Total
7397 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8510 | 1 N-able | 1 N-central | 2025-09-05 | N/A | 5.3 MEDIUM |
| N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Customer data is not exposed. This vulnerability is present in all deployments of N-central prior to N-central 2024.6. | |||||
| CVE-2025-21623 | 1 Oxygenz | 1 Clipbucket | 2025-09-05 | N/A | 7.5 HIGH |
| ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service. | |||||
| CVE-2025-22130 | 1 Charm | 1 Soft Serve | 2025-09-05 | N/A | 8.8 HIGH |
| Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2. | |||||
| CVE-2025-21622 | 1 Oxygenz | 1 Clipbucket | 2025-09-05 | N/A | 7.5 HIGH |
| ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url) therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237. | |||||
| CVE-2025-41035 | 1 Apprain | 1 Apprain | 2025-09-04 | N/A | 6.5 MEDIUM |
| A problem has been discovered in appRain CMF 4.0.5. An authenticated Path Traversal vulnerability in /apprain/common/download/ allows remote users to bypass the intended SecurityManager restrictions and download any file if they have adequate permissions outside the document root configured on the server via the base64 path after /download/. | |||||
| CVE-2025-50971 | 1 Abantecart | 1 Abantecart | 2025-09-04 | N/A | 7.5 HIGH |
| Directory traversal vulnerability in AbanteCart version 1.4.2 allows unauthenticated attackers to gain access to sensitive system files via the template parameter to index.php. | |||||
| CVE-2024-47820 | 1 Markusproject | 1 Markus | 2025-09-04 | N/A | 5.7 MEDIUM |
| MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Authenticated instructors may download any file on the web server MarkUs is running on, depending on the file permissions. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading. | |||||
| CVE-2024-45175 | 1 C-mor | 1 C-mor Video Surveillance | 2025-09-04 | N/A | 8.8 HIGH |
| An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Sensitive information is stored in cleartext. It was found out that sensitive information, for example login credentials of cameras, is stored in cleartext. Thus, an attacker with filesystem access, for example exploiting a path traversal attack, has access to the login data of all configured cameras, or the configured FTP server. | |||||
| CVE-2024-45178 | 1 C-mor | 1 C-mor Video Surveillance | 2025-09-04 | N/A | 7.1 HIGH |
| An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to download arbitrary files from the C-MOR system via a path traversal attack. It was found out that different functionalities are vulnerable to path traversal attacks, due to insufficient user input validation. For instance, the download functionality for backups provided by the script download-bkf.pml is vulnerable to a path traversal attack via the parameter bkf. This enables an authenticated user to download arbitrary files as Linux user www-data from the C-MOR system. Another path traversal attack is in the script show-movies.pml, which can be exploited via the parameter cam. | |||||
| CVE-2025-6453 | 1 Diyhi | 1 Bbs | 2025-09-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in diyhi bbs 6.8. Affected is the function Add of the file /src/main/java/cms/web/action/template/ForumManageAction.java of the component API. The manipulation of the argument dirName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-7975 | 2025-09-04 | N/A | 7.8 HIGH | ||
| Anritsu ShockLine CHX File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-26913. | |||||
| CVE-2025-7039 | 2025-09-04 | N/A | 3.7 LOW | ||
| A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations. | |||||
| CVE-2025-58355 | 2025-09-04 | N/A | 7.7 HIGH | ||
| Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0. | |||||
| CVE-2023-37474 | 1 9001 | 1 Copyparty | 2025-09-04 | N/A | 7.5 HIGH |
| Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit `043e3c7d` which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-46559 | 1 Misskey | 1 Misskey | 2025-09-03 | N/A | 5.4 MEDIUM |
| Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue. | |||||
| CVE-2021-24035 | 1 Whatsapp | 2 Whatsapp, Whatsapp Business | 2025-09-03 | 6.4 MEDIUM | 9.1 CRITICAL |
| A lack of filename validation when unzipping archives prior to WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13 could have allowed path traversal attacks that overwrite WhatsApp files. | |||||
| CVE-2025-58161 | 1 Opensecurity | 1 Mobile Security Framework | 2025-09-03 | N/A | 4.3 MEDIUM |
| MobSF is a mobile application security testing tool used. In version 4.4.0, the GET /download/ route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download directory from "neighboring" directories whose absolute paths begin with the same prefix as DWD_DIR (e.g., .../downloads_bak, .../downloads.old). This is a Directory Traversal (escape) leading to a data leak. This issue has been patched in version 4.4.1. | |||||
| CVE-2025-58162 | 1 Opensecurity | 1 Mobile Security Framework | 2025-09-03 | N/A | 6.5 MEDIUM |
| MobSF is a mobile application security testing tool used. In version 4.4.0, an authenticated user who uploaded a specially prepared one.a, can write arbitrary files to any directory writable by the user of the MobSF process. This issue has been patched in version 4.4.1. | |||||
| CVE-2025-8343 | 1 Viglet | 1 Shio | 2025-09-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-33032 | 2025-09-02 | N/A | N/A | ||
| A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | |||||