Total
77 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-36357 | 1 Ibm | 2 Planning Analytics Local, Planning Analytics Workspace | 2025-11-19 | N/A | 8.0 HIGH |
| IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system. | |||||
| CVE-2025-13282 | 2025-11-18 | N/A | 8.1 HIGH | ||
| TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | |||||
| CVE-2025-13283 | 2025-11-18 | N/A | 7.1 HIGH | ||
| TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. | |||||
| CVE-2025-9256 | 1 Uniong | 1 Webitr | 2025-11-06 | N/A | 6.5 MEDIUM |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | |||||
| CVE-2025-9257 | 1 Uniong | 1 Webitr | 2025-11-06 | N/A | 6.5 MEDIUM |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | |||||
| CVE-2025-9258 | 1 Uniong | 1 Webitr | 2025-11-06 | N/A | 6.5 MEDIUM |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | |||||
| CVE-2025-9259 | 1 Uniong | 1 Webitr | 2025-11-06 | N/A | 6.5 MEDIUM |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | |||||
| CVE-2024-48248 | 1 Nakivo | 1 Backup \& Replication Director | 2025-11-05 | N/A | 8.6 HIGH |
| NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). | |||||
| CVE-2025-53651 | 1 Jenkins | 1 Html Publisher | 2025-11-04 | N/A | 6.3 MEDIUM |
| Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. | |||||
| CVE-2025-7846 | 2025-11-04 | N/A | 8.8 HIGH | ||
| The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
| CVE-2024-12375 | 1 Automatic1111 | 1 Stable-diffusion-webui | 2025-10-30 | N/A | 6.5 MEDIUM |
| A local file inclusion vulnerability was identified in automatic1111/stable-diffusion-webui, affecting version git 82a973c. This vulnerability allows an attacker to read arbitrary files on the system by sending a specially crafted request to the application. | |||||
| CVE-2024-13159 | 1 Ivanti | 1 Endpoint Manager | 2025-10-24 | N/A | 9.8 CRITICAL |
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |||||
| CVE-2024-13160 | 1 Ivanti | 1 Endpoint Manager | 2025-10-24 | N/A | 9.8 CRITICAL |
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |||||
| CVE-2024-13161 | 1 Ivanti | 1 Endpoint Manager | 2025-10-24 | N/A | 9.8 CRITICAL |
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |||||
| CVE-2025-53392 | 1 Pfsense | 1 Pfsense | 2025-10-15 | N/A | 5.0 MEDIUM |
| In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI. | |||||
| CVE-2024-10833 | 1 Dbgpt | 1 Db-gpt | 2025-10-15 | N/A | 9.1 CRITICAL |
| eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledge' is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on the target server. This vulnerability arises because the 'doc_file.filename' parameter is user-controllable, enabling the construction of absolute paths. | |||||
| CVE-2025-0851 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations. | |||||
| CVE-2024-28806 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | N/A | 7.5 HIGH |
| An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path. | |||||
| CVE-2025-8575 | 2025-09-15 | N/A | 7.2 HIGH | ||
| The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
| CVE-2025-57790 | 1 Commvault | 1 Commvault | 2025-09-10 | N/A | 8.8 HIGH |
| A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution. | |||||