Total
342 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2318 | 1 Zkteco | 1 Zkbio Media | 2025-06-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.3 Build 2025-05-26-1605 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-3365 | 2025-06-06 | N/A | 9.8 CRITICAL | ||
| A missing protection against path traversal allows to access any file on the server. | |||||
| CVE-2025-49466 | 2025-06-05 | N/A | 5.8 MEDIUM | ||
| aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part, | |||||
| CVE-2023-34990 | 1 Fortinet | 1 Fortiwlm | 2025-06-05 | N/A | 9.8 CRITICAL |
| A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests. | |||||
| CVE-2023-35816 | 1 Devexpress | 1 Devexpress | 2025-06-05 | N/A | 3.5 LOW |
| DevExpress before 23.1.3 allows arbitrary TypeConverter conversion. | |||||
| CVE-2024-27199 | 1 Jetbrains | 1 Teamcity | 2025-05-30 | N/A | 7.3 HIGH |
| In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible | |||||
| CVE-2018-5448 | 1 Medtronic | 2 2090 Carelink Programmer, 2090 Carelink Programmer Firmware | 2025-05-22 | 2.7 LOW | 4.8 MEDIUM |
| Medtronic 2090 CareLink Programmer’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system. | |||||
| CVE-2025-47788 | 2025-05-19 | N/A | N/A | ||
| Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue. | |||||
| CVE-2025-46433 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | N/A | 4.9 MEDIUM |
| In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible | |||||
| CVE-2024-24940 | 1 Jetbrains | 1 Intellij Idea | 2025-05-15 | N/A | 2.8 LOW |
| In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives | |||||
| CVE-2024-20352 | 1 Cisco | 1 Emergency Responder | 2025-05-07 | N/A | 4.9 MEDIUM |
| A vulnerability in Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by sending crafted requests to the web UI. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as accessing password or log files or uploading and deleting existing files from the system. | |||||
| CVE-2025-29789 | 1 Open-emr | 1 Openemr | 2025-05-06 | N/A | 7.5 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are vulnerable to Directory Traversal in the Load Code feature. Version 7.3.0 contains a patch for the issue. | |||||
| CVE-2025-24343 | 2025-05-02 | N/A | 5.4 MEDIUM | ||
| A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request. | |||||
| CVE-2025-24350 | 2025-05-02 | N/A | 7.1 HIGH | ||
| A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request. | |||||
| CVE-2022-42892 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-30 | N/A | 5.3 MEDIUM |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow directory listing in any folder accessible to the account assigned to the website’s application pool. | |||||
| CVE-2022-4123 | 2 Fedoraproject, Podman Project | 2 Fedora, Podman | 2025-04-22 | N/A | 3.3 LOW |
| A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality. | |||||
| CVE-2017-13996 | 1 Loytec | 2 Lvis-3me, Lvis-3me Firmware | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The web user interface fails to prevent access to critical files that non administrative users should not have access to, which could allow an attacker to create or modify files or execute arbitrary code. | |||||
| CVE-2021-22650 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2025-04-17 | N/A | 7.5 HIGH |
| An attacker may use TWinSoft and a malicious source project file (TPG) to extract files on machine executing Ovarro TWinSoft, which could lead to code execution. | |||||
| CVE-2025-27791 | 2025-04-16 | N/A | N/A | ||
| Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25. | |||||
| CVE-2025-27410 | 1 Pwndoc Project | 1 Pwndoc | 2025-04-16 | N/A | 6.5 MEDIUM |
| PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue. | |||||