Total: 399 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-29778 | 2 Pyload, Pyload-ng Project | 2 Pyload, Pyload-ng | 2026-04-17 | 7.1 High |
| pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97. | ||||
| CVE-2026-1762 | 1 Ge Vernova | 1 Enervista | 2026-04-16 | 2.9 Low |
| A vulnerability in GE Vernova Enervista UR Setup on Windows allows File Manipulation. This issue affects Enervista: 8.6 and prior versions. | ||||
| CVE-2026-21620 | 1 Erlang | 3 Erlang/otp, Erlang\/otp, Otp | 2026-04-16 | 4.2 Medium |
| Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0. | ||||
| CVE-2023-3940 | | | 2026-04-15 | 7.5 High |
| Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to access any file on the system. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. | ||||
| CVE-2024-9363 | | | 2026-04-15 | N/A |
| An unauthorized file deletion vulnerability exists in the latest version of the Polyaxon platform, which can lead to denial of service by terminating critical containers. An attacker can delete important files within the containers, such as `polyaxon.sock`, causing the API container to exit unexpectedly. This disrupts related services and prevents the system from functioning normally, without requiring authentication or UUID parameters. | ||||
| CVE-2025-54317 | 1 Logpoint | 1 Logpoint | 2026-04-15 | 8.4 High |
| An issue was discovered in Logpoint before 7.6.0. An attacker with operator privileges can exploit a path traversal vulnerability when creating a Layout Template, which can lead to remote code execution (RCE). | ||||
| CVE-2024-3122 | | | 2026-04-15 | 4.9 Medium |
| CHANGING Mobile One Time Password does not properly filter parameters for the file download functionality, allowing remote attackers with administrator privilege to read arbitrary files on the system. | ||||
| CVE-2024-33615 | 1 Cyberpower | 1 Powerpanel Business | 2026-04-15 | 8.8 High |
| A specially crafted Zip file containing path traversal characters can be imported to the CyberPower PowerPanel server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution. | ||||
| CVE-2025-7146 | 1 Jhenggao | 1 Ipublish System | 2026-04-15 | 7.5 High |
| The iPublish System developed by Jhenggao has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to read arbitrary system files. | ||||
| CVE-2025-24350 | | | 2026-04-15 | 7.1 High |
| A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request. | ||||
| CVE-2021-4459 | 1 Sma | 8 Sunny Boy, Sunny Boy 1.5, Sunny Boy 2.5 and 5 more | 2026-04-15 | 6.5 Medium |
| An authorized remote attacker can access files and directories outside the intended web root, potentially exposing sensitive system information of the affected Sunny Boy devices. | ||||
| CVE-2025-13161 | 1 Iq Service International | 1 Iq-support | 2026-04-15 | 7.5 High |
| IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | ||||
| CVE-2025-32409 | | | 2026-04-15 | 8.1 High |
| Ratta SuperNote A6 X2 Nomad before December 2024 allows remote code execution because an arbitrary firmware image (signed with debug keys) can be sent to TCP port 60002, and placed into the correct image-update location as a consequence of both directory traversal and unintended handling of concurrency. | ||||
| CVE-2024-34712 | | | 2026-04-15 | 6.5 Medium |
| Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library. | ||||
| CVE-2025-47788 | 1 Atheos | 1 Atheos | 2026-04-15 | N/A |
| Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue. | ||||
| CVE-2025-7619 | 1 Wellchoose | 1 Batchsigncs | 2026-04-15 | 8.8 High |
| BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution. | ||||
| CVE-2025-64714 | 1 Privatebin | 1 Privatebin | 2026-04-15 | 5.8 Medium |
| PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If `templateselection` is enabled in the configuration, the server trusts the `template` cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere, gain remote code execution. The constructed path of the template file is checked for existence, then included. For PrivateBin project files this does not leak any secrets due to data files being created with PHP code that prevents execution, but if a configuration file without that line got created or the visitor figures out the relative path to a PHP script that directly performs an action without appropriate privilege checking, those might execute or leak information. The issue has been patched in version 2.0.3. As a workaround, set `templateselection = false` (which is the default) in `cfg/conf.php` or remove it entirely. | ||||
| CVE-2025-66386 | 1 Misp | 1 Misp | 2026-04-15 | 4.1 Medium |
| app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. | ||||
| CVE-2025-11898 | 1 Flowring | 1 Agentflow | 2026-04-15 | 7.5 High |
| Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | ||||
| CVE-2025-60023 | 1 Automationdirect | 8 P1-540, P1-550, P2-550 and 5 more | 2026-04-15 | 4 Medium |
| A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine. | ||||