Total: 88 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-6381 | 2 Beeteam368, Wordpress | 2 Vidmov, Wordpress | 2025-07-13 | 8.8 High | The BeeTeam368 Extensions plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_remove_temp_file() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover.
CVE-2024-57966 | 1 Kde | 1 Ark | 2025-07-13 | 5 Medium | libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive.
CVE-2024-13945 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-07-12 | 6 Medium | Stored Absolute Path Traversal vulnerabilities in ASPECT could expose sensitive data if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVE-2024-48850 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-07-12 | 7.2 High | Absolute File Traversal vulnerabilities in ASPECT allow access and modification of unintended resources. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVE-2025-36574 | 1 Dell | 1 Wyse Management Suite | 2025-07-11 | 8.2 High | Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Absolute Path Traversal vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Unauthorized access.
CVE-2025-4799 | 1 Wp-downloadmanager Project | 1 Wp-downloadmanager | 2025-07-09 | 7.2 High | The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
CVE-2024-6250 | 1 Lollms | 1 Lollms Web Ui | 2025-07-09 | N/A | An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
CVE-2024-10047 | 1 Lollms | 1 Lollms Web Ui | 2025-07-08 | N/A | parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.
CVE-2025-5927 | 1 Wpeverest | 1 Everest Forms | 2025-07-08 | 7.5 High | The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.
CVE-2025-53392 | 1 Netgate | 1 Pfsense | 2025-07-06 | 5 Medium | In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.
CVE-2023-40597 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-07-01 | 7.8 High | In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
CVE-2023-5022 | 1 Dedecms | 1 Dedecms | 2025-06-18 | 5.5 Medium | A vulnerability has been found in DedeCMS up to 5.7.100 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /include/dialog/select_templets_post.php. The manipulation of the argument activepath leads to absolute path traversal. The associated identifier of this vulnerability is VDB-239863.
CVE-2024-10811 | 1 Ivanti | 1 Endpoint Manager | 2025-06-17 | 9.8 Critical | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2023-30970 | 1 Palantir | 2 Gotham Blackbird-witchcraft, Gotham Static-assets-servlet | 2025-05-29 | 6.5 Medium | Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.
CVE-2023-5390 | 1 Honeywell | 4 Controledge Unit Operations Controller, Controledge Unit Operations Controller Firmware, Controledge Virtual Unit Operations Controller and 1 more | 2025-05-29 | 5.3 Medium | An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to read files from the controller that may expose limited information from the device. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.
CVE-2025-46822 | | | 2025-05-21 | N/A | OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized access to sensitive internal files. Commit c835c6f7799eacada4c0fc77e0816f250af01ad2 contains a patch for the issue.
CVE-2024-29053 | 1 Microsoft | 1 Defender For Iot | 2025-05-03 | 8.8 High | Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-21323 | 1 Microsoft | 1 Defender For Iot | 2025-05-03 | 8.8 High | Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2023-2765 | 1 Weaver | 1 E-office | 2025-04-25 | 4.3 Medium | A vulnerability has been found in Weaver OA up to 9.5 and classified as problematic. This vulnerability affects unknown code of the file /E-mobile/App/System/File/downfile.php. The manipulation of the argument url leads to absolute path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-229270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2022-24877 | 1 Fluxcd | 2 Flux2, Kustomize-controller | 2025-04-23 | 9.9 Critical | Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller's pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.