Total
9447 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6108 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file /springbt_watermark/src/main/java/cn/codesheep/springbt_watermark/service/ImageUploadService.java of the component File Upload. The manipulation of the argument filename leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0615 | 2026-04-15 | 5.3 Medium | ||
| Input validation vulnerability in Qualifio's Wheel of Fortune. This vulnerability allows an attacker to modify an email to contain the ‘+’ symbol to access the application and win prizes as many times as wanted. | ||||
| CVE-2024-41971 | 2026-04-15 | 8.1 High | ||
| A low privileged remote attacker can overwrite an arbitrary file on the filesystem leading to a DoS and data loss. | ||||
| CVE-2025-15491 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.5 Medium |
| The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks | ||||
| CVE-2023-7327 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2026-04-15 | N/A |
| Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability. Successful exploitation allows an unauthenticated attacker to use URL-encoded traversal sequences to read arbitrary files from the underlying filesystem with the privileges of the gateway service, leading to disclosure of sensitive information. | ||||
| CVE-2024-32944 | 2026-04-15 | 3.3 Low | ||
| Path traversal vulnerability exists in UTAU versions prior to v0.4.19. If a user of the product installs a crafted UTAU voicebank installer (.uar file, .zip file) to UTAU, an arbitrary file may be placed. | ||||
| CVE-2023-23872 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.9 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in German Mesky GMAce allows Path Traversal.This issue affects GMAce: from n/a through 1.5.2. | ||||
| CVE-2024-34060 | 1 Dfir-iris | 1 Iris | 2026-04-15 | 8.8 High |
| IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0. | ||||
| CVE-2024-9935 | 1 Redefiningtheweb | 1 Pdf Generator Addon For Elementor Page Builder | 2026-04-15 | 7.5 High |
| The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue. | ||||
| CVE-2025-4868 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2024-10803 | 1 Fwdesign | 1 Mp3 Sticky Player | 2026-04-15 | 7.5 High |
| The MP3 Sticky Player plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Please note the vendor released the patched version as the same version as the affected version. | ||||
| CVE-2024-27575 | 1 Inotec | 1 Gmbh Webserver | 2026-04-15 | 7.5 High |
| INOTEC Sicherheitstechnik WebServer CPS220/64 3.3.19 allows a remote attacker to read arbitrary files via absolute path traversal, such as with the /cgi-bin/display?file=/etc/passwd URI. | ||||
| CVE-2025-6109 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability was found in javahongxi whatsmars 2021.4.0. It has been rated as problematic. Affected by this issue is the function initialize of the file /whatsmars-archetypes/whatsmars-initializr/src/main/java/org/hongxi/whatsmars/initializr/controller/InitializrController.java. The manipulation of the argument artifactId leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4078 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability, which was classified as problematic, has been found in Wangshen SecGate 3600 2400. This issue affects some unknown processing of the file ?g=log_export_file. The manipulation of the argument file_name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2010-10012 | 2026-04-15 | N/A | ||
| A path traversal vulnerability exists in httpdasm version 0.92, a lightweight Windows HTTP server, that allows unauthenticated attackers to read arbitrary files on the host system. By sending a specially crafted GET request containing a sequence of URL-encoded backslashes and directory traversal patterns, an attacker can escape the web root and access sensitive files outside of the intended directory. | ||||
| CVE-2025-41229 | 1 Vmware | 1 Cloud Foundation | 2026-04-15 | 8.2 High |
| VMware Cloud Foundation contains a directory traversal vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to access certain internal services. | ||||
| CVE-2024-28880 | 2026-04-15 | 6.5 Medium | ||
| Path traversal vulnerability in MosP kintai kanri V4.6.6 and earlier allows a remote attacker who can log in to the product to obtain sensitive information of the product. | ||||
| CVE-2025-10307 | 2 Softaculous, Wordpress | 2 Backuply, Wordpress | 2026-04-15 | 6.5 Medium |
| The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-8917 | 1 Allegroai | 1 Clearml | 2026-04-15 | N/A |
| A vulnerability in allegroai/clearml version v2.0.1 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten. | ||||
| CVE-2024-54452 | 2026-04-15 | 4.9 Medium | ||
| An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35 and 7.10.x through 7.10.0.18. A Directory Traversal and Local File Inclusion vulnerability in the logsSys.do page allows remote attackers (authenticated as administrators) to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, e.g., configuration files with information such as the database password. | ||||