Total: 8942 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59381 | 2 Qnap, Qnap Systems Inc. | 4 Qts, Quts Hero, Qts and 1 more | 2026-01-06 | 4.9 Medium |
| A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later. | ||||
| CVE-2024-32465 | 5 Debian, Fedoraproject, Git and 2 more | 6 Debian Linux, Fedora, Git and 3 more | 2026-01-05 | 7.4 High |
| Git is a revision control system. The Git project recommends against working in untrusted repositories, and recommends instead cloning them first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: for example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. | ||||
| CVE-2025-15245 | 2 D-link, Dlink | 3 Dcs-850l, Dcs-850l, Dcs-850l Firmware | 2026-01-05 | 3.5 Low |
| A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-68916 | 1 Riello-ups | 1 Netman 208 | 2026-01-05 | 9.1 Critical |
| Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution. | ||||
| CVE-2024-25183 | 2 Givanz, Vvveb | 2 Vvvebjs, Vvvebjs | 2026-01-05 | 7.5 High |
| givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php. | ||||
| CVE-2025-14420 | 1 Pdfforge | 1 Pdf Architect | 2026-01-02 | N/A |
| pdfforge PDF Architect CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27514. | ||||
| CVE-2025-65815 | 2 Ab Technology, Uniteddevelopers | 2 Document Reader, Document Reader\ | 2026-01-02 | 6.5 Medium |
| A lack of security checks in the file import process of AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 allows attackers to execute a directory traversal. | ||||
| CVE-2023-47467 | 1 Jeecg | 1 Jeecg Boot | 2026-01-02 | 6.5 Medium |
| Directory Traversal vulnerability in jeecg-boot v.3.6.0 allows a remote privileged attacker to obtain sensitive information via the file directory structure. | ||||
| CVE-2025-67442 | 1 Eve-ng | 1 Eve-ng | 2026-01-02 | 7.6 High |
| EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users. | ||||
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | 7.7 High |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | ||||
| CVE-2024-42718 | 1 Croogo | 1 Croogo | 2025-12-31 | 6.5 Medium |
| A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter. | ||||
| CVE-2025-15225 | 1 Sun.net | 1 Wmpro | 2025-12-31 | 7.5 High |
| WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files. | ||||
| CVE-2025-15227 | 1 Welltend | 1 Bpmflowwebkit | 2025-12-31 | 7.5 High |
| BPMFlowWebkit developed by WELLTEND TECHNOLOGY has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | ||||
| CVE-2025-14850 | 1 Advantech | 2 Webaccess/scada, Webaccess\/scada | 2025-12-31 | 8.1 High |
| Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files. | ||||
| CVE-2022-1000 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 9.8 Critical |
| Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. | ||||
| CVE-2020-12102 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 7.7 High |
| In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. This allows authenticated users to enumerate directories and files on the filesystem (outside of the application scope). | ||||
| CVE-2020-12103 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 7.7 High |
| In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored. | ||||
| CVE-2021-45010 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High |
| A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution. | ||||
| CVE-2021-40964 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 6.5 Medium |
| A Path Traversal vulnerability exists in TinyFileManager all versions up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer. | ||||
| CVE-2025-15138 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 4.7 Medium |
| A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||