Total
8937 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7896 | 1 Harry0703 | 1 Moneyprinterturbo | 2025-11-20 | 6.3 Medium |
| A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this vulnerability is the function download_video/delete_video of the file app/controllers/v1/video.py. The manipulation leads to path traversal. The attack can be launched remotely. | ||||
| CVE-2023-3961 | 3 Fedoraproject, Redhat, Samba | 7 Fedora, Enterprise Linux, Enterprise Linux Eus and 4 more | 2025-11-20 | 9.1 Critical |
| A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes. | ||||
| CVE-2024-0406 | 2 Mholt, Redhat | 4 Archiver, Advanced Cluster Security, Openshift and 1 more | 2025-11-20 | 6.1 Medium |
| A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library. | ||||
| CVE-2025-64757 | 1 Astro | 1 Astro | 2025-11-20 | 3.5 Low |
| Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3. | ||||
| CVE-2023-5189 | 1 Redhat | 7 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 4 more | 2025-11-20 | 6.3 Medium |
| A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten. | ||||
| CVE-2023-5115 | 2 Debian, Redhat | 7 Debian Linux, Ansible Automation Platform, Ansible Automation Platform Developer and 4 more | 2025-11-20 | 6.3 Medium |
| An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path. | ||||
| CVE-2025-54559 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-11-20 | 3.7 Low |
| An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote Path Traversal for loading arbitrary external content. | ||||
| CVE-2025-34173 | 2 Netgate, Pfsense | 3 Pfsense Ce, Pfsense Plus, Pfsense | 2025-11-20 | 4.3 Medium |
| In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists, which allows an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: Snort package" permissions. | ||||
| CVE-2025-34176 | 2 Netgate, Pfsense | 3 Pfsense Ce, Pfsense Plus, Pfsense | 2025-11-20 | 4.3 Medium |
| In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. This value is directly used in a file existence check operation. While the contents of the file cannot be read, the server reveals whether the file exists, which enables an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions. | ||||
| CVE-2024-2434 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 8.5 High |
| An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. | ||||
| CVE-2023-3385 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 6.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html). | ||||
| CVE-2025-36236 | 1 Ibm | 2 Aix, Vios | 2025-11-19 | 8.2 High |
| IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request to write arbitrary files on the system. | ||||
| CVE-2025-62630 | 1 Advantech | 2 Deviceon/iedge, Deviceon\/iedge | 2025-11-19 | 8.8 High |
| Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. | ||||
| CVE-2025-59171 | 1 Advantech | 2 Deviceon/iedge, Deviceon\/iedge | 2025-11-19 | 7.5 High |
| Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. | ||||
| CVE-2025-11990 | 1 Gitlab | 1 Gitlab | 2025-11-19 | 3.1 Low |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. | ||||
| CVE-2025-29592 | 1 Aaluoxiang | 1 Oa System | 2025-11-19 | 5.6 Medium |
| oasys v1.1 is vulnerable to Directory Traversal in ProcedureController. | ||||
| CVE-2025-20374 | 1 Cisco | 1 Unified Contact Center Express | 2025-11-17 | 4.9 Medium |
| A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. This vulnerability is due to an insufficient input validation associated to specific UI features. An attacker could exploit this vulnerability by sending a crafted request to the web UI. A successful exploit could allow the attacker to gain read access to arbitrary files on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. | ||||
| CVE-2025-9801 | 2 Sim, Simstudioai | 2 Sim, Sim | 2025-11-14 | 5.4 Medium |
| A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 45372aece5e05e04b417442417416a52e90ba174. To fix this issue, it is recommended to deploy a patch. | ||||
| CVE-2025-57712 | 1 Qnap | 1 Qsync Central | 2025-11-14 | 6.5 Medium |
| A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.3 ( 2025/08/28 ) and later | ||||
| CVE-2025-11366 | 1 N-able | 1 N-central | 2025-11-14 | 9.8 Critical |
| N-central < 2025.4 is vulnerable to authentication bypass via path traversal | ||||