Total: 217 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-26349 | 1 Q-free | 1 Maxtime | 2025-10-24 | N/A | 7.2 HIGH | A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests. |
| CVE-2025-60023 | | | 2025-10-23 | N/A | 4.0 MEDIUM | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine. |
| CVE-2025-59776 | | | 2025-10-23 | N/A | 4.0 MEDIUM | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine. |
| CVE-2025-58429 | | | 2025-10-23 | N/A | 7.5 HIGH | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary files on the target machine. |
| CVE-2025-62498 | | | 2025-10-23 | N/A | 8.8 HIGH | A relative path traversal (ZipSlip) vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an attacker who can tamper with a Productivity project to execute arbitrary code on the machine where the project is opened. |
| CVE-2025-58456 | | | 2025-10-23 | N/A | 6.8 MEDIUM | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read arbitrary files on the target machine. |
| CVE-2025-58078 | | | 2025-10-23 | N/A | 7.5 HIGH | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine. |
| CVE-2025-59682 | 1 Djangoproject | 1 Django | 2025-10-22 | N/A | 3.1 LOW | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. |
| CVE-2021-40870 | 1 Aviatrix | 1 Controller | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. |
| CVE-2025-11898 | | | 2025-10-21 | N/A | 7.5 HIGH | Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. |
| CVE-2024-56340 | 1 Ibm | 1 Cognos Analytics | 2025-10-17 | N/A | 6.5 MEDIUM | IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to a local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter. |
| CVE-2024-47051 | 1 Acquia | 1 Mautic | 2025-10-16 | N/A | 9.1 CRITICAL | This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts. * Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system. |
| CVE-2025-46002 | 1 Simogeo | 1 Filemanager | 2025-10-14 | N/A | 6.5 MEDIUM | An issue in Filemanager v2.5.0 and below allows attackers to perform a directory traversal by sending a crafted HTTP request to the filemanager.php endpoint. |
| CVE-2025-27610 | 1 Rack | 1 Rack | 2025-10-10 | N/A | 7.5 HIGH | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue. |
| CVE-2025-62187 | 1 Ankitects | 1 Anki | 2025-10-10 | N/A | 2.9 LOW | In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder). |
| CVE-2025-55115 | 1 Bmc | 1 Control-M/Agent | 2025-10-10 | N/A | 8.8 HIGH | A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above. |
| CVE-2025-51052 | 1 Vedo Suite Project | 1 Vedo Suite | 2025-10-09 | N/A | 6.5 MEDIUM | A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'. |
| CVE-2025-10249 | | | 2025-10-09 | N/A | 6.5 MEDIUM | The Slider Revolution plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions in all versions up to, and including, 6.7.37. This makes it possible for authenticated attackers, with Contributor-level access and above, to install and activate plugin add-ons, create sliders, and download arbitrary files. |
| CVE-2025-59835 | | | 2025-10-06 | N/A | N/A | LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5. |
| CVE-2025-43016 | 1 Jetbrains | 1 Rider | 2025-10-01 | N/A | 5.4 MEDIUM | In JetBrains Rider before 2025.1.2, the custom archive unpacker allowed arbitrary file overwrite during a remote debug session. |
