ReportizFlow
Filtered by vendor
Subscriptions
Total
8936 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-57784 | 2026-04-15 | 5.5 Medium | ||
| An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal. | ||||
| CVE-2024-8060 | 1 Open-webui | 1 Open-webui | 2026-04-15 | N/A |
| OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user. | ||||
| CVE-2016-15055 | 1 Jvckenwood | 1 Vn-t216vpru | 2026-04-15 | N/A |
| JVC VN-T IP-camera models firmware versions up to 2016-08-22 (confirmed on the VN-T216VPRU model) contain a directory traversal vulnerability in the checkcgi endpoint that accepts a user-controlled file parameter. An unauthenticated remote attacker can leverage this vulnerability to read arbitrary files on the device. | ||||
| CVE-2024-41695 | 2026-04-15 | 7.5 High | ||
| Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory | ||||
| CVE-2023-5938 | 2026-04-15 | 8 High | ||
| Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim’s machine). | ||||
| CVE-2023-35881 | 2026-04-15 | 7.6 High | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WooCommerce WooCommerce One Page Checkout allows PHP Local File Inclusion.This issue affects WooCommerce One Page Checkout: from n/a through 2.3.0. | ||||
| CVE-2024-25136 | 2026-04-15 | 7.5 High | ||
| There is a function in AutomationDirect C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content. | ||||
| CVE-2025-66428 | 1 Plesk | 1 Obsidian | 2026-04-15 | 8.8 High |
| An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. | ||||
| CVE-2025-11034 | 1 Dibo | 1 Data Decision Making System | 2026-04-15 | 4.3 Medium |
| A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. The affected element is the function downloadImpTemplet of the file /common/dep/common_dep.action.jsp. The manipulation of the argument filePath results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. | ||||
| CVE-2024-11585 | 1 Nsp-code | 1 Wp Hide \& Security Enhancer | 2026-04-15 | 7.5 High |
| The WP Hide & Security Enhancer plugin for WordPress is vulnerable to arbitrary file contents deletion due to a missing authorization and insufficient file path validation in the file-process.php in all versions up to, and including, 2.5.1. This makes it possible for unauthenticated attackers to delete the contents of arbitrary files on the server, which can break the site or lead to data loss. | ||||
| CVE-2025-5740 | 2026-04-15 | 7.2 High | ||
| CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file writes when an authenticated user on the web server manipulates file path. | ||||
| CVE-2024-37423 | 2026-04-15 | 8.5 High | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic Newspack Blocks allows Path Traversal.This issue affects Newspack Blocks: from n/a through 3.0.8. | ||||
| CVE-2023-33310 | 2026-04-15 | 6 Medium | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Valiano Unite Gallery Lite allows PHP Local File Inclusion.This issue affects Unite Gallery Lite: from n/a through 1.7.59. | ||||
| CVE-2024-23793 | 1 Otrs | 2 Otrs, Otrs Community Edition | 2026-04-15 | 6.3 Medium |
| The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | ||||
| CVE-2024-23772 | 2026-04-15 | 6.6 Medium | ||
| An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An Arbitrary file create vulnerability exists in the KSchedulerSvc.exe, KUserAlert.exe, and Runkbot.exe components. This allows local attackers to create any file of their choice with NT Authority\SYSTEM privileges. | ||||
| CVE-2024-5821 | 1 Stitionai | 1 Devika | 2026-04-15 | N/A |
| The vulnerability allows an attacker to access sensitive files on the server by confusing the agent with incorrect file names. When a user requests the content of a file with a misspelled name, the agent attempts to correct the command and inadvertently reveals the content of the intended file, such as /etc/passwd. This can lead to unauthorized access to sensitive information and potential server compromise. | ||||
| CVE-2024-10516 | 1 Swteplugins | 1 Swift Performance | 2026-04-15 | 8.1 High |
| The Swift Performance Lite plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 2.3.7.1 via the 'ajaxify' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2025-34452 | 1 Streama Project | 1 Streama | 2026-04-15 | N/A |
| Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution. | ||||
| CVE-2025-52562 | 1 Convoypanel | 1 Panel | 2026-04-15 | 10 Critical |
| Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints. | ||||
| CVE-2025-11565 | 1 Schneider-electric | 1 Powerchute Serial Shutdown | 2026-04-15 | N/A |
| CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload. | ||||