Total
393 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-29778 | 2 Pyload, Pyload-ng Project | 2 Pyload, Pyload-ng | 2026-04-17 | 7.1 High |
| pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97. | ||||
| CVE-2026-1762 | 1 Ge Vernova | 1 Enervista | 2026-04-16 | 2.9 Low |
| A vulnerability in GE Vernova Enervista UR Setup on Windows allows File Manipulation.This issue affects Enervista: 8.6 and prior versions. | ||||
| CVE-2026-21620 | 1 Erlang | 3 Erlang/otp, Erlang\/otp, Otp | 2026-04-16 | 4.2 Medium |
| Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0. | ||||
| CVE-2025-12097 | 1 Ni | 1 Labview | 2026-04-15 | 7.5 High |
| There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in the NI System Web Server 2012 and prior versions. It was fixed in 2013. | ||||
| CVE-2025-32137 | 2026-04-15 | N/A | ||
| Relative Path Traversal vulnerability in Cristián Lávaque s2Member s2member allows Path Traversal.This issue affects s2Member: from n/a through <= 250419. | ||||
| CVE-2025-9639 | 2026-04-15 | 7.5 High | ||
| The QbiCRMGateway developed by Ai3 has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | ||||
| CVE-2025-23410 | 2026-04-15 | 9.8 Critical | ||
| When uploading organism or sequence data via the web interface, GMOD Apollo will unzip and inspect the files and will not check for path traversal in supported archive types. | ||||
| CVE-2024-49253 | 1 James Park | 1 Analyse Uploads | 2026-04-15 | N/A |
| Relative Path Traversal vulnerability in JamesPark.ninja Analyse Uploads analyse-uploads allows Relative Path Traversal.This issue affects Analyse Uploads: from n/a through <= 0.5. | ||||
| CVE-2025-62878 | 2026-04-15 | 9.9 Critical | ||
| A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. | ||||
| CVE-2025-1584 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in opensolon Solon up to 3.0.8. This vulnerability affects unknown code of the file solon-projects/solon-web/solon-web-staticfiles/src/main/java/org/noear/solon/web/staticfiles/StaticMappings.java. The manipulation leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.9 is able to address this issue. The name of the patch is f46e47fd1f8455b9467d7ead3cdb0509115b2ef1. It is recommended to upgrade the affected component. | ||||
| CVE-2024-22398 | 1 Sonicwall | 1 Email Security | 2026-04-15 | 4.9 Medium |
| An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system. | ||||
| CVE-2024-12897 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability was found in Intelbras VIP S3020 G2, VIP S4020 G2, VIP S4020 G3 and VIP S4320 G2 up to 20241222. It has been classified as critical. This affects an unknown part of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-8464 | 2026-04-15 | 5.3 Medium | ||
| The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder. | ||||
| CVE-2025-24343 | 2026-04-15 | 5.4 Medium | ||
| A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request. | ||||
| CVE-2025-49466 | 2026-04-15 | 5.8 Medium | ||
| aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part, | ||||
| CVE-2025-59835 | 1 Langbot | 1 Langbot | 2026-04-15 | N/A |
| LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5. | ||||
| CVE-2025-66386 | 1 Misp | 1 Misp | 2026-04-15 | 4.1 Medium |
| app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. | ||||
| CVE-2021-4459 | 1 Sma | 8 Sunny Boy, Sunny Boy 1.5, Sunny Boy 2.5 and 5 more | 2026-04-15 | 6.5 Medium |
| An authorized remote attacker can access files and directories outside the intended web root, potentially exposing sensitive system information of the affected Sunny Boy devices. | ||||
| CVE-2024-2461 | 2026-04-15 | N/A | ||
| If exploited an attacker could traverse the file system to access files or directories that would otherwise be inaccessible | ||||
| CVE-2024-3122 | 2026-04-15 | 4.9 Medium | ||
| CHANGING Mobile One Time Password does not properly filter parameters for the file download functionality, allowing remote attackers with administrator privilege to read arbitrary file on the system. | ||||