Total
8942 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-58693 | 1 Fortinet | 1 Fortivoice | 2026-01-14 | 5.7 Medium |
| An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests. | ||||
| CVE-2025-61557 | 1 Symphorien | 1 Nixseparatedebuginfod | 2026-01-14 | 7.5 High |
| nixseparatedebuginfod before v0.4.1 is vulnerable to Directory Traversal. | ||||
| CVE-2018-0296 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2026-01-14 | 7.5 High |
| A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029. | ||||
| CVE-2020-4430 | 1 Ibm | 1 Data Risk Manager | 2026-01-14 | 4.3 Medium |
| IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535. | ||||
| CVE-2025-69226 | 3 Aio-libs, Aio-libs Project, Aiohttp | 4 Aiohttp Session, Aiohttp, Aio-libs and 1 more | 2026-01-14 | 5.3 Medium |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3. | ||||
| CVE-2023-35081 | 1 Ivanti | 1 Endpoint Manager Mobile | 2026-01-14 | 7.2 High |
| A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance. | ||||
| CVE-2025-69267 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | ||||
| CVE-2025-66051 | 1 Vivotek | 2 Ip7137, Ip7137 Firmware | 2026-01-14 | 6.5 Medium |
| Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration panel is not set by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | ||||
| CVE-2023-47541 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 6.5 Medium |
| An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4 all versions, FortiSandbox 2.3 all versions, FortiSandbox 2.2 all versions, FortiSandbox 2.1 all versions, FortiSandbox 2.0 all versions allows attacker to execute unauthorized code or commands via CLI. | ||||
| CVE-2024-48885 | 1 Fortinet | 3 Fortirecorder, Fortivoice, Fortiweb | 2026-01-14 | 5.2 Medium |
| A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0 all versions, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows attacker to escalate privilege via specially crafted packets. | ||||
| CVE-2024-31487 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 5.8 Medium |
| A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4 all versions allows attacker to information disclosure via crafted http requests. | ||||
| CVE-2024-23671 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 7.9 High |
| A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests. | ||||
| CVE-2023-41682 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | 7.9 High |
| A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4 all versions allows attacker to denial of service via crafted http requests. | ||||
| CVE-2024-48884 | 1 Fortinet | 8 Fortimanager, Fortimanager Cloud, Fortimanagercloud and 5 more | 2026-01-14 | 7.1 High |
| A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files or a remote unauthenticated attacker to delete an arbitrary folder | ||||
| CVE-2025-53951 | 2 Fortinet, Microsoft | 3 Fortidlp, Fortidlp Agent, Windows | 2026-01-14 | 4.9 Medium |
| An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1 through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated attacker to escalate their privilege to LocalService via sending a crafted request to a local listening port. | ||||
| CVE-2025-54658 | 2 Apple, Fortinet | 3 Macos, Fortidlp, Fortidlp Agent | 2026-01-14 | 7.2 High |
| An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for MacOS 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1 through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated attacker to escalate their privilege to Root via sending a crafted request to a local listening port. | ||||
| CVE-2020-14864 | 1 Oracle | 1 Business Intelligence | 2026-01-12 | 7.5 High |
| Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | ||||
| CVE-2025-11941 | 1 E107 | 2 E107, E107 Cms | 2026-01-12 | 5.4 Medium |
| A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63680 | 2 Microsoft, Nero | 2 Windows, Backitup | 2026-01-12 | 8.6 High |
| Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor. | ||||
| CVE-2025-68953 | 1 Frappe | 1 Frappe | 2026-01-09 | 7.5 High |
| Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended. | ||||