Total
7118 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5709 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 8.8 HIGH |
| The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.7 via the 'layout_name' parameter. This makes it possible for authenticated attackers, with Author-level access and above, and with post permissions granted by an Administrator, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2024-25711 | 2 Fedoraproject, Reproducible Builds | 2 Fedora, Diffoscope | 2025-05-28 | N/A | 7.5 HIGH |
| diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted. | |||||
| CVE-2023-46307 | 1 Buddho | 1 Etcd Browser | 2025-05-28 | N/A | 7.5 HIGH |
| An issue was discovered in server.js in etcd-browser 87ae63d75260. By supplying a /../../../ Directory Traversal input to the URL's GET request while connecting to the remote server port specified during setup, an attacker can retrieve local operating system files from the remote system. | |||||
| CVE-2024-7774 | 1 Langchain | 1 Langchain.js | 2025-05-28 | N/A | 9.1 CRITICAL |
| A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input. | |||||
| CVE-2022-41231 | 1 Jenkins | 1 Build-publisher | 2025-05-28 | N/A | 5.7 MEDIUM |
| Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. | |||||
| CVE-2025-48370 | 2025-05-28 | N/A | N/A | ||
| auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1. | |||||
| CVE-2025-4807 | 1 Senior-walter | 1 Online Student Clearance System | 2025-05-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4632 | 1 Samsung | 1 Magicinfo 9 Server | 2025-05-27 | N/A | 9.8 CRITICAL |
| Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority. | |||||
| CVE-2022-29799 | 1 Microsoft | 1 Windows Defender For Endpoint | 2025-05-27 | N/A | 5.5 MEDIUM |
| A vulnerability was found in networkd-dispatcher. This flaw exists because no functions are sanitized by the OperationalState or the AdministrativeState of networkd-dispatcher. This attack leads to a directory traversal to escape from the “/etc/networkd-dispatcher” base directory. | |||||
| CVE-2023-38951 | 1 Zkteco | 1 Biotime | 2025-05-27 | N/A | 9.8 CRITICAL |
| ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM. | |||||
| CVE-2022-28981 | 1 Liferay | 1 Liferay Portal | 2025-05-27 | N/A | 7.5 HIGH |
| Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter. | |||||
| CVE-2025-32950 | 2025-05-27 | N/A | 6.5 MEDIUM | ||
| Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2022-40444 | 1 Zzcms | 1 Zzcms | 2025-05-27 | N/A | 5.3 MEDIUM |
| ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server. | |||||
| CVE-2022-40443 | 1 Zzcms | 1 Zzcms | 2025-05-27 | N/A | 5.3 MEDIUM |
| An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php. | |||||
| CVE-2023-28465 | 1 Hapifhir | 1 Hl7 Fhir Core | 2025-05-27 | N/A | 7.5 HIGH |
| The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057. | |||||
| CVE-2022-34026 | 1 Icecoder | 1 Icecoder | 2025-05-27 | N/A | 7.5 HIGH |
| ICEcoder v8.1 allows attackers to execute a directory traversal. | |||||
| CVE-2025-4720 | 1 Munyweki | 1 Student Result Management System | 2025-05-27 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file academic/core/drop_student.php. The manipulation of the argument img leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0493 | 1 Multivendorx | 1 Multivendorx | 2025-05-23 | N/A | 9.8 CRITICAL |
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included | |||||
| CVE-2024-53582 | 1 Openpanel | 1 Openpanel | 2025-05-23 | N/A | 7.5 HIGH |
| An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request. | |||||
| CVE-2025-4419 | 2025-05-23 | N/A | 4.3 MEDIUM | ||
| The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory. | |||||