-11-19 | N/A | 8.8 HIGH |
| Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. | |||||
| CVE-2025-59171 | 1 Advantech | 1 Deviceon/iedge | 2025-11-19 | N/A | 7.5 HIGH |
| Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. | |||||
| CVE-2025-11990 | 1 Gitlab | 1 Gitlab | 2025-11-19 | N/A | 3.1 LOW |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. | |||||
| CVE-2025-29592 | 1 Aaluoxiang | 1 Oa System | 2025-11-19 | N/A | 5.6 MEDIUM |
| oasys v1.1 is vulnerable to Directory Traversal in ProcedureController. | |||||
| CVE-2025-13246 | | | 2025-11-18 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Impacted is the function JwtAuthenticationFilter of the file src/main/java/com/suisung/shopsuite/common/security/JwtAuthenticationFilter.java. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. | |||||
| CVE-2025-13266 | | | 2025-11-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java of the component VLifeApi. Such manipulation of the argument fileName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-34048 | | | 2025-11-17 | N/A | N/A |
| A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC. | |||||
| CVE-2025-20374 | 1 Cisco | 1 Unified Contact Center Express | 2025-11-17 | N/A | 4.9 MEDIUM |
| A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. This vulnerability is due to insufficient input validation associated with specific UI features. An attacker could exploit this vulnerability by sending a crafted request to the web UI. A successful exploit could allow the attacker to gain read access to arbitrary files on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. | |||||
| CVE-2025-60722 | 1 Microsoft | 1 Onedrive | 2025-11-17 | N/A | 6.5 MEDIUM |
| Improper limitation of a pathname to a restricted directory ('path traversal') in OneDrive for Android allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-9801 | 1 Sim | 1 Sim | 2025-11-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 45372aece5e05e04b417442417416a52e90ba174. To fix this issue, it is recommended to deploy the patch. | |||||
| CVE-2025-57712 | 1 Qnap | 1 Qsync Central | 2025-11-14 | N/A | 6.5 MEDIUM |
| A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.3 (2025/08/28) and later. | |||||
| CVE-2025-11366 | 1 N-able | 1 N-central | 2025-11-14 | N/A | 9.8 CRITICAL |
| N-central versions before 2025.4 are vulnerable to authentication bypass via path traversal. | |||||
| CVE-2023-7327 | | | 2025-11-14 | N/A | N/A |
| Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability. Successful exploitation allows an unauthenticated attacker to use URL-encoded traversal sequences to read arbitrary files from the underlying filesystem with the privileges of the gateway service, leading to disclosure of sensitive information. | |||||
