Total: 291 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-62382 | | | 2025-10-16 | 7.7 High | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the publicly served clips directory, the feature can be abused to read arbitrary files that reside on the host running Frigate. In practice, a low-privilege user with API access can pivot from viewing camera footage to exfiltrating sensitive configuration files, secrets, or user data from the appliance itself. This behavior violates the principle of least privilege for the export subsystem and turns a convenience feature into a direct information disclosure vector, with exploitation hinging on a short race window while the background exporter copies the chosen file into place before cleanup runs. This vulnerability is fixed in 0.16.2.
CVE-2025-59483 | | | 2025-10-16 | 6.5 Medium | A validation vulnerability exists in an undisclosed URL in the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2025-59244 | | | 2025-10-15 | 6.5 Medium | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-59292 | | | 2025-10-15 | 8.2 High | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally.
CVE-2025-59291 | | | 2025-10-15 | 8.2 High | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally.
CVE-2025-59200 | | | 2025-10-15 | 7.7 High | Concurrent execution using shared resource with improper synchronization ('race condition') in Data Sharing Service Client allows an unauthorized attacker to perform spoofing locally.
CVE-2025-59185 | | | 2025-10-15 | 6.5 Medium | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network.
CVE-2024-11042 | | | 2025-10-15 | N/A | In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.
CVE-2024-38049 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-14 | 6.6 Medium | Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability
CVE-2025-35053 | 1 Newforma | 1 Project Center Server | 2025-10-14 | 6.4 Medium | Newforma Info Exchange (NIX) accepts requests to '/UserWeb/Common/MarkupServices.ashx' specifying the 'DownloadExportedPDF' command that allow an authenticated user to read and delete arbitrary files with 'NT AUTHORITY\NetworkService' privileges. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.
CVE-2025-0851 | | | 2025-10-14 | 9.8 Critical | A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations.
CVE-2014-2375 | 1 Ecava | 1 Integraxor | 2025-10-13 | N/A | Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.
CVE-2025-10043 | | | 2025-10-09 | 2.7 Low | Considered by the maintainers a bug scenario rather than a vulnerability.
CVE-2025-10494 | 2 Stylemix, Wordpress | 2 Motors, Wordpress | 2025-10-08 | 8.1 High | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVE-2025-10306 | 2 Backupbolt, Wordpress | 2 Backup Bolt, Wordpress | 2025-10-06 | 3.8 Low | The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations.
CVE-2025-58769 | 4 Auth0, Laravel, Symfony and 1 more | 4 Auth0, Laravel, Symfony and 1 more | 2025-10-02 | 3.3 Low | auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
CVE-2025-0124 | 1 Paloaltonetworks | 1 Pan-os | 2025-10-02 | 3.8 Low | An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files as the "nobody" user; this includes limited logs and configuration files but does not include system files. The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue affects Cloud NGFW. However, this issue does not affect Prisma® Access software.
CVE-2024-11838 | 1 Plextrac | 1 Plextrac | 2025-10-01 | 9.8 Critical | External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1.
CVE-2024-1243 | 1 Wazuh | 1 Wazuh | 2025-10-01 | 7.2 High | Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
CVE-2024-22341 | 1 Ibm | 2 Watson Query With Cloud Pak For Data, Watson Query With Cloud Pak For Data As A Service | 2025-09-30 | 5.3 Medium | IBM Watson Query on Cloud Pak for Data 4.0.0 through 4.0.9, 4.5.0 through 4.5.3, 4.6.0 through 4.6.6, 4.7.0 through 4.7.4, and 4.8.0 through 4.8.7 could allow unauthorized data access from a remote data source object due to improper privilege management.