Total
8943 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24125 | 2 Ssw, Tina | 2 Tinacms\/graphql, Tinacms | 2026-03-20 | 6.3 Medium |
| Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2. | ||||
| CVE-2026-28792 | 2 Ssw, Tina | 2 Tinacms\/cli, Tinacms | 2026-03-20 | 9.7 Critical |
| Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8. | ||||
| CVE-2026-28793 | 2 Ssw, Tina | 2 Tinacms\/cli, Tinacms | 2026-03-20 | 8.4 High |
| Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8. | ||||
| CVE-2026-28791 | 2 Ssw, Tina | 2 Tinacms\/cli, Tinacms | 2026-03-20 | 7.4 High |
| Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7. | ||||
| CVE-2026-32116 | 2 Magic-wormhole, Magic-wormhole Project | 2 Magic-wormhole, Magic Wormhole | 2026-03-20 | 8.1 High |
| Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0. | ||||
| CVE-2026-32140 | 1 Dataease | 1 Dataease | 2026-03-20 | 8.8 High |
| Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code execution. The Redshift JDBC driver execution flow reaches a method named getJdbcIniFile. The getJdbcIniFile method implements an aggressive automatic configuration file discovery mechanism. If not explicitly restricted, it searches for a file named rsjdbc.ini. In a JDBC URL context, users can explicitly specify the configuration file via URL parameters, which allows arbitrary files on the server to be loaded as JDBC configuration files. Within the Redshift JDBC driver properties, the parameter IniFile is explicitly supported and used to load an external configuration file. This vulnerability is fixed in 2.10.20. | ||||
| CVE-2026-30234 | 2 Openproject, Opf | 2 Openproject, Openproject | 2026-03-20 | 6.5 Medium |
| OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the <Snapshot> value in markup.bcf is manipulated to contain an absolute or traversal local path (for example: /etc/passwd or ../../../../etc/passwd). During import, this untrusted <Snapshot> value is used as file.path during attachment processing. As a result, local filesystem content can be read outside the intended ZIP scope. This results in an Arbitrary File Read (AFR) within the read permissions of the OpenProject application user. This vulnerability is fixed in 17.2.0. | ||||
| CVE-2026-21360 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-03-20 | 6.8 Medium |
| Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restricted path. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-32061 | 1 Openclaw | 1 Openclaw | 2026-03-20 | 4.4 Medium |
| OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials. | ||||
| CVE-2026-22557 | 1 Ubiquiti | 1 Unifi Network Application | 2026-03-20 | 10 Critical |
| A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account. | ||||
| CVE-2026-3312 | 1 Pagure | 1 Pagure | 2026-03-18 | 7.7 High |
| A flaw was found in Pagure's rendering engine for reStructuredText (RST) files. An authenticated user can exploit an unrestricted `.. include::` directive within RST files to read arbitrary internal files from the server hosting Pagure. This information disclosure vulnerability allows unauthorized access to sensitive data on the server. | ||||
| CVE-2024-9675 | 2 Buildah Project, Redhat | 21 Buildah, Enterprise Linux, Enterprise Linux Eus and 18 more | 2026-03-18 | 7.8 High |
| A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah. | ||||
| CVE-2024-1132 | 1 Redhat | 23 Amq Broker, Build Keycloak, Build Of Keycloak and 20 more | 2026-03-17 | 8.1 High |
| A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL. | ||||
| CVE-2025-67506 | 2 Pipeshub, Pipeshub-ai | 2 Pipeshub, Pipeshub-ai | 2026-03-17 | 9.8 Critical |
| PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has permission, enabling remote file overwrite or planting malicious code. This issue is fixed in version 0.1.0-beta. | ||||
| CVE-2025-61634 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-03-17 | 3.1 Low |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | ||||
| CVE-2018-25178 | 2 Rul10, Sourceforge | 2 Easyndexer, Easyndexer | 2026-03-16 | 7.5 High |
| Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. Attackers can send POST requests to showtif.php with arbitrary file paths in the file parameter to retrieve system files like configuration and initialization files. | ||||
| CVE-2025-69619 | 1 Zipperapp | 2 My Teditor, My Text Editor | 2026-03-13 | 5.5 Medium |
| A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | ||||
| CVE-2025-69618 | 2 Coto, Coto.world | 2 Tarot, Astro & Healing, Coto | 2026-03-13 | 8.1 High |
| An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | ||||
| CVE-2025-66292 | 2 Donknap, Dpanel | 2 Dpanel, Dpanel | 2026-03-12 | 8.1 High |
| DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. | ||||
| CVE-2025-41758 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 8.8 High |
| A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise. | ||||