Skip to main content

Path Traversal

7729 CVEs technique

Monthly

CVE-2025-39467 HIGH This Week

Path traversal vulnerability in Wanderland WordPress theme versions ≤1.7.1 enables remote unauthenticated PHP local file inclusion through crafted '.../...//' patterns. Successful exploitation allows reading arbitrary PHP files on the server, potentially exposing database credentials, configuration secrets, or achieving remote code execution if writable paths exist. EPSS score of 0.05% (17th percentile) indicates relatively low probability of mass exploitation, and no evidence of active exploitation in CISA KEV. Attack complexity is rated High (AC:H), suggesting exploitation requires specific timing, configuration conditions, or race conditions despite the remote unauthenticated attack vector.

Path Traversal PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-22288 MEDIUM Monitor

Path Traversal: '.../...//' vulnerability in WPMU DEV - Your All-in-One WordPress Platform Smush Image Compression and Optimization wp-smushit allows Path Traversal.17.0. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
NVD
CVSS 3.1
4.1
EPSS
0.1%
CVE-2025-20374 MEDIUM Monitor

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cisco Unified Contact Center Express
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2025-64108 HIGH This Month

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cursor
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-64107 HIGH This Month

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Microsoft Cursor Windows
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12493 CRITICAL This Week

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg +21 Modules - All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure RCE Path Traversal PHP +1
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-43382 MEDIUM This Month

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Apple
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-50735 HIGH POC This Month

Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nextchat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-12626 LOW Monitor

A security flaw has been discovered in jeecgboot jeewx-boot up to 641ab52c3e1845fec39996d7794c33fb40dad1dd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-55752 Maven HIGH POC PATCH CISA This Week

Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.

Apache Tomcat Path Traversal RCE Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12250 LOW Monitor

Path traversal vulnerability in OpenWGA 7.11.12 Build 737 TMLScript API WGA.File component allows high-privileged remote attackers to manipulate file paths and access unauthorized resources. The vulnerability has publicly available exploit code and an extremely low EPSS score (0.07%, percentile 22%), suggesting limited real-world exploitation despite network accessibility, likely due to the requirement for high-level authentication that restricts practical attack surface.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-12203 LOW POC PATCH Monitor

Path traversal in givanz Vvveb up to 1.0.7.3 allows authenticated remote attackers to manipulate the File argument in the Code Editor's sanitizeFileName function, enabling unauthorized file system access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS score of 0.05% suggests limited real-world exploitation despite the availability of proof-of-concept.

PHP Path Traversal Vvveb
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-60227 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-60217 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal.This issue affects PT Luxa Addons: from n/a through <= 1.2.2.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-59566 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows Path Traversal.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.5.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-58959 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal.This issue affects Taskbot: from n/a through <= 6.4.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-11941 LOW POC Monitor

Path traversal in e107 CMS up to version 2.3.3 allows authenticated remote attackers to manipulate the multiaction[] parameter in the Avatar Handler (/e107_admin/image.php) to access or modify arbitrary files on the server. The vulnerability requires valid user credentials but has low CVSS impact (2.1) and extremely low exploitation probability (EPSS 0.11%), though publicly available exploit code exists and the vendor has not provided a response or patch.

PHP Path Traversal E107
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11939 LOW POC Monitor

Path traversal in ChurchCRM's Backup Restore Handler allows high-privileged remote attackers to manipulate the restoreFile argument and access arbitrary files on the system. The vulnerability affects ChurchCRM up to version 5.18.0, requires administrative privileges (PR:H), and has publicly available exploit code. While CVSS score is low (2.0) due to privilege requirements, the limited scope impact and vendor non-response elevate practical risk for deployments with exposed admin interfaces.

PHP Path Traversal Churchcrm
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-11914 LOW POC Monitor

Path traversal in Streamax Crocus 1.3.40 allows authenticated remote attackers to read arbitrary files via manipulation of the FilePath parameter in the /DeviceFileReport.do?Action=Download endpoint. The vulnerability has publicly available exploit code and affects the file download functionality with low confidentiality impact. Despite a CVSS score of 2.1, the vendor has not responded to disclosure and the exploit is publicly weaponized.

Path Traversal Streamax Crocus
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11913 LOW POC Monitor

Path traversal in Streamax Crocus 1.3.40 Download function allows authenticated remote attackers to read arbitrary files via manipulation of the Path parameter in /Service.do?Action=Download requests. The vulnerability has a low CVSS score (2.1) due to requirement for authenticated access and confidentiality-only impact, but publicly available exploit code exists and the vendor has not responded to disclosure efforts.

Path Traversal Streamax Crocus
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11849 LIB MEDIUM PATCH This Month

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.

Path Traversal
NVD GitHub
CVSS 4.0
5.4
EPSS
0.2%
CVE-2025-60641 MEDIUM This Month

PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.

Deserialization Path Traversal SQLi Denial Of Service RCE +1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-11631 LOW POC Monitor

Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the path argument in the /Doc/deleteDoc.do endpoint, enabling deletion or access to arbitrary files outside the intended directory. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not responded to early disclosure notifications. EPSS exploitation probability is low at 0.11%, and no active exploitation in CISA KEV has been reported.

Path Traversal Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11630 LOW POC Monitor

Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the 'path' parameter in the updateRealDoc function (/Doc/uploadDoc.do) to write files outside intended directories. The vulnerability affects the file upload component and has publicly available exploit code, though the low CVSS score (2.1) and minimal EPSS (0.12%) indicate limited real-world impact despite confirmed public exploitability.

File Upload Path Traversal Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11607 LOW Monitor

Path traversal vulnerability in MoneyPrinterTurbo up to version 1.2.6 allows authenticated remote attackers to manipulate file upload parameters in the music API endpoint, enabling arbitrary file write operations with limited confidentiality and integrity impact. Publicly available exploit code exists and the vulnerability has low EPSS exploitation probability (0.09%, 26th percentile), suggesting limited real-world weaponization despite proof-of-concept availability.

Path Traversal Moneyprinterturbo
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-9950 MEDIUM This Month

Directory traversal in the Error Log Viewer plugin for WordPress (versions up to 1.1.6) allows authenticated administrators to read arbitrary files on the server via the rrrlgvwr_get_file function. The vulnerability is rooted in insufficient path validation (CWE-22) and has a CVSS score of 4.9 due to high confidentiality impact but limited scope (administrator privilege requirement). No public exploit code or active exploitation has been identified at the time of analysis.

Path Traversal WordPress
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-3718 MEDIUM This Month

A client-side path traversal vulnerability was discovered in the web management interface front-end due to missing validation of an input parameter. An authenticated user with limited privileges can craft a malicious URL which, if visited by an authenticated victim, leads to a Cross-Site Scripting (XSS) attack.

XSS Path Traversal Cmc Guardian
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-60969 MEDIUM This Month

Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes sensitive files to authenticated network attackers. The flaw resides in the device's web interface, where insufficiently validated path input allows an attacker to escape the intended directory root and read arbitrary files from the underlying filesystem. No public exploit code or active exploitation has been confirmed at time of analysis, but a third-party security researcher advisory exists at xdiv-sec.github.io detailing the issue.

Path Traversal Sonoma D12 Firmware
NVD
CVSS 3.1
5.7
EPSS
0.6%
CVE-2025-61685 npm MEDIUM PATCH MAL This Month

Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.

Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-47211 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Path Traversal Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-33034 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Path Traversal Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-61666 HIGH POC PATCH This Week

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

Path Traversal Windows
NVD GitHub
CVSS 4.0
8.7
EPSS
1.0%
CVE-2025-59744 HIGH This Week

Path traversal vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to access files only within the web root using the “docurl” parameter in “/lib/asp/DOCSAVEASASP.ASP”.

Path Traversal E Tms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-54293 Go MEDIUM POC PATCH This Month

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Path Traversal Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-61734 Maven HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Information Disclosure Path Traversal Apache Kylin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-54292 MEDIUM POC PATCH This Month

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

Path Traversal Ubuntu Lxd Suse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-11221 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1.

Path Traversal File Upload
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-11182 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Download of Code Without Integrity Check vulnerability in GTONE ChangeFlow allows Path Traversal.This issue affects ChangeFlow: All versions to v9.0.1.1.

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-11020 HIGH This Week

An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*.

SQLi Path Traversal File Upload Windows
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-61189 MEDIUM POC This Month

Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

Path Traversal Jeecg Boot
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-61188 MEDIUM POC This Month

Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

Path Traversal Jeecg Boot
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-58769 PHP LOW PATCH Monitor

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0-8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

PHP Path Traversal WordPress
NVD GitHub
CVSS 3.1
3.3
EPSS
0.1%
CVE-2025-59682 PyPI LOW PATCH Monitor

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Python Path Traversal Ubuntu Debian Django
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-11233 MEDIUM PATCH This Month

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.

Path Traversal Ubuntu Debian Red Hat Suse +1
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-8559 MEDIUM This Month

The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-61586 MEDIUM POC PATCH This Week

FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Freshrss
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-43813 Maven MEDIUM PATCH This Month

Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4,. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Digital Experience Platform Liferay Portal
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-11139 LOW POC Monitor

A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11034 LOW Monitor

A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11031 MEDIUM POC PATCH This Month

A flaw has been found in DataTables up to 1.10.13. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Path Traversal Datatables
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-11018 MEDIUM POC This Month

A flaw has been found in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Water Conservancy Informatization
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-11016 LOW Monitor

A security vulnerability has been detected in kalcaddle kodbox up to 1.61.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-10544 HIGH This Month

Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Path Traversal
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-59002 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-10307 MEDIUM This Month

The Backuply - Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Path Traversal RCE
NVD
CVSS 3.1
6.5
EPSS
1.9%
CVE-2025-10951 PyPI MEDIUM This Month

A vulnerability was identified in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-10449 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saysis Computer Systems Trade Ltd. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-10438 HIGH This Week

Path Traversal: 'dir/../../filename' vulnerability in Yordam Information Technology Consulting Education and Electrical Systems Industry Trade Inc. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-59343 npm HIGH PATCH This Week

tar-fs provides filesystem bindings for tar-stream. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Red Hat Suse
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-20313 MEDIUM This Month

Multiple vulnerabilities in Cisco IOS XE Software of could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Cisco Apple Path Traversal
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-56816 HIGH POC This Week

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Path Traversal Datart
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-56815 HIGH POC This Week

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal in the POST /viz/image interface, since the server directly uses MultipartFile.transferTo() to save the uploaded file to a path controllable by. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Datart
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-60020 MEDIUM This Month

nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-59825 Cargo MEDIUM PATCH This Month

astral-tokio-tar is a tar archive reading/writing library for async Rust. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Red Hat
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2025-9963 CRITICAL Act Now

A path traversal vulnerability in Novakon P series allows to expose the root file system "/" and modify all files with root permissions. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-57682 MEDIUM This Month

Directory Traversal vulnerability in Papermark 0.20.0 and prior allows authenticated attackers to retrieve arbitrary files from an S3 bucket through its CloudFront distribution via the "POST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Papermark
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-10854 HIGH This Month

The txtai framework allows the loading of compressed tar files as embedding indices. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Path Traversal
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-10777 LOW Monitor

A flaw has been found in JSC R7 R7-Office Document Server up to 20250820. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Path Traversal
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-10766 LOW Monitor

A weakness has been identified in SeriaWei ZKEACMS up to 4.3.cs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-9079 Go HIGH PATCH This Month

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE Path Traversal Mattermost Server Suse
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-56869 MEDIUM This Month

Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Sync In Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-10709 MEDIUM POC This Month

A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Water Conservancy Informatization
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-10708 MEDIUM POC This Month

A security vulnerability has been detected in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Water Conservancy Informatization
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-10468 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Beyaz Computer CityPlus allows Path Traversal.29375. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6237 PyPI CRITICAL PATCH This Week

A vulnerability in invokeai version v6.0.0a1 and below allows attackers to perform path traversal and arbitrary file deletion via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.0
9.8
EPSS
0.1%
CVE-2025-59352 Go MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Dragonfly Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.8%
CVE-2025-59414 npm LOW POC PATCH Monitor

Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Path Traversal Nuxt
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-59304 CRITICAL POC Act Now

A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Swetrix
NVD GitHub
CVSS 3.1
9.8
EPSS
4.7%
CVE-2025-35430 MEDIUM This Month

CISA Thorium does not adequately validate the paths of downloaded files via 'download_ephemeral' and 'download_children'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Thorium
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-59456 MEDIUM This Month

In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9215 MEDIUM This Month

The StoreEngine - Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10050 MEDIUM This Month

The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP RCE Path Traversal Information Disclosure
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-37130 MEDIUM This Month

A vulnerability in the command-line interface of EdgeConnect SD-WAN could allow an authenticated attacker to read arbitrary files within the system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-34185 HIGH This Week

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Eve X1 Server Firmware
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-59336 MEDIUM This Month

Luanox is a module host for Lua packages. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Path Traversal
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-55115 CRITICAL This Week

A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Path Traversal Control M Agent
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-43314 MEDIUM This Month

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Path Traversal
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43190 MEDIUM This Month

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Path Traversal
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-59056 MEDIUM This Month

FreePBX is an open-source web-based graphical user interface. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Freepbx
NVD GitHub
CVSS 4.0
6.6
EPSS
0.1%
CVE-2025-10472 MEDIUM POC This Month

A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Moneyprinterturbo
NVD VulDB
CVSS 4.0
5.5
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH This Week

Path traversal vulnerability in Wanderland WordPress theme versions ≤1.7.1 enables remote unauthenticated PHP local file inclusion through crafted '.../...//' patterns. Successful exploitation allows reading arbitrary PHP files on the server, potentially exposing database credentials, configuration secrets, or achieving remote code execution if writable paths exist. EPSS score of 0.05% (17th percentile) indicates relatively low probability of mass exploitation, and no evidence of active exploitation in CISA KEV. Attack complexity is rated High (AC:H), suggesting exploitation requires specific timing, configuration conditions, or race conditions despite the remote unauthenticated attack vector.

Path Traversal PHP
NVD
EPSS 0% CVSS 4.1
MEDIUM Monitor

Path Traversal: '.../...//' vulnerability in WPMU DEV - Your All-in-One WordPress Platform Smush Image Compression and Optimization wp-smushit allows Path Traversal.17.0. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 4.9
MEDIUM Monitor

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cisco Unified Contact Center Express
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cursor
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Microsoft Cursor +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg +21 Modules - All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure RCE +3
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Apple
NVD
EPSS 1% CVSS 7.5
HIGH POC This Month

Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Nextchat
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A security flaw has been discovered in jeecgboot jeewx-boot up to 641ab52c3e1845fec39996d7794c33fb40dad1dd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.

Apache Tomcat Path Traversal +3
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Path traversal vulnerability in OpenWGA 7.11.12 Build 737 TMLScript API WGA.File component allows high-privileged remote attackers to manipulate file paths and access unauthorized resources. The vulnerability has publicly available exploit code and an extremely low EPSS score (0.07%, percentile 22%), suggesting limited real-world exploitation despite network accessibility, likely due to the requirement for high-level authentication that restricts practical attack surface.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Path traversal in givanz Vvveb up to 1.0.7.3 allows authenticated remote attackers to manipulate the File argument in the Code Editor's sanitizeFileName function, enabling unauthorized file system access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS score of 0.05% suggests limited real-world exploitation despite the availability of proof-of-concept.

PHP Path Traversal Vvveb
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3.

Path Traversal
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal.This issue affects PT Luxa Addons: from n/a through <= 1.2.2.

Path Traversal
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows Path Traversal.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.5.

Path Traversal
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal.This issue affects Taskbot: from n/a through <= 6.4.

Path Traversal
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in e107 CMS up to version 2.3.3 allows authenticated remote attackers to manipulate the multiaction[] parameter in the Avatar Handler (/e107_admin/image.php) to access or modify arbitrary files on the server. The vulnerability requires valid user credentials but has low CVSS impact (2.1) and extremely low exploitation probability (EPSS 0.11%), though publicly available exploit code exists and the vendor has not provided a response or patch.

PHP Path Traversal E107
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Path traversal in ChurchCRM's Backup Restore Handler allows high-privileged remote attackers to manipulate the restoreFile argument and access arbitrary files on the system. The vulnerability affects ChurchCRM up to version 5.18.0, requires administrative privileges (PR:H), and has publicly available exploit code. While CVSS score is low (2.0) due to privilege requirements, the limited scope impact and vendor non-response elevate practical risk for deployments with exposed admin interfaces.

PHP Path Traversal Churchcrm
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in Streamax Crocus 1.3.40 allows authenticated remote attackers to read arbitrary files via manipulation of the FilePath parameter in the /DeviceFileReport.do?Action=Download endpoint. The vulnerability has publicly available exploit code and affects the file download functionality with low confidentiality impact. Despite a CVSS score of 2.1, the vendor has not responded to disclosure and the exploit is publicly weaponized.

Path Traversal Streamax Crocus
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in Streamax Crocus 1.3.40 Download function allows authenticated remote attackers to read arbitrary files via manipulation of the Path parameter in /Service.do?Action=Download requests. The vulnerability has a low CVSS score (2.1) due to requirement for authenticated access and confidentiality-only impact, but publicly available exploit code exists and the vendor has not responded to disclosure efforts.

Path Traversal Streamax Crocus
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.

Deserialization Path Traversal SQLi +3
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the path argument in the /Doc/deleteDoc.do endpoint, enabling deletion or access to arbitrary files outside the intended directory. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not responded to early disclosure notifications. EPSS exploitation probability is low at 0.11%, and no active exploitation in CISA KEV has been reported.

Path Traversal Docsys
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the 'path' parameter in the updateRealDoc function (/Doc/uploadDoc.do) to write files outside intended directories. The vulnerability affects the file upload component and has publicly available exploit code, though the low CVSS score (2.1) and minimal EPSS (0.12%) indicate limited real-world impact despite confirmed public exploitability.

File Upload Path Traversal Docsys
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal vulnerability in MoneyPrinterTurbo up to version 1.2.6 allows authenticated remote attackers to manipulate file upload parameters in the music API endpoint, enabling arbitrary file write operations with limited confidentiality and integrity impact. Publicly available exploit code exists and the vulnerability has low EPSS exploitation probability (0.09%, 26th percentile), suggesting limited real-world weaponization despite proof-of-concept availability.

Path Traversal Moneyprinterturbo
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Directory traversal in the Error Log Viewer plugin for WordPress (versions up to 1.1.6) allows authenticated administrators to read arbitrary files on the server via the rrrlgvwr_get_file function. The vulnerability is rooted in insufficient path validation (CWE-22) and has a CVSS score of 4.9 due to high confidentiality impact but limited scope (administrator privilege requirement). No public exploit code or active exploitation has been identified at the time of analysis.

Path Traversal WordPress
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

A client-side path traversal vulnerability was discovered in the web management interface front-end due to missing validation of an input parameter. An authenticated user with limited privileges can craft a malicious URL which, if visited by an authenticated victim, leads to a Cross-Site Scripting (XSS) attack.

XSS Path Traversal Cmc +1
NVD
EPSS 1% CVSS 5.7
MEDIUM This Month

Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes sensitive files to authenticated network attackers. The flaw resides in the device's web interface, where insufficiently validated path input allows an attacker to escape the intended directory root and read arbitrary files from the underlying filesystem. No public exploit code or active exploitation has been confirmed at time of analysis, but a third-party security researcher advisory exists at xdiv-sec.github.io detailing the issue.

Path Traversal Sonoma D12 Firmware
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.

Path Traversal
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Path Traversal Quts Hero +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Path Traversal Qsync Central
NVD
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

Path Traversal Windows
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Path traversal vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to access files only within the web root using the “docurl” parameter in “/lib/asp/DOCSAVEASASP.ASP”.

Path Traversal E Tms
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Path Traversal Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Information Disclosure Path Traversal Apache +1
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

Path Traversal Ubuntu Lxd +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1.

Path Traversal File Upload
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Download of Code Without Integrity Check vulnerability in GTONE ChangeFlow allows Path Traversal.This issue affects ChangeFlow: All versions to v9.0.1.1.

Path Traversal
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*.

SQLi Path Traversal File Upload +1
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

Path Traversal Jeecg Boot
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

Path Traversal Jeecg Boot
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0-8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

PHP Path Traversal WordPress
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Python Path Traversal Ubuntu +2
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.

Path Traversal Ubuntu Debian +3
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Week

FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Freshrss
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4,. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Digital Experience Platform Liferay Portal
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

A flaw has been found in DataTables up to 1.10.13. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Path Traversal Datatables
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Water Conservancy Informatization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A security vulnerability has been detected in kalcaddle kodbox up to 1.61.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Month

Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Path Traversal
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

The Backuply - Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Path Traversal +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability was identified in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saysis Computer Systems Trade Ltd. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Path Traversal: 'dir/../../filename' vulnerability in Yordam Information Technology Consulting Education and Electrical Systems Industry Trade Inc. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

tar-fs provides filesystem bindings for tar-stream. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Red Hat Suse
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

Multiple vulnerabilities in Cisco IOS XE Software of could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Cisco Apple Path Traversal
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Path Traversal +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Datart 1.0.0-rc.3 is vulnerable to Directory Traversal in the POST /viz/image interface, since the server directly uses MultipartFile.transferTo() to save the uploaded file to a path controllable by. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Datart
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

astral-tokio-tar is a tar archive reading/writing library for async Rust. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Red Hat
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

A path traversal vulnerability in Novakon P series allows to expose the root file system "/" and modify all files with root permissions. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Directory Traversal vulnerability in Papermark 0.20.0 and prior allows authenticated attackers to retrieve arbitrary files from an S3 bucket through its CloudFront distribution via the "POST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Papermark
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Month

The txtai framework allows the loading of compressed tar files as embedding indices. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Path Traversal
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A flaw has been found in JSC R7 R7-Office Document Server up to 20250820. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Path Traversal
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A weakness has been identified in SeriaWei ZKEACMS up to 4.3.cs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Month

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE Path Traversal Mattermost Server +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Sync In Server
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Water Conservancy Informatization
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Water Conservancy Informatization
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Beyaz Computer CityPlus allows Path Traversal.29375. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH This Week

A vulnerability in invokeai version v6.0.0a1 and below allows attackers to perform path traversal and arbitrary file deletion via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Dragonfly +1
NVD GitHub
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Path Traversal Nuxt
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL POC Act Now

A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Swetrix
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

CISA Thorium does not adequately validate the paths of downloaded files via 'download_ephemeral' and 'download_children'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Thorium
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The StoreEngine - Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the command-line interface of EdgeConnect SD-WAN could allow an authenticated attacker to read arbitrary files within the system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Eve X1 Server Firmware
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Luanox is a module host for Lua packages. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Path Traversal
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL This Week

A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Path Traversal Control M Agent
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Path Traversal
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

FreePBX is an open-source web-based graphical user interface. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Freepbx
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Moneyprinterturbo
NVD VulDB
Prev Page 22 of 86 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy