Total
7960 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12203 | 2 Givanz, Vvveb | 2 Vvveb, Vvveb | 2025-11-07 | 6.3 Medium |
| A weakness has been identified in givanz Vvveb up to 1.0.7.3. This issue affects the function sanitizeFileName of the file system/functions.php of the component Code Editor. Executing manipulation of the argument File can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This patch is called b0fa7ff74a3539c6d37000db152caad572e4c39b. Applying a patch is advised to resolve this issue. | ||||
| CVE-2025-3356 | 1 Ibm | 1 Tivoli Monitoring | 2025-11-07 | 8.6 High |
| IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view, overwrite, or append to arbitrary files on the system. | ||||
| CVE-2025-3355 | 1 Ibm | 1 Tivoli Monitoring | 2025-11-07 | 7.5 High |
| IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | ||||
| CVE-2022-29081 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2025-11-06 | 9.8 Critical |
| Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring. | ||||
| CVE-2025-22130 | 2 Charm, Charmbracelet | 2 Soft Serve, Soft-serve | 2025-11-06 | 8.8 High |
| Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2. | ||||
| CVE-2024-12088 | 8 Almalinux, Archlinux, Gentoo and 5 more | 21 Almalinux, Arch Linux, Linux and 18 more | 2025-11-06 | 6.5 Medium |
| A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory. | ||||
| CVE-2025-7566 | 1 Jishenghua | 1 Jsherp | 2025-11-06 | 4.7 Medium |
| A vulnerability has been found in jshERP up to 3.5 and classified as critical. This vulnerability affects the function exportExcelByParam of the file /src/main/java/com/jsh/erp/controller/SystemConfigController.java. The manipulation of the argument Title leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-7625 | 1 Yijiusmile | 1 Kkfileviewofficeedit | 2025-11-06 | 4.3 Medium |
| A vulnerability, which was classified as critical, was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. Affected is the function Download of the file /download. The manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2019-11510 | 1 Ivanti | 1 Connect Secure | 2025-11-06 | 10.0 Critical |
| In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability . | ||||
| CVE-2019-16278 | 1 Nazgul | 1 Nostromo Nhttpd | 2025-11-06 | 9.8 Critical |
| Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request. | ||||
| CVE-2025-50735 | 1 Nextchat | 1 Nextchat | 2025-11-05 | 7.5 High |
| Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive information via authenticated or anonymous WebDAV endpoints. | ||||
| CVE-2024-25567 | 1 Deltaww | 1 Diaenergie | 2025-11-05 | 8.1 High |
| Path traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten. | ||||
| CVE-2024-28171 | 1 Deltaww | 1 Diaenergie | 2025-11-05 | 8.1 High |
| It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten. | ||||
| CVE-2025-8749 | 1 Mobile-industrial-robots | 5 Mir100, Mir1000, Mir200 and 2 more | 2025-11-05 | 6.5 Medium |
| Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request. | ||||
| CVE-2025-34508 | 2025-11-04 | 6.3 Medium | ||
| A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service. | ||||
| CVE-2025-34154 | 1 Unform | 1 Server Manager | 2025-11-04 | N/A |
| UnForm Server Manager versions prior to 10.1.12 expose an unauthenticated file read vulnerability via its log file analysis interface. The flaw resides in the arc endpoint, which accepts a fl parameter to specify the log file to be opened. Due to insufficient input validation and lack of path sanitization, attackers can supply relative paths to access arbitrary files on the host system — including sensitive OS-level files — without authentication. | ||||
| CVE-2025-59682 | 1 Djangoproject | 1 Django | 2025-11-04 | 3.1 Low |
| An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. | ||||
| CVE-2025-53906 | 1 Vim | 1 Vim | 2025-11-04 | 4.1 Medium |
| Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability. | ||||
| CVE-2025-53905 | 1 Vim | 1 Vim | 2025-11-04 | 4.1 Medium |
| Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability. | ||||
| CVE-2025-49830 | 1 Cyberark | 1 Conjur | 2025-11-04 | 6.5 Medium |
| Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy yaml parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used as reconnaissance to better understand the folder structure of the Secrets Manager/Conjur server or to have the yaml parser include files on the server in the yaml that is processed as the policy loads. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | ||||