Skip to main content

CWE-552

Files or Directories Accessible to External Parties

314 CVEs Avg CVSS 6.9 MITRE
27
CRITICAL
146
HIGH
135
MEDIUM
5
LOW
102
POC
2
KEV

Monthly

CVE-2026-54457 PyPI HIGH PATCH GHSA This Week

Arbitrary file read and server-side request forgery in TensorZero Gateway (pip package tensorzero, versions < 2026.6.0) let callers of the /internal/object_storage endpoint override the gateway's [object_storage] configuration via a caller-supplied storage_path JSON parameter. Using the filesystem storage type an attacker reads arbitrary files (including credential files) from the gateway host, while the s3_compatible type coerces the gateway into outbound requests to attacker-chosen internal or cloud-metadata endpoints. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitability hinges on whether the deployment has authentication enabled.

Path Traversal Information Disclosure
NVD GitHub
CVSS 3.1
7.7
CVE-2026-59703 HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-13533 MEDIUM POC This Month

Unauthenticated remote file and directory exposure in agentejo Cockpit CMS 0.12.2 and earlier allows attackers to access files outside the web root via path traversal through the htaccess Handler's YAML configuration loader. The root cause is CWE-552 (Files or Directories Accessible to External Parties), triggered by unsafe processing of /config/config.yaml via the Spyc::YAMLLoad function, which can expose sensitive configuration data including credentials or internal path structures. A public exploit proof-of-concept exists on GitHub; no vendor patch has been issued, as the vendor did not respond to coordinated disclosure.

Path Traversal Information Disclosure Cockpit Cms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-66389 HIGH This Week

GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.

N A Information Disclosure Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-40624 CRITICAL CISA Emergency

Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Path Traversal Information Disclosure RCE Ptc500S Ptc115 +1
NVD GitHub
CVSS 4.0
9.3
EPSS
0.6%
CVE-2025-14771 HIGH CISA This Week

Unauthorized file or directory access in ABB T-MAC Plus version 4.0-24 allows authenticated remote attackers to read, modify, or otherwise interact with resources that should not be externally reachable, with CVSS 4.0 scoring 7.3 due to high confidentiality and availability impact plus scope change to subsequent systems. The flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and was disclosed by ABB itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Abb Path Traversal
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-45543 MEDIUM PATCH This Month

Broken share revocation in Nextcloud Forms versions 4.3.0 through 5.2.7 leaves former collaborators with persistent read access to uploaded respondent files after removal. The vulnerability stems from a two-layer share architecture where removing a collaborator deleted the Forms-layer share record but silently preserved the underlying Nextcloud Files-layer share on the uploaded files folder - meaning removed users retained filesystem-level access to sensitive form submission files. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the low-complexity network vector (CVSS AV:N/AC:L/PR:N/UI:N) means a removed collaborator can exploit this passively without any additional action.

Information Disclosure Path Traversal Nextcloud
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40425 MEDIUM PATCH CISA This Month

Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Path Traversal Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2024-11399 MEDIUM PATCH This Month

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.

Synology Path Traversal Redis Information Disclosure
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-40564 MEDIUM PATCH This Month

Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.

Apache Information Disclosure Kubernetes SSRF Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVSS 7.7
HIGH PATCH This Week

Arbitrary file read and server-side request forgery in TensorZero Gateway (pip package tensorzero, versions < 2026.6.0) let callers of the /internal/object_storage endpoint override the gateway's [object_storage] configuration via a caller-supplied storage_path JSON parameter. Using the filesystem storage type an attacker reads arbitrary files (including credential files) from the gateway host, while the s3_compatible type coerces the gateway into outbound requests to attacker-chosen internal or cloud-metadata endpoints. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitability hinges on whether the deployment has authentication enabled.

Path Traversal Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote file and directory exposure in agentejo Cockpit CMS 0.12.2 and earlier allows attackers to access files outside the web root via path traversal through the htaccess Handler's YAML configuration loader. The root cause is CWE-552 (Files or Directories Accessible to External Parties), triggered by unsafe processing of /config/config.yaml via the Spyc::YAMLLoad function, which can expose sensitive configuration data including credentials or internal path structures. A public exploit proof-of-concept exists on GitHub; no vendor patch has been issued, as the vendor did not respond to coordinated disclosure.

Path Traversal Information Disclosure Cockpit Cms
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.

N A Information Disclosure Path Traversal
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Emergency

Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Path Traversal Information Disclosure RCE +3
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Unauthorized file or directory access in ABB T-MAC Plus version 4.0-24 allows authenticated remote attackers to read, modify, or otherwise interact with resources that should not be externally reachable, with CVSS 4.0 scoring 7.3 due to high confidentiality and availability impact plus scope change to subsequent systems. The flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and was disclosed by ABB itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Abb Path Traversal
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken share revocation in Nextcloud Forms versions 4.3.0 through 5.2.7 leaves former collaborators with persistent read access to uploaded respondent files after removal. The vulnerability stems from a two-layer share architecture where removing a collaborator deleted the Forms-layer share record but silently preserved the underlying Nextcloud Files-layer share on the uploaded files folder - meaning removed users retained filesystem-level access to sensitive form submission files. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the low-complexity network vector (CVSS AV:N/AC:L/PR:N/UI:N) means a removed collaborator can exploit this passively without any additional action.

Information Disclosure Path Traversal Nextcloud
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Path Traversal Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.

Synology Path Traversal Redis +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.

Apache Information Disclosure Kubernetes +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy