Total
136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25759 | 1 Sucms Project | 1 Sucms | 2025-04-09 | N/A | 7.5 HIGH |
| An issue in the component admin_template.php of SUCMS v1.0 allows attackers to execute a directory traversal and arbitrary file deletion via a crafted GET request. | |||||
| CVE-2023-43856 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | N/A | 7.5 HIGH |
| Dreamer CMS v4.1.3 was discovered to contain an arbitrary file read vulnerability via the component /admin/TemplateController.java. | |||||
| CVE-2025-27147 | 2025-03-27 | N/A | 8.2 HIGH | ||
| The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability. | |||||
| CVE-2022-44343 | 1 Crmeb | 1 Crmeb | 2025-03-26 | N/A | 7.5 HIGH |
| CRMEB 4.4.4 is vulnerable to Any File download. | |||||
| CVE-2023-0331 | 1 Correos | 1 Correos Oficial | 2025-03-10 | N/A | 7.5 HIGH |
| The Correos Oficial WordPress plugin through 1.2.0.2 does not have an authorization check user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server. | |||||
| CVE-2023-26956 | 1 Onekeyadmin | 1 Onekeyadmin | 2025-03-05 | N/A | 7.5 HIGH |
| onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/curd/code. | |||||
| CVE-2023-26948 | 1 Onekeyadmin | 1 Onekeyadmin | 2025-02-28 | N/A | 7.5 HIGH |
| onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/file/download. | |||||
| CVE-2025-26525 | 2025-02-24 | N/A | 8.6 HIGH | ||
| Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed). | |||||
| CVE-2024-12917 | 2025-02-24 | N/A | 8.3 HIGH | ||
| Files or Directories Accessible to External Parties vulnerability in Agito Computer Health4All allows Exploiting Incorrectly Configured Access Control Security Levels, Authentication Abuse.This issue affects Health4All: before 10.01.2025. | |||||
| CVE-2024-34066 | 1 Pterodactyl | 1 Wings | 2025-02-21 | N/A | 8.4 HIGH |
| Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround. | |||||
| CVE-2022-44583 | 1 Watchtowerhq | 1 Watchtower | 2025-02-20 | N/A | 7.5 HIGH |
| Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress. | |||||
| CVE-2024-11629 | 1 Progress | 1 Telerik Document Processing Libraries | 2025-02-19 | N/A | 7.1 HIGH |
| In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF. | |||||
| CVE-2024-3564 | 1 Vanderwijk | 1 Content Blocks | 2025-02-19 | N/A | 8.8 HIGH |
| The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2023-23330 | 1 Amano | 1 Xoffice | 2025-02-18 | N/A | 7.5 HIGH |
| amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion. | |||||
| CVE-2025-0509 | 2025-02-17 | N/A | 7.3 HIGH | ||
| A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks. | |||||
| CVE-2023-1124 | 1 Wpeasycart | 1 Wp Easycart | 2025-02-14 | N/A | 7.2 HIGH |
| The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. | |||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2025-02-13 | 5.0 MEDIUM | 7.5 HIGH |
| A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. | |||||
| CVE-2023-27180 | 1 Gdidees | 1 Gdidees Cms | 2025-02-12 | N/A | 7.5 HIGH |
| GDidees CMS v3.9.1 was discovered to contain a source code disclosure vulnerability by the backup feature which is accessible via /_admin/backup.php. | |||||
| CVE-2024-10403 | 1 Broadcom | 1 Fabric Operating System | 2025-02-04 | N/A | 7.5 HIGH |
| Brocade Fabric OS versions before 8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a can capture the SFTP/FTP server password used for a firmware download operation initiated by SANnav or through WebEM in a weblinker core dump that is later captured via supportsave. | |||||
| CVE-2024-3037 | 2 Microsoft, Papercut | 3 Windows, Papercut Mf, Papercut Ng | 2025-01-27 | N/A | 7.8 HIGH |
| An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which typically restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log in to the local console of the Windows environment hosting the PaperCut NG/MF application server. Note: This CVE has been split into two separate CVEs (CVE-2024-3037 and CVE-2024-8404) and it’s been rescored with a "Privileges Required (PR)" rating of low, and “Attack Complexity (AC)” rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard users on the host server. | |||||