Total: 485 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3493 | 1 Canonical | 1 Ubuntu Linux | 2025-10-28 | 8.8 High |
| The overlayfs implementation in the Linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. | ||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2025-10-27 | 9.1 Critical |
| A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. | ||||
| CVE-2017-16651 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-10-22 | 7.8 High |
| Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. | ||||
| CVE-2016-3715 | 6 Canonical, Imagemagick, Opensuse and 3 more | 31 Ubuntu Linux, Imagemagick, Leap and 28 more | 2025-10-22 | 5.5 Medium |
| The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. | ||||
| CVE-2025-31996 | 1 Hcltech | 1 Unica | 2025-10-21 | 5.3 Medium |
| HCL Unica Platform is affected by unprotected files due to improper access controls. These files may contain sensitive information such as private or system information that can be exploited by attackers to compromise the application, infrastructure, or users. | ||||
| CVE-2024-47518 | 1 Arista | 1 Ng Firewall | 2025-09-29 | 6.4 Medium |
| Specially constructed queries targeting ETM could discover active remote access sessions. | ||||
| CVE-2025-51818 | 1 Chshcms | 1 Mccms | 2025-09-24 | 5.4 Medium |
| MCCMS 2.7.0 is vulnerable to arbitrary file deletion in the Backups.php component. This allows an attacker to execute arbitrary commands. | ||||
| CVE-2025-25266 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2025-09-23 | 6.8 Medium |
| A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict access to the file deletion functionality. This could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files. | ||||
| CVE-2025-25267 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2025-09-23 | 6.2 Medium |
| A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict the scope of files accessible to the simulation model. This could allow an unauthorized attacker to compromise the confidentiality of the system. | ||||
| CVE-2024-49359 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2025-09-22 | 7.5 High |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as `/etc`, potentially exposing critical configuration files and increasing the risk of further attacks. As of time of publication, no known patched versions are available. | ||||
| CVE-2024-48864 | 1 Qnap | 1 File Station | 2025-09-19 | 9.1 Critical |
| A files or directories accessible to external parties vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers to read/write files or directories. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4741 and later. | ||||
| CVE-2025-58753 | 1 9001 | 1 Copyparty | 2025-09-18 | 7.5 High |
| Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares feature (the `shr` global-option). When a share was created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys. Version 1.19.8 fixes the issue. | ||||
| CVE-2024-54099 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | 6.7 Medium |
| File replacement vulnerability on some devices. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | ||||
| CVE-2025-53536 | 1 Roocode | 1 Roo Code | 2025-09-15 | 8.1 High |
| Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6. | ||||
| CVE-2023-3712 | 1 Honeywell | 2 Pm43, Pm43 Firmware | 2025-09-12 | 6.6 Medium |
| Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006). | ||||
| CVE-2024-6421 | 1 Pepperl-fuchs | 8 Oit1500-f113-b12-cb, Oit1500-f113-b12-cb Firmware, Oit200-f113-b12-cb and 5 more | 2025-08-22 | 7.5 High |
| An unauthenticated remote attacker can read out sensitive device information through an incorrectly configured FTP service. | ||||
| CVE-2024-56731 | 1 Gogs | 1 Gogs | 2025-08-21 | 10 Critical |
| Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3. | ||||
| CVE-2025-44779 | 1 Ollama | 1 Ollama | 2025-08-14 | 6.6 Medium |
| An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. | ||||
| CVE-2023-39479 | 1 Softing | 1 Secure Integration Server | 2025-08-12 | 8.8 High |
| Softing Secure Integration Server OPC UA Gateway Directory Creation Vulnerability. This vulnerability allows remote attackers to create directories on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of FileDirectory OPC UA Objects. The issue results from allowing unauthorized access to the filesystem. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20548. | ||||
| CVE-2023-39480 | 1 Softing | 1 Secure Integration Server | 2025-08-12 | 6.5 Medium |
| Softing Secure Integration Server FileDirectory OPC UA Object Arbitrary File Creation Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of FileDirectory OPC UA Objects. The issue results from allowing unauthorized access to the filesystem. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20549. | ||||