Total: 153 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-45495 | 1 Microsoft | 1 Edge Chromium | 2026-05-26 | N/A | 8.8 HIGH |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | |||||
| CVE-2026-44933 | | | 2026-05-20 | N/A | 7.8 HIGH |
| `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, but this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, it is a no-op, allowing the traversed path to execute host binaries (like `/bin/bash`) with root privileges. | |||||
| CVE-2026-0804 | 1 Axis | 1 Axis Os | 2026-05-19 | N/A | 6.7 MEDIUM |
| An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2026-7302 | 1 Lmsys | 1 Sglang | 2026-05-19 | N/A | 9.1 CRITICAL |
| SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints. | |||||
| CVE-2026-42930 | | | 2026-05-13 | N/A | 8.7 HIGH |
| When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2026-24464 | | | 2026-05-13 | N/A | 6.8 MEDIUM |
| When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2026-25705 | | | 2026-05-13 | N/A | 8.4 HIGH |
| A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: overwrite Rancher binaries or configuration to inject code; write to /var/lib/rancher/ to tamper with cluster state; if hostPath volumes are mounted, write to the host node filesystem; use this issue to chain with other attack vectors. | |||||
| CVE-2026-42274 | | | 2026-05-08 | N/A | N/A |
| Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in Heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin; the latter would require the allow_encoded_slashes option to be set to on or no_decode) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14. | |||||
| CVE-2026-20034 | | | 2026-05-06 | N/A | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. | |||||
| CVE-2026-0205 | 1 Sonicwall | 64 Nsa 2650, Nsa 2700, Nsa 2800 and 61 more | 2026-05-05 | N/A | 6.8 MEDIUM |
| A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services. | |||||
| CVE-2026-25397 | | | 2026-04-28 | N/A | 7.5 HIGH |
| Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal. This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4. | |||||
| CVE-2026-32415 | | | 2026-04-22 | N/A | 5.0 MEDIUM |
| Path Traversal: '.../...//' vulnerability in Bogdan Bendziukov Squeeze squeeze allows Path Traversal. This issue affects Squeeze: from n/a through <= 1.7.7. | |||||
| CVE-2026-28265 | 1 Dell | 13 Powerstore 1000t, Powerstore 1200t, Powerstore 3000t and 10 more | 2026-04-02 | N/A | 4.4 MEDIUM |
| PowerStore contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary system files. | |||||
