Total
7172 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29213 | 1 Jeewms | 1 Jeewms | 2025-04-25 | 5.5 Medium |
| A zip slip vulnerability in the component \service\migrate\MigrateForm.java of JEEWMS v3.7 allows attackers to execute arbitrary code via a crafted Zip file. | ||||
| CVE-2025-32950 | 2025-04-25 | 6.5 Medium | ||
| Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website. | ||||
| CVE-2022-44635 | 1 Apache | 1 Fineract | 2025-04-25 | 8.8 High |
| Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1. | ||||
| CVE-2025-34028 | 2025-04-25 | 10 Critical | ||
| A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38. | ||||
| CVE-2023-39810 | 1 Busybox | 1 Busybox | 2025-04-24 | 7.8 High |
| An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. | ||||
| CVE-2022-29837 | 1 Westerndigital | 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more | 2025-04-24 | 4.7 Medium |
| A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution. | ||||
| CVE-2022-40977 | 1 Pilz | 15 Pasvisu, Pmi V507, Pmi V507 Firmware and 12 more | 2025-04-24 | 7.5 High |
| A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability. | ||||
| CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 5.4 Medium |
| WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | ||||
| CVE-2022-44749 | 1 Knime | 1 Knime Analytics Platform | 2025-04-24 | 5.5 Medium |
| A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though. | ||||
| CVE-2022-25848 | 1 Static-dev-server Project | 1 Static-dev-server | 2025-04-24 | 7.5 High |
| This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. | ||||
| CVE-2024-37547 | 1 Livemesh | 1 Elementor Addons | 2025-04-24 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Livemesh Livemesh Addons for Elementor.This issue affects Livemesh Addons for Elementor: from n/a through 8.4.0. | ||||
| CVE-2023-6294 | 2 Popup Builder, Sygnoos | 2 Popup Builder, Popup Builder | 2025-04-24 | 7.5 High |
| The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations. | ||||
| CVE-2025-43928 | 1 Infodraw | 2 Pmrs-102, Pmrs-102 Firmware | 2025-04-24 | 5.8 Medium |
| In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing. | ||||
| CVE-2024-1433 | 1 Kde | 1 Plasma-workspace | 2025-04-24 | 3.1 Low |
| A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-253407. NOTE: This requires write access to user's home or the installation of third party global themes. | ||||
| CVE-2022-44532 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | 4.9 Medium |
| An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below. | ||||
| CVE-2022-43518 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-04-24 | 4.9 Medium |
| An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below. | ||||
| CVE-2022-42706 | 1 Sangoma | 2 Asterisk, Certified Asterisk | 2025-04-24 | 4.9 Medium |
| An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. | ||||
| CVE-2024-7263 | 2 Kingsoft, Microsoft | 2 Wps Office, Windows | 2025-04-24 | 7.8 High |
| Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library. | ||||
| CVE-2023-26687 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | 8.8 High |
| Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to obtain sensitive information via the product_data parameter in the PDF Add-on. | ||||
| CVE-2023-26691 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | 7.2 High |
| Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via crafted zip file when installing a new add-on. | ||||