ReportizFlow
Filtered by vendor
Subscriptions
Total
119 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34392 | 3 Amidaware, Barracuda, Barracuda Networks | 3 Tactical Rmm, Rmm, Rmm | 2026-03-05 | 9.8 Critical |
| Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload. | ||||
| CVE-2024-10811 | 1 Ivanti | 1 Endpoint Manager | 2026-02-26 | 9.8 Critical |
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | ||||
| CVE-2025-36357 | 1 Ibm | 2 Planning Analytics Local, Planning Analytics Workspace | 2026-02-26 | 8 High |
| IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system. | ||||
| CVE-2025-68472 | 1 Mindsdb | 1 Mindsdb | 2026-02-20 | 8.1 High |
| MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1. | ||||
| CVE-2025-15236 | 2 Quanta Computer, Quantatw | 2 Qoca Aim Ai Medical Cloud Platform, Qoca Aim | 2026-01-21 | 4.3 Medium |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. | ||||
| CVE-2025-15237 | 2 Quanta Computer, Quantatw | 2 Qoca Aim Ai Medical Cloud Platform, Qoca Aim | 2026-01-21 | 4.3 Medium |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. | ||||
| CVE-2025-14253 | 2 Galaxy Software Services Corporation, Gss | 2 Vitals Esp, Vitalsesp | 2026-01-15 | 4.9 Medium |
| Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2025-15227 | 1 Welltend | 1 Bpmflowwebkit | 2025-12-31 | 7.5 High |
| BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2025-14848 | 1 Advantech | 2 Webaccess/scada, Webaccess\/scada | 2025-12-31 | 4.3 Medium |
| Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files. | ||||
| CVE-2025-13282 | 2 Cht, Chunghwa Telecom | 2 Tenderdoctransfer, Tenderdoctransfer | 2025-12-19 | 8.1 High |
| TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | ||||
| CVE-2025-13283 | 2 Cht, Chunghwa Telecom | 2 Tenderdoctransfer, Tenderdoctransfer | 2025-12-19 | 7.1 High |
| TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. | ||||
| CVE-2023-5115 | 2 Debian, Redhat | 7 Debian Linux, Ansible Automation Platform, Ansible Automation Platform Developer and 4 more | 2025-11-20 | 6.3 Medium |
| An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path. | ||||
| CVE-2025-9256 | 1 Uniong | 1 Webitr | 2025-11-07 | 6.5 Medium |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2025-9257 | 1 Uniong | 1 Webitr | 2025-11-07 | 6.5 Medium |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2025-9258 | 1 Uniong | 1 Webitr | 2025-11-07 | 6.5 Medium |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2025-9259 | 1 Uniong | 1 Webitr | 2025-11-07 | 6.5 Medium |
| WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2024-48248 | 1 Nakivo | 1 Backup \& Replication Director | 2025-11-05 | 8.6 High |
| NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). | ||||
| CVE-2025-53651 | 1 Jenkins | 1 Html Publisher | 2025-11-05 | 6.3 Medium |
| Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. | ||||
| CVE-2018-20250 | 1 Rarlab | 1 Winrar | 2025-11-01 | 7.8 High |
| In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. | ||||
| CVE-2024-12375 | 1 Automatic1111 | 1 Stable-diffusion-webui | 2025-10-30 | N/A |
| A local file inclusion vulnerability was identified in automatic1111/stable-diffusion-webui, affecting version git 82a973c. This vulnerability allows an attacker to read arbitrary files on the system by sending a specially crafted request to the application. | ||||