Monthly
AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.
The JetFormBuilder plugin for WordPress contains a critical path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. All versions up to and including 3.5.6.2 are affected. Attackers can exploit this to exfiltrate sensitive local files as email attachments by submitting crafted form requests with malicious Media Field payloads, with a CVSS score of 7.5 indicating high confidentiality impact.
Unsafe path handling in NLTK's filestring() function enables attackers to read arbitrary files on affected iOS and AI/ML systems through improper input validation. An unauthenticated attacker can exploit this over the network by supplying directory traversal or absolute paths to access sensitive data, with particular risk in deployments exposing the function through web APIs. No patch is currently available for this high-severity vulnerability (CVSS 8.6).
Navtor NavBox exposes an unauthenticated path traversal vulnerability in its HTTP service that allows remote attackers to read arbitrary files from the server by submitting requests with absolute filesystem paths. Successful exploitation enables unauthorized disclosure of sensitive configuration files and system information, limited only by the service process privileges. No patch is currently available.
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).
Alfresco Transform Service contains a vulnerability that allows attackers to achieve both arbitrary file read and server-side request forgery through the abs (CVSS 8.2).
MeetingHub Paperless Meetings contains an arbitrary file read vulnerability that enables unauthenticated remote attackers to download sensitive system files through path traversal exploitation. The vulnerability affects all installations without authentication requirements, allowing attackers to access confidential data with high confidentiality impact. No patch is currently available for this issue.
Gotac's Police Statistics Database System contains a path traversal vulnerability that enables unauthenticated remote attackers to enumerate system directories and access sensitive files. The flaw affects industrial and law enforcement deployments with network accessibility, potentially exposing confidential database contents and system architecture details. No patch is currently available for this medium-severity vulnerability.
Gotac's Police Statistics Database System is vulnerable to unauthenticated arbitrary file read attacks via absolute path traversal, enabling remote attackers to download sensitive system files without authentication. The vulnerability carries high severity (CVSS 7.5) with broad network accessibility and no user interaction required. No patch is currently available, leaving affected deployments at risk until remediation is released.
Windows Shell path traversal vulnerability affecting Windows 10 21H2, Windows Server 2016, 2019, and 2022 allows an attacker with physical access to spoof system resources without requiring user interaction. The vulnerability has no patch available and poses a confidentiality risk through unauthorized information disclosure.
AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.
The JetFormBuilder plugin for WordPress contains a critical path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. All versions up to and including 3.5.6.2 are affected. Attackers can exploit this to exfiltrate sensitive local files as email attachments by submitting crafted form requests with malicious Media Field payloads, with a CVSS score of 7.5 indicating high confidentiality impact.
Unsafe path handling in NLTK's filestring() function enables attackers to read arbitrary files on affected iOS and AI/ML systems through improper input validation. An unauthenticated attacker can exploit this over the network by supplying directory traversal or absolute paths to access sensitive data, with particular risk in deployments exposing the function through web APIs. No patch is currently available for this high-severity vulnerability (CVSS 8.6).
Navtor NavBox exposes an unauthenticated path traversal vulnerability in its HTTP service that allows remote attackers to read arbitrary files from the server by submitting requests with absolute filesystem paths. Successful exploitation enables unauthorized disclosure of sensitive configuration files and system information, limited only by the service process privileges. No patch is currently available.
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).
Alfresco Transform Service contains a vulnerability that allows attackers to achieve both arbitrary file read and server-side request forgery through the abs (CVSS 8.2).
MeetingHub Paperless Meetings contains an arbitrary file read vulnerability that enables unauthenticated remote attackers to download sensitive system files through path traversal exploitation. The vulnerability affects all installations without authentication requirements, allowing attackers to access confidential data with high confidentiality impact. No patch is currently available for this issue.
Gotac's Police Statistics Database System contains a path traversal vulnerability that enables unauthenticated remote attackers to enumerate system directories and access sensitive files. The flaw affects industrial and law enforcement deployments with network accessibility, potentially exposing confidential database contents and system architecture details. No patch is currently available for this medium-severity vulnerability.
Gotac's Police Statistics Database System is vulnerable to unauthenticated arbitrary file read attacks via absolute path traversal, enabling remote attackers to download sensitive system files without authentication. The vulnerability carries high severity (CVSS 7.5) with broad network accessibility and no user interaction required. No patch is currently available, leaving affected deployments at risk until remediation is released.
Windows Shell path traversal vulnerability affecting Windows 10 21H2, Windows Server 2016, 2019, and 2022 allows an attacker with physical access to spoof system resources without requiring user interaction. The vulnerability has no patch available and poses a confidentiality risk through unauthorized information disclosure.