Total
8709 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49089 | 1 Harry0703 | 1 Moneyprinterturbo | 2025-10-02 | 6.3 Medium |
| wangxutech MoneyPrinterTurbo 1.2.6 allows path traversal via /api/v1/download/ URIs such as /api/v1/download//etc/passwd. | ||||
| CVE-2024-53537 | 1 Openpanel | 1 Openpanel | 2025-10-02 | 9.1 Critical |
| An issue in OpenPanel v0.3.4 to v0.2.1 allows attackers to execute a directory traversal in File Actions of File Manager. | ||||
| CVE-2025-25279 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | 9.9 Critical |
| Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards. | ||||
| CVE-2025-46565 | 1 Vitejs | 1 Vite | 2025-10-02 | 5.3 Medium |
| Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14. | ||||
| CVE-2024-55401 | 1 4cstrategies | 1 Exonaut | 2025-10-01 | 6.5 Medium |
| An issue in 4C Strategies Exonaut before v22.4 allows attackers to execute a directory traversal. | ||||
| CVE-2025-7107 | 2 Sim, Simstudioai | 2 Sim, Sim | 2025-10-01 | 5.3 Medium |
| A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2024-11833 | 1 Plextrac | 1 Plextrac | 2025-10-01 | 9.1 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1. | ||||
| CVE-2024-11834 | 1 Plextrac | 1 Plextrac | 2025-10-01 | 9.1 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1. | ||||
| CVE-2025-5714 | 1 Isolucoesweb | 1 Solucoescoop | 2025-10-01 | 4.3 Medium |
| A vulnerability was found in SoluçõesCoop iSoluçõesWEB up to 20250516. It has been classified as problematic. This affects an unknown part of the file /sys/up.upload.php of the component Profile Information Update. The manipulation of the argument nomeArquivo leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2023-46988 | 1 Onlyoffice | 1 Document Server | 2025-10-01 | 6.7 Medium |
| Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service (DoS). | ||||
| CVE-2025-27566 | 1 Appleple | 1 A-blog Cms | 2025-09-30 | 3.8 Low |
| Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server. | ||||
| CVE-2025-6282 | 1 Xlang | 1 Openagents | 2025-09-30 | 5.5 Medium |
| A vulnerability was found in xlang-ai OpenAgents up to ff2e46440699af1324eb25655b622c4a131265bb and classified as critical. Affected by this issue is the function create_upload_file of the file backend/api/file.py. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The reported GitHub issue was closed automatically with the label "not planned" by a bot. | ||||
| CVE-2025-6283 | 1 Xata | 1 Agent | 2025-09-30 | 3.5 Low |
| A vulnerability was found in xataio Xata Agent up to 0.3.0. It has been classified as problematic. This affects the function GET of the file apps/dbagent/src/app/api/evals/route.ts. The manipulation of the argument passed leads to path traversal. Upgrading to version 0.3.1 is able to address this issue. The patch is named 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc. It is recommended to upgrade the affected component. | ||||
| CVE-2025-53375 | 1 Dokploy | 1 Dokploy | 2025-09-29 | 6.5 Medium |
| Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access (e.g., /etc/passwd, application source, environment variable files containing credentials and secrets). This may lead to full compromise of other services or lateral movement. This vulnerability is fixed in 0.23.7. | ||||
| CVE-2009-4449 | 1 Mybb | 1 Mybb | 2025-09-26 | 6.5 Medium |
| Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php. | ||||
| CVE-2025-31174 | 1 Huawei | 1 Harmonyos | 2025-09-26 | 6.8 Medium |
| Path traversal vulnerability in the DFS module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-58320 | 2 Delta Electronics, Deltaww | 2 Dialink, Dialink | 2025-09-26 | 7.3 High |
| Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability. | ||||
| CVE-2025-58321 | 2 Delta Electronics, Deltaww | 2 Dialink, Dialink | 2025-09-26 | 10 Critical |
| Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability. | ||||
| CVE-2025-22601 | 1 Discourse | 1 Discourse | 2025-09-25 | 3.1 Low |
| Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-24836 | 1 Sun.net | 1 Ehrd Ctms | 2025-09-25 | 8.8 High |
| SUNNET CTMS has vulnerability of path traversal within its file uploading function. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload and execute scripts onto arbitrary directories to perform arbitrary system operation or disrupt service. | ||||