Path Traversal
Monthly
MiniGal Nano 0.3.5 and earlier are vulnerable to a path traversal attack in the dir parameter that bypasses insufficient dot-dot sequence filtering, allowing unauthenticated remote attackers to access and enumerate image files from arbitrary filesystem locations readable by the web server. This results in confidential information disclosure from unintended directories. No patch is currently available.
Authentication bypass via path traversal in ZBT WE2001 router's check_token function. EPSS 0.69% — crafted requests bypass authentication entirely. CVSS 10.0.
File Station 6 contains a path traversal vulnerability that allows authenticated attackers to read arbitrary files and system data on affected systems. An attacker with valid user credentials can exploit this flaw to access sensitive information beyond intended restrictions. No patch is currently available for File Station 6, though File Station 5.5.6.5190 and later versions have been remediated.
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.4 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.4 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.9 MEDIUM]
Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.
Unauthenticated path traversal in JUNG Smart Panel KNX firmware L1.12.22 and earlier allows remote attackers to read arbitrary files from the device's filesystem through the web interface. An attacker can leverage insufficient input validation to access sensitive system configuration and other confidential data without requiring authentication. No patch is currently available for this vulnerability.
TP-Link Tapo C260 v1 firmware contains a path traversal vulnerability in HTTPS GET request handling that allows local network attackers to probe filesystem paths and determine file existence without authentication. While the vulnerability does not permit file read, write, or code execution, it enables information disclosure about the device's filesystem structure to unauthenticated local users. No patch is currently available.
An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitted to. [CVSS 4.6 MEDIUM]
Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. [CVSS 5.5 MEDIUM]
Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. [CVSS 5.5 MEDIUM]
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. [CVSS 5.5 MEDIUM]
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.
Insufficient URI validation in CGI endpoints permits unauthenticated attackers to bypass authentication controls through path traversal techniques, enabling direct access to protected administrative functions and configuration files. An attacker can exploit this remotely without credentials to retrieve sensitive data and potentially modify system settings. No patch is currently available for this vulnerability.
Path traversal in rachelos WeRSS plugin versions up to 1.4.8 allows authenticated remote attackers to access arbitrary files through manipulation of the filename parameter in the download_export_file function. Public exploit code exists for this vulnerability. The issue requires valid credentials but has a low complexity attack surface, affecting file confidentiality without requiring user interaction.
Path traversal in JeecgBoot's Retrieval-Augmented Generation Module (versions up to 3.9.0) allows authenticated remote attackers to access arbitrary files through manipulation of the filePath parameter in the /airag/knowledge/doc/edit endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Authenticated operators in Sliver C2 framework versions prior to 1.6.11 can read arbitrary files on the server through a path traversal vulnerability in the website content subsystem, potentially exposing sensitive credentials, configurations, and cryptographic keys. Public exploit code exists for this vulnerability. The issue is resolved in version 1.6.11 and later.
Path traversal in NiceGUI before 3.7.0 allows remote attackers to write arbitrary files outside intended directories by exploiting unsanitized filename metadata in the FileUpload.name property, potentially leading to remote code execution when developers incorporate this value directly into file paths. Public exploit code exists for this vulnerability, affecting applications using common patterns like concatenating user-supplied filenames with upload directories. Developers are only protected if they use fixed paths, generate filenames server-side, or explicitly sanitize user input.
Calibre 9.1.0 and earlier contains a path traversal vulnerability in EPUB conversion that allows malicious EPUB files to corrupt or modify arbitrary files writable by the Calibre process. The vulnerability exploits improper handling of CipherReference URIs in encryption metadata, enabling attackers to write outside the intended extraction directory. Public exploit code exists for this high-severity issue, which is patched in version 9.2.0.
Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.
Pydantic AI versions 1.34.0 through 1.50.x contain a path traversal vulnerability in the web UI that allows unauthenticated attackers to inject arbitrary JavaScript by manipulating the CDN version parameter in a malicious URL. When a victim visits the crafted link, attacker-controlled code executes in their browser, enabling theft of chat history and other sensitive client-side data. No patch is currently available.
Arbitrary file deletion in Gogs 0.13.3 and earlier allows authenticated repository contributors to exploit a path traversal flaw in the wiki page update function, enabling deletion of arbitrary files on the affected server. An attacker with wiki write access can manipulate the old_title parameter to traverse the filesystem and remove critical files. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Gogs versions 0.13.3 and earlier are vulnerable to arbitrary file read and write operations through path traversal in the Git hook editing functionality, affecting self-hosted installations. An authenticated attacker with high privileges can exploit this vulnerability to access or modify files outside the intended directory. Public exploit code exists for this vulnerability, and no patch is currently available.
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Tanium addressed an improper link resolution before file access vulnerability in Enforce. [CVSS 5.0 MEDIUM]
Tanium addressed a documentation issue in Engage. [CVSS 6.6 MEDIUM]
A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. [CVSS 5.0 MEDIUM]
Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'.
Arbitrary file read in ShortPixel Image Optimizer plugin for WordPress through path traversal in the loadLogFile AJAX action allows authenticated users with Editor-level privileges or higher to access sensitive server files including database credentials. The vulnerability exists in versions up to 6.4.2 due to insufficient path validation on the loadFile parameter, and no patch is currently available.
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. [CVSS 3.8 LOW]
Navigatum contains a vulnerability that allows attackers to overwrite files in directories writable by the application user (e (CVSS 7.5).
OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.
Path traversal in Alist prior to version 3.57.0 allows authenticated users to manipulate filename parameters and bypass directory restrictions within the same storage mount. Attackers can exploit this vulnerability to perform unauthorized file operations including deletion, movement, and copying across user boundaries. Public exploit code exists for this vulnerability.
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files from the host system through path traversal in license file path validation, potentially exfiltrating sensitive data embedded in generated SBOMs. This vulnerability affects build pipeline scenarios where configuration is user-controlled, such as pull request-driven CI or build-as-a-service environments. A patch is available in version 0.40.3.
Compressing library versions 1.10.3 and prior, and 2.0.0 fail to validate symbolic link targets during TAR archive extraction, allowing attackers to write files to arbitrary locations on the filesystem. Public exploit code exists for this vulnerability, which could enable overwriting critical system files or establishing persistence. Patched versions 1.10.4 and 2.0.1 are available.
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. A patch is available in version 0.40.3 and later.
Apko versions up to 1.1.1 contains a vulnerability that allows attackers to build and publish OCI container images built from apk packages (CVSS 7.5).
The unstructured Python library for document ingestion has a path traversal vulnerability allowing arbitrary file read/write during document processing.
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. [CVSS 4.9 MEDIUM]
Samsung Members versions prior to 15.5.05.4 contain a path traversal vulnerability that enables local attackers to overwrite arbitrary data within the application. This vulnerability requires local access and valid user credentials but does not provide read access to sensitive information. No patch is currently available to address this issue.
Android ShortcutService path traversal vulnerability prior to the February 2026 SMR Release 1 enables privileged local attackers to create files with system-level privileges. The vulnerability requires high-level authentication and does not affect confidentiality significantly, but could allow attackers to modify system files or degrade availability. No patch is currently available.
A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. [CVSS 5.0 MEDIUM]
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate file path arguments in the backup import function, potentially accessing or modifying arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The attack requires valid credentials but can be executed remotely over the network.
Path traversal in Bolo Solo's importFromMarkdown function allows authenticated attackers to manipulate file paths and access arbitrary files on affected systems. The vulnerability affects Bolo Solo versions up to 2.6.4 and requires valid credentials but no user interaction to exploit. Public exploit code exists for this vulnerability, and no patch is currently available.
School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. [CVSS 7.5 HIGH]
Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. [CVSS 6.2 MEDIUM]
webERP 4.15.1 has an unauthenticated file access vulnerability allowing remote attackers to download sensitive files including configuration and database credentials.
Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. [CVSS 6.5 MEDIUM]
Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate ZIP file extraction operations in the BackupService component, potentially reading or writing arbitrary files on the affected system. Public exploit code is available for this vulnerability, and the vendor has not yet provided a patch despite early notification.
A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user.
The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. [CVSS 6.1 MEDIUM]
An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. [CVSS 6.1 MEDIUM]
The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. [CVSS 6.1 MEDIUM]
Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. [CVSS 4.3 MEDIUM]
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php.
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php.
Signal K Server versions prior to 2.20.3 on Windows contain a path traversal vulnerability in the applicationData API that allows authenticated users to read, write, and list arbitrary files by bypassing directory validation using backslashes. The vulnerability exists because the validateAppId() function only blocks forward slashes, allowing attackers to escape the intended applicationData directory through Windows path semantics. Public exploit code exists for this medium-severity flaw, and a patch is available in version 2.20.3.
OpenList Frontend versions prior to 4.1.10 contain a path traversal vulnerability in file operation handlers that allows authenticated users to bypass directory restrictions and access other users' files on the same storage mount. An attacker can exploit this by injecting ".." sequences into filename parameters to perform unauthorized file operations including deletion, renaming, and copying across user boundaries. Public exploit code exists for this vulnerability, which is resolved in version 4.1.10.
Critical path traversal in Wildfire IM instant messaging server before 1.4.3 allows unauthenticated access to arbitrary files. EPSS 0.25%, patch available.
IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. [CVSS 7.6 HIGH]
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x.
Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device's local file system. [CVSS 6.5 MEDIUM]
Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. [CVSS 6.5 MEDIUM]
Unauthenticated arbitrary file read and delete in SunFounder's Pironman Dashboard (pm_dashboard) 1.3.13 and earlier lets remote attackers abuse a path-traversal flaw in the log-file API to exfiltrate sensitive files and destroy critical system files. The dashboard runs on Raspberry Pi power/cooling hardware, so a successful attack can disclose configuration/secrets and cause data loss or denial of service. Publicly available exploit code exists; no active exploitation is confirmed, and EPSS remains low (0.20%).
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]
HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. [CVSS 7.5 HIGH]
Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.
HIKSEMI NAS devices improperly validate filenames, allowing attackers with physical access to traverse directory structures and read sensitive system files. This vulnerability affects confidentiality but requires local presence and no authentication, making it a risk primarily in physically accessible environments. No patch is currently available for this issue.
Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.
Remote code execution in Crafty Controller's Backup Configuration feature results from insufficient path traversal validation, enabling authenticated attackers to manipulate files and execute arbitrary code on affected systems. The vulnerability requires valid credentials and specific conditions to exploit but carries high impact due to its ability to compromise system integrity and confidentiality. No patch is currently available.
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. [CVSS 5.5 MEDIUM]
Authenticated users in Umbraco Forms versions 16 and 17 can exploit a path traversal vulnerability to read arbitrary files on Mac and Linux systems running the CMS. An attacker with backoffice access can enumerate and access sensitive files through the export endpoint by manipulating the fileName parameter. No patch is currently available, though the vulnerability is mitigated by restricting backoffice access and blocking path traversal sequences at the WAF level.
Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files. [CVSS 4.6 MEDIUM]
Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. [CVSS 6.3 MEDIUM]
Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. [CVSS 7.5 HIGH]
Open Security Issue Management (OSIM) prior to v2025.9.0 contains a path traversal vulnerability in its nginx configuration that improperly concatenates URI and query string parameters, allowing unauthenticated remote attackers to access unauthorized files and directories. The vulnerability affects both OSIM and Nginx deployments using vulnerable configurations, enabling information disclosure through crafted query parameters. A patch is available for affected versions.
MiniGal Nano 0.3.5 and earlier are vulnerable to a path traversal attack in the dir parameter that bypasses insufficient dot-dot sequence filtering, allowing unauthenticated remote attackers to access and enumerate image files from arbitrary filesystem locations readable by the web server. This results in confidential information disclosure from unintended directories. No patch is currently available.
Authentication bypass via path traversal in ZBT WE2001 router's check_token function. EPSS 0.69% — crafted requests bypass authentication entirely. CVSS 10.0.
File Station 6 contains a path traversal vulnerability that allows authenticated attackers to read arbitrary files and system data on affected systems. An attacker with valid user credentials can exploit this flaw to access sensitive information beyond intended restrictions. No patch is currently available for File Station 6, though File Station 5.5.6.5190 and later versions have been remediated.
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.4 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.4 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.9 MEDIUM]
Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.
Unauthenticated path traversal in JUNG Smart Panel KNX firmware L1.12.22 and earlier allows remote attackers to read arbitrary files from the device's filesystem through the web interface. An attacker can leverage insufficient input validation to access sensitive system configuration and other confidential data without requiring authentication. No patch is currently available for this vulnerability.
TP-Link Tapo C260 v1 firmware contains a path traversal vulnerability in HTTPS GET request handling that allows local network attackers to probe filesystem paths and determine file existence without authentication. While the vulnerability does not permit file read, write, or code execution, it enables information disclosure about the device's filesystem structure to unauthenticated local users. No patch is currently available.
An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitted to. [CVSS 4.6 MEDIUM]
Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. [CVSS 5.5 MEDIUM]
Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. [CVSS 5.5 MEDIUM]
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. [CVSS 5.5 MEDIUM]
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.
Insufficient URI validation in CGI endpoints permits unauthenticated attackers to bypass authentication controls through path traversal techniques, enabling direct access to protected administrative functions and configuration files. An attacker can exploit this remotely without credentials to retrieve sensitive data and potentially modify system settings. No patch is currently available for this vulnerability.
Path traversal in rachelos WeRSS plugin versions up to 1.4.8 allows authenticated remote attackers to access arbitrary files through manipulation of the filename parameter in the download_export_file function. Public exploit code exists for this vulnerability. The issue requires valid credentials but has a low complexity attack surface, affecting file confidentiality without requiring user interaction.
Path traversal in JeecgBoot's Retrieval-Augmented Generation Module (versions up to 3.9.0) allows authenticated remote attackers to access arbitrary files through manipulation of the filePath parameter in the /airag/knowledge/doc/edit endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Authenticated operators in Sliver C2 framework versions prior to 1.6.11 can read arbitrary files on the server through a path traversal vulnerability in the website content subsystem, potentially exposing sensitive credentials, configurations, and cryptographic keys. Public exploit code exists for this vulnerability. The issue is resolved in version 1.6.11 and later.
Path traversal in NiceGUI before 3.7.0 allows remote attackers to write arbitrary files outside intended directories by exploiting unsanitized filename metadata in the FileUpload.name property, potentially leading to remote code execution when developers incorporate this value directly into file paths. Public exploit code exists for this vulnerability, affecting applications using common patterns like concatenating user-supplied filenames with upload directories. Developers are only protected if they use fixed paths, generate filenames server-side, or explicitly sanitize user input.
Calibre 9.1.0 and earlier contains a path traversal vulnerability in EPUB conversion that allows malicious EPUB files to corrupt or modify arbitrary files writable by the Calibre process. The vulnerability exploits improper handling of CipherReference URIs in encryption metadata, enabling attackers to write outside the intended extraction directory. Public exploit code exists for this high-severity issue, which is patched in version 9.2.0.
Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.
Pydantic AI versions 1.34.0 through 1.50.x contain a path traversal vulnerability in the web UI that allows unauthenticated attackers to inject arbitrary JavaScript by manipulating the CDN version parameter in a malicious URL. When a victim visits the crafted link, attacker-controlled code executes in their browser, enabling theft of chat history and other sensitive client-side data. No patch is currently available.
Arbitrary file deletion in Gogs 0.13.3 and earlier allows authenticated repository contributors to exploit a path traversal flaw in the wiki page update function, enabling deletion of arbitrary files on the affected server. An attacker with wiki write access can manipulate the old_title parameter to traverse the filesystem and remove critical files. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Gogs versions 0.13.3 and earlier are vulnerable to arbitrary file read and write operations through path traversal in the Git hook editing functionality, affecting self-hosted installations. An authenticated attacker with high privileges can exploit this vulnerability to access or modify files outside the intended directory. Public exploit code exists for this vulnerability, and no patch is currently available.
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Tanium addressed an improper link resolution before file access vulnerability in Enforce. [CVSS 5.0 MEDIUM]
Tanium addressed a documentation issue in Engage. [CVSS 6.6 MEDIUM]
A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. [CVSS 5.0 MEDIUM]
Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'.
Arbitrary file read in ShortPixel Image Optimizer plugin for WordPress through path traversal in the loadLogFile AJAX action allows authenticated users with Editor-level privileges or higher to access sensitive server files including database credentials. The vulnerability exists in versions up to 6.4.2 due to insufficient path validation on the loadFile parameter, and no patch is currently available.
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. [CVSS 3.8 LOW]
Navigatum contains a vulnerability that allows attackers to overwrite files in directories writable by the application user (e (CVSS 7.5).
OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.
Path traversal in Alist prior to version 3.57.0 allows authenticated users to manipulate filename parameters and bypass directory restrictions within the same storage mount. Attackers can exploit this vulnerability to perform unauthorized file operations including deletion, movement, and copying across user boundaries. Public exploit code exists for this vulnerability.
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files from the host system through path traversal in license file path validation, potentially exfiltrating sensitive data embedded in generated SBOMs. This vulnerability affects build pipeline scenarios where configuration is user-controlled, such as pull request-driven CI or build-as-a-service environments. A patch is available in version 0.40.3.
Compressing library versions 1.10.3 and prior, and 2.0.0 fail to validate symbolic link targets during TAR archive extraction, allowing attackers to write files to arbitrary locations on the filesystem. Public exploit code exists for this vulnerability, which could enable overwriting critical system files or establishing persistence. Patched versions 1.10.4 and 2.0.1 are available.
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. A patch is available in version 0.40.3 and later.
Apko versions up to 1.1.1 contains a vulnerability that allows attackers to build and publish OCI container images built from apk packages (CVSS 7.5).
The unstructured Python library for document ingestion has a path traversal vulnerability allowing arbitrary file read/write during document processing.
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. [CVSS 4.9 MEDIUM]
Samsung Members versions prior to 15.5.05.4 contain a path traversal vulnerability that enables local attackers to overwrite arbitrary data within the application. This vulnerability requires local access and valid user credentials but does not provide read access to sensitive information. No patch is currently available to address this issue.
Android ShortcutService path traversal vulnerability prior to the February 2026 SMR Release 1 enables privileged local attackers to create files with system-level privileges. The vulnerability requires high-level authentication and does not affect confidentiality significantly, but could allow attackers to modify system files or degrade availability. No patch is currently available.
A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. [CVSS 5.0 MEDIUM]
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate file path arguments in the backup import function, potentially accessing or modifying arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The attack requires valid credentials but can be executed remotely over the network.
Path traversal in Bolo Solo's importFromMarkdown function allows authenticated attackers to manipulate file paths and access arbitrary files on affected systems. The vulnerability affects Bolo Solo versions up to 2.6.4 and requires valid credentials but no user interaction to exploit. Public exploit code exists for this vulnerability, and no patch is currently available.
School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. [CVSS 7.5 HIGH]
Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. [CVSS 6.2 MEDIUM]
webERP 4.15.1 has an unauthenticated file access vulnerability allowing remote attackers to download sensitive files including configuration and database credentials.
Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. [CVSS 6.5 MEDIUM]
Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate ZIP file extraction operations in the BackupService component, potentially reading or writing arbitrary files on the affected system. Public exploit code is available for this vulnerability, and the vendor has not yet provided a patch despite early notification.
A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user.
The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. [CVSS 6.1 MEDIUM]
An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. [CVSS 6.1 MEDIUM]
The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. [CVSS 6.1 MEDIUM]
Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. [CVSS 4.3 MEDIUM]
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php.
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php.
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php.
Signal K Server versions prior to 2.20.3 on Windows contain a path traversal vulnerability in the applicationData API that allows authenticated users to read, write, and list arbitrary files by bypassing directory validation using backslashes. The vulnerability exists because the validateAppId() function only blocks forward slashes, allowing attackers to escape the intended applicationData directory through Windows path semantics. Public exploit code exists for this medium-severity flaw, and a patch is available in version 2.20.3.
OpenList Frontend versions prior to 4.1.10 contain a path traversal vulnerability in file operation handlers that allows authenticated users to bypass directory restrictions and access other users' files on the same storage mount. An attacker can exploit this by injecting ".." sequences into filename parameters to perform unauthorized file operations including deletion, renaming, and copying across user boundaries. Public exploit code exists for this vulnerability, which is resolved in version 4.1.10.
Critical path traversal in Wildfire IM instant messaging server before 1.4.3 allows unauthenticated access to arbitrary files. EPSS 0.25%, patch available.
IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. [CVSS 7.6 HIGH]
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x.
Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device's local file system. [CVSS 6.5 MEDIUM]
Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. [CVSS 6.5 MEDIUM]
Unauthenticated arbitrary file read and delete in SunFounder's Pironman Dashboard (pm_dashboard) 1.3.13 and earlier lets remote attackers abuse a path-traversal flaw in the log-file API to exfiltrate sensitive files and destroy critical system files. The dashboard runs on Raspberry Pi power/cooling hardware, so a successful attack can disclose configuration/secrets and cause data loss or denial of service. Publicly available exploit code exists; no active exploitation is confirmed, and EPSS remains low (0.20%).
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]
HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. [CVSS 7.5 HIGH]
Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.
HIKSEMI NAS devices improperly validate filenames, allowing attackers with physical access to traverse directory structures and read sensitive system files. This vulnerability affects confidentiality but requires local presence and no authentication, making it a risk primarily in physically accessible environments. No patch is currently available for this issue.
Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.
Remote code execution in Crafty Controller's Backup Configuration feature results from insufficient path traversal validation, enabling authenticated attackers to manipulate files and execute arbitrary code on affected systems. The vulnerability requires valid credentials and specific conditions to exploit but carries high impact due to its ability to compromise system integrity and confidentiality. No patch is currently available.
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. [CVSS 5.5 MEDIUM]
Authenticated users in Umbraco Forms versions 16 and 17 can exploit a path traversal vulnerability to read arbitrary files on Mac and Linux systems running the CMS. An attacker with backoffice access can enumerate and access sensitive files through the export endpoint by manipulating the fileName parameter. No patch is currently available, though the vulnerability is mitigated by restricting backoffice access and blocking path traversal sequences at the WAF level.
Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files. [CVSS 4.6 MEDIUM]
Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. [CVSS 6.3 MEDIUM]
Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. [CVSS 7.5 HIGH]
Open Security Issue Management (OSIM) prior to v2025.9.0 contains a path traversal vulnerability in its nginx configuration that improperly concatenates URI and query string parameters, allowing unauthenticated remote attackers to access unauthorized files and directories. The vulnerability affects both OSIM and Nginx deployments using vulnerable configurations, enabling information disclosure through crafted query parameters. A patch is available for affected versions.