Total
201 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43614 | 1 Microsoft | 1 Defender For Endpoint | 2025-07-08 | N/A | 5.5 MEDIUM |
| Relative path traversal in Microsoft Defender for Endpoint allows an authorized attacker to perform spoofing locally. | |||||
| CVE-2024-7058 | 1 Lollms | 1 Lollms Web Ui | 2025-07-08 | N/A | 4.4 MEDIUM |
| A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder on the victim's computer. | |||||
| CVE-2012-5972 | 1 Specview | 1 Specview | 2025-07-07 | 2.6 LOW | N/A |
| Directory traversal vulnerability in the web server in SpecView 2.5 build 853 and earlier allows remote attackers to read arbitrary files via a ... (dot dot dot) in a URI. | |||||
| CVE-2025-26645 | 1 Microsoft | 16 Remote Desktop Client, Windows 10 1507, Windows 10 1607 and 13 more | 2025-07-07 | N/A | 8.8 HIGH |
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2012-6069 | 1 3s-software | 1 Codesys Runtime System | 2025-07-02 | 10.0 HIGH | 10.0 CRITICAL |
| The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This may allow an attacker to upload and download any file on the device. This could allow the attacker to affect the availability, integrity, and confidentiality of the device. | |||||
| CVE-2025-52207 | 2025-06-30 | N/A | 9.9 CRITICAL | ||
| PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory. | |||||
| CVE-2024-52012 | 1 Apache | 1 Solr | 2025-06-27 | N/A | 5.4 MEDIUM |
| Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem. This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue. Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users. | |||||
| CVE-2025-48957 | 1 Astrbot | 1 Astrbot | 2025-06-25 | N/A | 7.5 HIGH |
| AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue. | |||||
| CVE-2025-52922 | 2025-06-23 | N/A | 7.4 HIGH | ||
| Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary directories on the server via the /api/file_manager/directories endpoint, (3) read arbitrary files from the server by copying the file to a readable location within the application via the /api/file_manager/copy_files endpoint, {4) delete arbitrary files from the server via a DELETE request to /api/file_manager/files, or (5) create arbitrary files on the server by uploading them and then leveraging the /api/file_manager/move_files endpoint to move them anywhere in the filesystem. | |||||
| CVE-2025-2056 | 1 Wpplugins | 1 Hide My Wp Ghost | 2025-06-20 | N/A | 7.5 HIGH |
| The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information. | |||||
| CVE-2024-2318 | 1 Zkteco | 1 Zkbio Media | 2025-06-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.3 Build 2025-05-26-1605 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-3365 | 2025-06-06 | N/A | 9.8 CRITICAL | ||
| A missing protection against path traversal allows to access any file on the server. | |||||
| CVE-2025-49466 | 2025-06-05 | N/A | 5.8 MEDIUM | ||
| aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part, | |||||
| CVE-2023-34990 | 1 Fortinet | 1 Fortiwlm | 2025-06-05 | N/A | 9.8 CRITICAL |
| A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests. | |||||
| CVE-2023-35816 | 1 Devexpress | 1 Devexpress | 2025-06-05 | N/A | 3.5 LOW |
| DevExpress before 23.1.3 allows arbitrary TypeConverter conversion. | |||||
| CVE-2024-27199 | 1 Jetbrains | 1 Teamcity | 2025-05-30 | N/A | 7.3 HIGH |
| In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible | |||||
| CVE-2025-47788 | 2025-05-19 | N/A | N/A | ||
| Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue. | |||||
| CVE-2025-46433 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | N/A | 4.9 MEDIUM |
| In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible | |||||
| CVE-2024-20352 | 1 Cisco | 1 Emergency Responder | 2025-05-07 | N/A | 4.9 MEDIUM |
| A vulnerability in Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by sending crafted requests to the web UI. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as accessing password or log files or uploading and deleting existing files from the system. | |||||
| CVE-2025-29789 | 1 Open-emr | 1 Openemr | 2025-05-06 | N/A | 7.5 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are vulnerable to Directory Traversal in the Load Code feature. Version 7.3.0 contains a patch for the issue. | |||||