Total
8709 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5385 | 2 Huayi-tec, Jeewms | 2 Jeewms, Jeewms | 2025-09-11 | 6.3 Medium |
| A vulnerability was found in JeeWMS up to 20250504. It has been declared as critical. This vulnerability affects the function doAdd of the file /cgformTemplateController.do?doAdd. The manipulation leads to path traversal. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2018-18434 | 1 Linlinjava | 1 Litemall | 2025-09-11 | N/A |
| An issue was discovered in litemall 0.9.0. Arbitrary file download is possible via ../ directory traversal in linlinjava/litemall/wx/web/WxStorageController.java in the litemall-wx-api component. | ||||
| CVE-2025-51463 | 1 Aimstack | 1 Aim | 2025-09-11 | 7 High |
| Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the server's filesystem via a crafted backup tar file submitted to the run_instruction API, which is extracted without path validation during restoration. | ||||
| CVE-2025-8753 | 1 Linlinjava | 1 Litemall | 2025-09-11 | 5.4 Medium |
| A vulnerability, which was classified as critical, has been found in linlinjava litemall up to 1.8.0. Affected by this issue is the function delete of the file /admin/storage/delete of the component File Handler. The manipulation of the argument key leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-32023 | 1 Bmaltais | 1 Kohya Ss | 2025-09-08 | 6.5 Medium |
| Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is vulnerable to a path injection in the `common_gui.py` `find_and_replace` function. This vulnerability is fixed in 23.1.5. | ||||
| CVE-2024-32024 | 1 Bmaltais | 1 Kohya Ss | 2025-09-08 | 6.5 Medium |
| Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is vulnerable to a path injection in the `common_gui.py` `add_pre_postfix` function. This vulnerability is fixed in 23.1.5. | ||||
| CVE-2021-43778 | 1 Glpi-project | 1 Barcode | 2025-09-08 | 9.1 Critical |
| Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file. | ||||
| CVE-2025-48550 | 1 Google | 1 Android | 2025-09-05 | 5.5 Medium |
| In testGrantSlicePermission of SliceManagerTest.java, there is a possible permanent denial of service due to a path traversal error. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2022-42123 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-09-05 | 7.5 High |
| A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin. | ||||
| CVE-2024-8510 | 1 N-able | 1 N-central | 2025-09-05 | 5.3 Medium |
| N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Customer data is not exposed. This vulnerability is present in all deployments of N-central prior to N-central 2024.6. | ||||
| CVE-2025-21623 | 1 Oxygenz | 1 Clipbucket | 2025-09-05 | 7.5 High |
| ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service. | ||||
| CVE-2025-21622 | 1 Oxygenz | 1 Clipbucket | 2025-09-05 | 7.5 High |
| ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url) therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237. | ||||
| CVE-2025-41035 | 1 Apprain | 1 Apprain | 2025-09-04 | 6.5 Medium |
| A problem has been discovered in appRain CMF 4.0.5. An authenticated Path Traversal vulnerability in /apprain/common/download/ allows remote users to bypass the intended SecurityManager restrictions and download any file if they have adequate permissions outside the document root configured on the server via the base64 path after /download/. | ||||
| CVE-2025-50971 | 1 Abantecart | 1 Abantecart | 2025-09-04 | 7.5 High |
| Directory traversal vulnerability in AbanteCart version 1.4.2 allows unauthenticated attackers to gain access to sensitive system files via the template parameter to index.php. | ||||
| CVE-2024-47820 | 1 Markusproject | 1 Markus | 2025-09-04 | 5.7 Medium |
| MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Authenticated instructors may download any file on the web server MarkUs is running on, depending on the file permissions. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading. | ||||
| CVE-2024-45175 | 2 C-mor, Za-internet | 2 C-mor Video Surveillance, C-mor Video Surveillance | 2025-09-04 | 8.8 High |
| An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Sensitive information is stored in cleartext. It was found out that sensitive information, for example login credentials of cameras, is stored in cleartext. Thus, an attacker with filesystem access, for example exploiting a path traversal attack, has access to the login data of all configured cameras, or the configured FTP server. | ||||
| CVE-2024-45178 | 2 C-mor, Za-internet | 2 C-mor Video Surveillance, C-mor Video Surveillance | 2025-09-04 | 7.1 High |
| An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to download arbitrary files from the C-MOR system via a path traversal attack. It was found out that different functionalities are vulnerable to path traversal attacks, due to insufficient user input validation. For instance, the download functionality for backups provided by the script download-bkf.pml is vulnerable to a path traversal attack via the parameter bkf. This enables an authenticated user to download arbitrary files as Linux user www-data from the C-MOR system. Another path traversal attack is in the script show-movies.pml, which can be exploited via the parameter cam. | ||||
| CVE-2025-6453 | 1 Diyhi | 1 Bbs | 2025-09-04 | 6.3 Medium |
| A vulnerability classified as critical has been found in diyhi bbs 6.8. Affected is the function Add of the file /src/main/java/cms/web/action/template/ForumManageAction.java of the component API. The manipulation of the argument dirName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-37474 | 2 9001, Copyparty Project | 2 Copyparty, Copyparty | 2025-09-04 | 7.5 High |
| Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit `043e3c7d` which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-46559 | 1 Misskey | 1 Misskey | 2025-09-03 | 5.4 Medium |
| Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue. | ||||