Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3812 | 2025-05-17 | N/A | 8.1 HIGH | ||
| The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
| CVE-2025-26646 | 2025-05-16 | N/A | 8.0 HIGH | ||
| External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network. | |||||
| CVE-2025-46762 | 1 Apache | 1 Parquet | 2025-05-13 | N/A | 9.8 CRITICAL |
| Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue. | |||||
| CVE-2025-26684 | 2025-05-13 | N/A | 6.7 MEDIUM | ||
| External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2024-57394 | 2025-05-12 | N/A | 8.8 HIGH | ||
| The quarantine - restore function in Qi-ANXIN Tianqing Endpoint Security Management System v10.0 allows user to restore a malicious file to an arbitrary file path. Attackers can write malicious DLL to system path and perform privilege escalation by leveraging Windows DLL hijacking vulnerabilities. | |||||
| CVE-2025-3419 | 2025-05-08 | N/A | 7.5 HIGH | ||
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-24054 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-04-28 | N/A | 6.5 MEDIUM |
| External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2025-29709 | 1 Torrahclef | 1 Company Website Cms | 2025-04-23 | N/A | 9.8 CRITICAL |
| SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio. | |||||
| CVE-2025-29708 | 1 Torrahclef | 1 Company Website Cms | 2025-04-23 | N/A | 9.8 CRITICAL |
| SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services. | |||||
| CVE-2025-43951 | 2025-04-23 | N/A | 9.8 CRITICAL | ||
| LabVantage before LV 8.8.0.13 HF6 allows local file inclusion. Authenticated users can retrieve arbitrary files from the environment via the objectname request parameter. | |||||
| CVE-2025-1056 | 2025-04-23 | N/A | 6.1 MEDIUM | ||
| Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admin-protected location. Axis has released a patched version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2024-2155 | 1 Mayurik | 1 Best Pos Management System | 2025-04-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in SourceCodester Best POS Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file index.php. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255587. | |||||
| CVE-2025-3103 | 2025-04-21 | N/A | 7.5 HIGH | ||
| The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4. | |||||
| CVE-2024-33860 | 1 Logpoint | 1 Siem | 2025-04-18 | N/A | 6.5 MEDIUM |
| An issue was discovered in Logpoint before 7.4.0. It allows Local File Inclusion (LFI) when an arbitrary File Path is used within the File System Collector. The content of the file specified can be viewed in the incoming logs. | |||||
| CVE-2024-55371 | 2025-04-17 | N/A | 9.8 CRITICAL | ||
| Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authenticated attacker (being an administrator is not required) to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands. | |||||
| CVE-2024-55372 | 2025-04-17 | N/A | 9.8 CRITICAL | ||
| Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unauthenticated attacker to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands. | |||||
| CVE-2022-31739 | 2025-04-16 | N/A | 8.8 HIGH | ||
| When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. | |||||
| CVE-2025-0124 | 2025-04-11 | N/A | N/A | ||
| An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files as the “nobody” user; this includes limited logs and configuration files but does not include system files. The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue affects Cloud NGFW. However, this issue does not affect Prisma® Access software. | |||||
| CVE-2024-51961 | 1 Esri | 1 Arcgis Server | 2025-04-10 | N/A | 7.5 HIGH |
| There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability. | |||||
| CVE-2022-45213 | 1 Perfsonar | 1 Perfsonar | 2025-04-10 | N/A | 5.3 MEDIUM |
| perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL. | |||||