ReportizFlow
Filtered by vendor
Subscriptions
Total
8950 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67488 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-01-30 | 7.8 High |
| SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0. | ||||
| CVE-2022-50932 | 1 Kyocera | 1 Command Center Rx | 2026-01-30 | 7.5 High |
| Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../.../etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow. | ||||
| CVE-2025-67160 | 1 Vatilon | 2 Pa4, Pa4 Firmware | 2026-01-30 | 7.5 High |
| An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal. | ||||
| CVE-2025-6776 | 1 Xiaoyunjie | 1 Openvpn-cms-flask | 2026-01-30 | 7.3 High |
| A vulnerability classified as critical was found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This vulnerability affects the function Upload of the file app/plugins/oss/app/controller.py of the component File Upload. The manipulation of the argument image leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The name of the patch is e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component. | ||||
| CVE-2025-9435 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2026-01-29 | 5.5 Medium |
| Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module | ||||
| CVE-2015-1579 | 1 Elegantthemes | 1 Divi | 2026-01-28 | N/A |
| Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734. | ||||
| CVE-2025-14306 | 2 Robocode, Robocode Project | 2 Robocode, Robocode | 2026-01-28 | 9.1 Critical |
| A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/ | ||||
| CVE-2024-39651 | 2 Wpweb, Wpwebelite | 2 Woocommerce Pdf Vouchers, Woocommerce Pdf Vouchers | 2026-01-28 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPWeb WooCommerce PDF Vouchers allows File Manipulation.This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.5. | ||||
| CVE-2022-36943 | 1 Ziparchive Project | 1 Ziparchive | 2026-01-28 | 8.1 High |
| SSZipArchive versions 2.5.3 and older contain an arbitrary file write vulnerability due to lack of sanitization on paths which are symlinks. SSZipArchive will overwrite files on the filesystem when opening a malicious ZIP containing a symlink as the first item. | ||||
| CVE-2025-66518 | 1 Apache | 1 Kyuubi | 2026-01-28 | 8.8 High |
| Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue. | ||||
| CVE-2025-29847 | 1 Apache | 1 Linkis | 2026-01-28 | 7.5 High |
| A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/[email protected]:2025-9:cve | ||||
| CVE-2025-58590 | 1 Sick | 4 Baggage Analytics, Logistic Diagnostic Analytics, Package Analytics and 1 more | 2026-01-27 | 6.5 Medium |
| It's possible to brute force folders and files, what can be used by an attacker to steal sensitve information. | ||||
| CVE-2025-58591 | 1 Sick | 4 Baggage Analytics, Logistic Diagnostic Analytics, Package Analytics and 1 more | 2026-01-27 | 6.5 Medium |
| A remote, unauthorized attacker can brute force folders and files and read them like private keys or configurations, making the application vulnerable for gathering sensitive information. | ||||
| CVE-2025-54755 | 1 F5 | 22 Big-ip, Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager and 19 more | 2026-01-27 | 4.9 Medium |
| A directory traversal vulnerability exists in TMUI that allows a highly privileged authenticated attacker to access files which are not limited to the intended files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2024-4296 | 1 Hgiga | 1 Isherlock | 2026-01-26 | 4.9 Medium |
| The account management interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files. | ||||
| CVE-2024-4297 | 1 Hgiga | 1 Isherlock | 2026-01-26 | 4.9 Medium |
| The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files. | ||||
| CVE-2025-67004 | 1 Couchcms | 1 Couchcms | 2026-01-23 | 6.5 Medium |
| ** Disputed ** An Information Disclosure vulnerability in CouchCMS 2.4 allow an Admin user to read arbitrary files via traversing directories back after back. It can Disclosure the source code or any other confidential information if weaponize accordingly. NOTE: A community member states that this is not a CouchCMS vulnerability and that if /\<file> is accessible it is a web-server configuration issue. | ||||
| CVE-2025-68921 | 1 Steelseries | 2 Nahimic, Nahimic 3 | 2026-01-23 | 7.8 High |
| SteelSeries Nahimic 3 1.10.7 allows Directory traversal. | ||||
| CVE-2025-66689 | 2 Beehiveinnovations, Busymac | 2 Zen Mcp Server, Pal Mcp Server | 2026-01-23 | 6.5 Medium |
| A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths. | ||||
| CVE-2025-59384 | 1 Qnap | 1 Qfiling | 2026-01-22 | 7.5 High |
| A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later | ||||