Total
8965 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25328 | 2026-04-28 | N/A | 6.8 MEDIUM | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal.This issue affects Product File Upload for WooCommerce: from n/a through <= 2.2.4. | |||||
| CVE-2025-66687 | 2026-04-27 | N/A | 7.5 HIGH | ||
| Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files | |||||
| CVE-2026-30996 | 2026-04-27 | N/A | 7.5 HIGH | ||
| An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request. | |||||
| CVE-2026-30351 | 2026-04-27 | N/A | 7.5 HIGH | ||
| A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files via sending crafted URL path containing traversal sequences. | |||||
| CVE-2026-41419 | 2026-04-27 | N/A | 7.6 HIGH | ||
| 4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5. | |||||
| CVE-2026-4347 | 2026-04-27 | N/A | 8.1 HIGH | ||
| The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled. | |||||
| CVE-2026-5638 | 2026-04-27 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was detected in HerikLyma CPPWebFramework up to 3.1. This issue affects some unknown processing. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-41140 | 2026-04-27 | N/A | N/A | ||
| Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4. | |||||
| CVE-2026-41894 | 2026-04-27 | N/A | N/A | ||
| SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5. | |||||
| CVE-2026-7059 | 2026-04-27 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function get_simulation_posts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-7132 | 2026-04-27 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in code-projects Online Lot Reservation System up to 1.0. This affects the function readfile of the file /download.php. The manipulation of the argument File results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-41463 | 2026-04-27 | N/A | 8.8 HIGH | ||
| ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process. | |||||
| CVE-2026-30462 | 2026-04-27 | N/A | 4.3 MEDIUM | ||
| A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal. | |||||
| CVE-2026-4917 | 1 Ibm | 1 Guardium Data Protection | 2026-04-27 | N/A | 4.9 MEDIUM |
| IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system. | |||||
| CVE-2026-3689 | 1 Openclaw | 1 Openclaw | 2026-04-27 | N/A | 6.5 MEDIUM |
| OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the path parameters provided to the canvas gateway endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-29312. | |||||
| CVE-2026-33656 | 1 Espocrm | 1 Espocrm | 2026-04-27 | N/A | 9.1 CRITICAL |
| EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue. | |||||
| CVE-2026-33077 | 1 Roxy-wi | 1 Roxy-wi | 2026-04-27 | N/A | 7.5 HIGH |
| Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file read vulnerability. Version 8.2.6.4 fixes the issue. | |||||
| CVE-2026-33076 | 1 Roxy-wi | 1 Roxy-wi | 2026-04-27 | N/A | 9.8 CRITICAL |
| Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue. | |||||
| CVE-2026-6941 | 1 Radare | 1 Radare2 | 2026-04-27 | N/A | 6.6 MEDIUM |
| radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory. | |||||
| CVE-2026-6940 | 1 Radare | 1 Radare2 | 2026-04-27 | N/A | 7.1 HIGH |
| radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss. | |||||