Path Traversal
Monthly
Replication Fullsync in Apache Kvrocks fails to validate filenames transmitted from a master node to a replica during full synchronization, enabling path traversal to arbitrary filesystem locations. Deployments using Kvrocks master-replica replication are affected; standalone instances with no replication configured are not exposed. An attacker who controls or can impersonate a master node can cause a replica to read or write files outside its intended data directory - no public exploit has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.
Path traversal in Rapid7 InsightConnect's Compression Plugin on Linux allows authenticated attackers with high privileges to write files to arbitrary paths on the underlying host via crafted archive filenames passed to the create_archive function. Impact is constrained to file corruption - the attacker can control write destination but not write content, preventing code execution via this vector alone. No public exploit code exists and no KEV listing is present; the low CVSS score of 3.3 reflects the high authentication bar and limited impact scope.
Arbitrary file read in Rapid7's InsightConnect Sed Plugin on Linux exposes sensitive host filesystem contents to authenticated attackers through an unsanitized expression parameter. All versions are affected per the CPE wildcard, and exploitation requires only a low-privilege authenticated InsightConnect session over the network with no user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CWE-22 path traversal class is well-understood and mechanically straightforward to exploit once authentication is obtained.
Arbitrary file write in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated attacker supply a crafted expression parameter to write attacker-controlled content to any filesystem path the plugin process can reach. The flaw (CWE-22 path traversal) carries a CVSS 7.1 with high integrity impact and there is no public exploit identified at time of analysis, but it is dangerous because arbitrary writes can be leveraged toward code execution or configuration tampering within the SOAR plugin runtime.
Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the ImportDeviceList method, where a user-supplied file path is used in file operations without proper validation. A high-privileged remote attacker can traverse outside intended directories to write or manipulate files and ultimately execute arbitrary code in the SYSTEM context, fully compromising the host. Discovered and reported via the Zero Day Initiative (ZDI-26-382 / ZDI-CAN-28579); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the restoreDB method, where a user-supplied path is used in file operations without validation, letting a high-privileged attacker write or restore files outside the intended directory and run code as SYSTEM. The flaw was reported through Trend Micro's Zero Day Initiative (ZDI-CAN-28578 / ZDI-26-381) and carries a CVSS 3.0 base score of 7.2 (PR:H). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unauthenticated information disclosure in ATEN Unizon allows remote attackers to read arbitrary files from affected installations by abusing a path-traversal weakness in the writeFileToHttpServletResponse method. Because the underlying service runs with SYSTEM privileges, an attacker can exfiltrate sensitive files including configuration, credentials, and OS-level data. Cataloged via ZDI (ZDI-26-380 / ZDI-CAN-28505) with no public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score was provided.
Arbitrary file deletion via directory traversal in ATEN Unizon's uploadSSL method allows authenticated remote attackers with high-privilege credentials to delete files anywhere on the underlying filesystem. All versions are indicated as affected by the wildcard CPE. Exploitation can be used to destroy configuration or system files, inducing a denial-of-service condition; no confirmed active exploitation or public exploit code has been identified at time of analysis.
Arbitrary file deletion in ATEN Unizon exposes all installations to destructive denial-of-service attacks via a path traversal flaw in the updateLicense method, reachable over the network by any authenticated high-privilege user. The CVSS PR:H constraint confirms exploitation requires high-privilege credentials, limiting opportunistic mass exploitation, but a motivated insider or attacker with stolen admin credentials can delete critical system files and render the host inoperable. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward AC:L nature of the flaw means exploitation is trivial once credentials are obtained.
Symlink-based workspace boundary bypass in chrome-devtools-mcp (versions 0.24.0 through before 1.1.0) allows a local low-privileged actor - including an AI coding agent itself - to read or overwrite files outside the configured workspace root. The McpContext.validatePath() function performs only a lexical prefix check on the resolved path and never canonicalizes symbolic links, so an in-root symlink whose target lies outside the root passes validation and causes downstream file operations to act on the real out-of-workspace target. No public exploit has been identified and the CVE is not listed in CISA KEV; a vendor-released patch is available in version 1.1.0.
Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote attacker read any file inside the workspace directory through its publish-mode HTTP endpoint (default port 6808). The flaw is an incomplete fix for CVE-2026-41894: the earlier patch sanitized the /export/ route but left the identical double-URL-encoding path traversal in the /assets/*path route, exposing conf/conf.json (AccessAuthCode SHA256 hash, API token, sync keys), the temp SQLite databases, and siyuan.log. Publicly available exploit code exists; no public active exploitation has been confirmed.
Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.
Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.
Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. No public exploit identified at time of analysis, and CISA SSVC marks exploitation as none.
Arbitrary file read in motionEye versions before 0.44.0 lets remote attackers retrieve any file readable by the motionEye process by supplying an absolute path to the media playback, download, and preview handlers. The flaw stems from os.path.join() discarding the configured media directory when given an absolute path, compounded by MoviePlaybackHandler deliberately overriding Tornado's StaticFileHandler path-safety checks. A proof-of-concept exists and the CVSS 4.0 exploit-maturity is rated Proof-of-Concept, but there is no public evidence of active exploitation.
Path traversal in the mise HTTP backend allows a repository-controlled `.tool-versions` file to direct `mise install` to create symlinks at arbitrary filesystem locations outside the designated mise installs root on Unix-like systems. Affecting mise up to version 2026.5.16, a developer or CI system that runs `mise install` against a malicious project can have executable symlinks silently placed under attacker-chosen `PATH` directories, enabling replacement of trusted commands with attacker-controlled HTTP content. No public exploit identified at time of analysis beyond the detailed proof-of-concept published in GitHub Security Advisory GHSA-f94h-j2qg-fxw3, and no CISA KEV listing confirms active in-the-wild exploitation.
Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.
Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the `IsSameSite()` function: the path `/a/../\example.com` passes server-side inspection but resolves to `//example.com` after browsers normalize backslashes to forward slashes. A publicly available proof-of-concept with screenshots exists; this vulnerability is not in CISA KEV and active exploitation has not been confirmed at time of analysis.
Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filters and create a symlink pointing outside the destination directory, enabling out-of-destination file reads or writes when extractall() is later used or the resulting symlink is followed. The flaw is an incomplete fix of CVE-2025-4330: a hardlink referencing a symlink stored at a deeper path than the hardlink itself causes the fallback to validate the symlink at its archived (deep) location but recreate it at the hardlink's shallower path, making a previously 'contained' relative target escape the extraction root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED_OUTPUT_DIR via symlinks and a TOCTOU race on the output_path parameter of the /screenshot and /pdf endpoints, potentially escalating to code execution where the runtime user can write to executable or cron paths. No public exploit identified at time of analysis, but the API is unauthenticated by default and the GHSA confirms the issue was found in an internal security audit.
Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.
Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.
Path traversal and sandbox escape in LangChain prior to 1.3.9 allow untrusted inputs - including LLM-generated content steered by adversarial prompts - to escape a configured filesystem root boundary. Three components are affected: a file-search agent middleware that validates a starting directory but not glob patterns or symlink targets; prompt and chain/agent configuration loaders that resolve path fields without root confinement; and path-prefix authorization logic that performs string-prefix comparison without segment boundaries, allowing sibling paths to bypass access controls. No public exploit code has been identified at time of analysis and this CVE does not appear in CISA KEV, but the risk is meaningful for any deployment that exposes LangChain filesystem agents to untrusted user input or LLM prompt injection.
Path traversal in motionEye v0.43.1 allows any authenticated user - including those with normal (non-admin) privileges - to read arbitrary files from the server filesystem via the picture and movie preview API endpoints. The root cause is inconsistent input validation: `get_media_preview()` and `del_media_content()` in `mediafiles.py` omit the `..` sequence check that `get_media_content()` correctly implements, and the Tornado web framework passes percent-encoded slashes (`%2F`) through unmodified to `os.path.join()`. A fully functional public proof-of-concept demonstrating retrieval of `/etc/passwd` is published in the GitHub security advisory; no public exploit identified at time of analysis for CISA KEV, but the low exploitation complexity and pre-computable default-credential signature make exposed instances an immediate practical target.
Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing maliciously crafted model files. The DiskIOStore.make method constructs directory paths from user-supplied layer names without sanitizing directory traversal sequences (..); since only forward slashes are blocked, embedding .. components in a layer name allows escape from the intended temporary working directory during model save or load operations. No active exploitation (CISA KEV) and no public proof-of-concept has been identified at time of analysis; however, EPSS data was not provided, leaving probabilistic exploitation likelihood unquantified.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Authenticated path traversal in AIL Framework (CIRCL's Analysis Information Leak threat-intel platform) lets a low-privileged user abuse the investigation workflow to read arbitrary files readable by the AIL process and exfiltrate them inside a generated archive. The flaw is fixed in commit 0041456af25da0cdea1c1c4624e46baff2731d8f, and no public exploit is identified at time of analysis. CVSS 4.0 is 8.3 (High), driven by a scope change where the leaked filesystem content is considered subsequent-system confidentiality impact.
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.
Path traversal in FlowiseAI Flowise's S3 Document Loader component (packages/components/nodes/documentloaders/S3/S3.ts) enables authenticated remote attackers to manipulate S3 object key inputs to access files outside the intended storage scope. Versions 3.1.0 through 3.1.2 are confirmed affected. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), and the vendor did not respond to responsible disclosure, leaving no vendor-confirmed patch at time of analysis.
Authenticated path traversal in Craft CMS (4.0.0-RC1 through 4.17.6 and 5.0.0-RC1 through 5.9.12) allows low-privileged users to read arbitrary SVG files on the server via the assets/icon endpoint's extension parameter, which was passed to file existence checks without validation. No public exploit identified at time of analysis, though VulnCheck published an advisory and the upstream fix is visible in commit 30f5f1a. Confidentiality impact is high but no integrity or availability impact, and exploitation requires valid authenticated session.
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.
Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.
Arbitrary file write and read in Symfony UX Toolkit's `ux:install` console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or `.env` files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Symlink-chain path traversal in the go.qbee.io/transport library's extractTar routine allows a crafted tar archive to write or overwrite files one directory level above the intended extraction path. Applications using this library with elevated privileges - specifically qbee-agent, which runs as root - face the most severe impact, as exploitation enables root-privileged arbitrary file writes outside the extraction sandbox. No public exploit is identified at time of analysis; vendor-released patch v1.26.25 resolves the issue.
Path traversal in Kestra's `inputFiles` task mechanism allows remote attackers to write arbitrary files to the worker filesystem when flows forward untrusted webhook or execution data as file names. Affected across four release branches (prior to 1.3.19, 1.2.19, 1.1.19, and 1.0.43), exploitation depends on a specific flow design pattern but requires no authentication if the target webhook is publicly accessible. No public exploit code or active exploitation has been identified at time of analysis, but the CVSS integrity impact is rated High due to the ability to create or overwrite files outside the task working directory.
Path traversal in the YARD Ruby documentation server (prior to 0.9.44) allows unauthenticated remote attackers to read arbitrary `.html` files from directories outside the configured document root by supplying crafted `../`-containing request paths such as `/../yard-cache-secret.html`. The flaw exists because the static cache lookup in `StaticCaching#check_static_cache` constructs a filesystem path from the raw `request.path` before the router's own path-sanitization logic runs, enabling traversal to sibling directories. No active exploitation has been identified (not in CISA KEV) and no public POC exists at time of analysis; the vendor-released fix is version 0.9.44.
Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4gxv-p5g5-j7w7 documents the issue and a fix is available.
Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' playlists and probe arbitrary host file paths by smuggling `..` segments into the playlist `id` parameter. The flaw bypasses the ownership check introduced in commit 6dd71e6, which derived `playlist.UserID` from the first path segment of the attacker-controlled ID without containing the resolved file path. No public exploit identified at time of analysis, but a proof-of-concept test case is embedded in the upstream patch.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.
Path traversal in AIL Framework's `/objects/item/diff` endpoint exposes gzip-compressed server-side files to authenticated users. The Flask blueprint route in `var/www/blueprints/objects_item.py` accepted arbitrary item identifiers via `s1` and `s2` query parameters and attempted to read and compare their contents without first verifying they resolved to legitimate AIL objects, enabling directory traversal sequences to escape the items directory. No active exploitation has been identified at time of analysis; CIRCL reported the issue and an upstream fix is available via a GitHub commit.
Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), where URL-encoded path separators bypass filename validation and allow arbitrary file write outside the upload directory. Any actor holding a valid, non-expired, upload-enabled shared-folder token - tokens explicitly designed to be shared publicly - can overwrite users/users.txt to plant an admin account and, depending on configuration, achieve remote code execution. No public exploit identified at time of analysis, but the upstream fix in v3.16.0 documents the exact bypass, lowering the bar for weaponization.
Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the `/var/snap/microceph` snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on `name` and `LocalName` parameters in `cmdRemotePut`, permitting `..` sequences to reach unintended directories. No public exploit has been identified at time of analysis; an upstream fix exists as GitHub PR #758 with no confirmed tagged snap release.
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.
Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.
Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.
Path traversal in PraisonAI's MultiAgentMonitor component (versions <= 1.5.114) lets remote attackers who can supply agent identifiers read, write, or overwrite arbitrary files on the host by embedding '../' sequences in agent IDs. The flaw, disclosed by VulnCheck and tracked as GHSA-766v-q9x3-g744, enables information disclosure, denial of service, and potential code execution in multi-agent AI deployments; no public exploit identified at time of analysis but a detailed PoC is included in the advisory.
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated attackers to write attacker-controlled content to arbitrary filesystem locations by sending a WhatsApp document message with a path-traversal sequence in its fileName field. Because both the destination path and the file content are attacker-controlled, exploitation yields a write-anywhere primitive that can be escalated to remote code execution (e.g., by overwriting authorized_keys or shell startup files). No public exploit identified at time of analysis; a fix is planned for version 0.1.5.post4.
Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.
Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.
Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. The flaw escalates a routine administrative capability into full server compromise without requiring user interaction.
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.
Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write files outside the intended directory by manipulating attachment filenames processed during encrypted PDF generation. Files can be placed in web-accessible locations, enabling potential webshell deployment and integrity compromise. No public exploit identified at time of analysis; the issue was reported by NCSC.ch and is fixed in 15.0.5.
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.
Arbitrary file write in BBOT's postman_download module enables a remote attacker to write files outside the intended output directory on a victim's system by controlling a Postman workspace name containing path traversal sequences. When a user runs the postman_download module, BBOT fetches workspace names from the Postman API and constructs local filesystem paths without sanitization, allowing pathlib to resolve paths into arbitrary locations on the victim's host. No public exploit has been identified at time of analysis, though the attack primitive is straightforward given the publicly committed fix details and low attack complexity.
Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images.
Arbitrary file read in Typemill before 2.24.0 allows authenticated Author-level users to traverse outside the content directory by injecting traversal sequences in the path query parameter when the folder argument is empty, defeating sanitization in Storage::getFolderPath(). Reported by VulnCheck with a vendor patch shipped in 2.24.0/2.24.2; no public exploit identified at time of analysis, and the CVSS 4.0 base score of 7.1 reflects high confidentiality impact with low-privilege network access.
Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.
Arbitrary file read in jknack handlebars.java versions prior to 4.5.2 allows remote unauthenticated attackers to retrieve files outside the intended template directory when applications pass user-controlled input to Handlebars.compile() with a FileTemplateLoader or ClassPathTemplateLoader. The flaw stems from missing path canonicalization in the template loaders, enabling classic ../ traversal sequences to escape the configured template prefix. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-r4gv-qr8j-p3pg documents the issue and the fix is available in 4.5.2.
Open redirect in Gitea's login flow allows external domain hijacking by bypassing the `urlIsRelative` validation in `modules/httplib/url.go` through a combination of directory traversal sequences and a backslash in the `redirect_to` parameter. All Gitea instances running version 1.25.4 and below are affected; a working proof-of-concept is publicly available in the GitHub Security Advisory. Exploitation enables phishing via trusted Gitea domains, OAuth/SSO authorization code theft, Referer-header leakage of sensitive parameters, and potential cache poisoning — no public exploit identified as confirmed actively exploited (CISA KEV absent).
Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.
Authenticated remote command execution in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows administrators to run arbitrary OS commands and escalate to root via a crafted HTTP request. The flaw, tracked as CVE-2026-20181 and reported by Cisco with a CVSS 3.1 score of 9.1 (scope-changed), can also crash single-node deployments and deny network access to unauthenticated endpoints. There is no public exploit identified at time of analysis.
Arbitrary file read in picklescan versions before 0.0.35 allows remote unauthenticated attackers to exfiltrate sensitive server files by abusing standard-library callables that the tool's RCE-focused blocklist fails to detect. By chaining io.FileIO and urllib.request.urlopen inside a malicious pickle, an attacker can stream contents of files such as /etc/passwd to an attacker-controlled URL when the scanner processes untrusted model artifacts. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis in the form of in-the-wild abuse.
Sibling-prefix path traversal in open-webui 0.9.5 and earlier allows any authenticated user to read arbitrary files from directories adjacent to the configured cache directory, provided those directories share the string prefix 'cache' (e.g., cache_backup, cached_models). The flaw exists in serve_cache_file() at main.py:2914, where a missing trailing path separator in the startswith boundary check causes os.path.abspath() to validate resolved sibling paths as if they were within the cache root. Publicly available exploit code exists in the GHSA advisory (PoC confirmed against open-webui 0.9.5 via raw ASGI delivery); no confirmed active exploitation (not in CISA KEV) at time of analysis.
Path traversal in EMV JobCareer WordPress theme versions up to and including 7.3 allows remote unauthenticated attackers to delete arbitrary files outside the intended directory, leading to high availability impact with scope change. Reported by Patchstack and tracked under CWE-22, this flaw carries a CVSS 3.1 score of 8.6, though no public exploit identified at time of analysis. The Patchstack advisory characterizes this as an arbitrary file deletion vulnerability rather than a read primitive.
Unauthenticated arbitrary file deletion in the WorkScout-Core WordPress plugin (versions <= 1.7.11) allows any remote attacker to delete files on the underlying server without credentials. The flaw stems from a path traversal weakness (CWE-22) in a file-handling endpoint that fails to sanitize user-supplied input before constructing filesystem paths. Exploitation requires no authentication, no user interaction, and no special configuration, meaning every publicly reachable WordPress installation running this plugin version is exposed; no public exploit or CISA KEV listing has been identified at time of analysis.
Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Contributor-level privileges to delete arbitrary files on the underlying server via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal.1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. No public exploit or CISA KEV listing exists at time of analysis, but the high confidentiality impact combined with low attack complexity makes this a meaningful data exposure risk on affected WordPress installations.
Unauthenticated arbitrary file deletion in the OvaTheme BookPro WordPress plugin (versions ≤ 1.1.0) allows remote attackers to delete arbitrary files from the underlying server via a path traversal flaw (CWE-22). Deletion of critical files such as wp-config.php can force a WordPress site into the setup state, enabling site takeover, while the scope-changed CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/A:H) and Patchstack disclosure mark this as a high-priority issue despite no public exploit being identified at time of analysis.
Arbitrary file download in the WooCommerce Book Price WordPress plugin (versions 1.3 and earlier) allows remote attackers to retrieve arbitrary files from the underlying server filesystem via path traversal. The CVSS vector indicates network-reachable exploitation without authentication or user interaction, yielding high confidentiality impact with no integrity or availability effects. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated arbitrary file download in JoomUnited's WP Media Folder Addon WordPress plugin versions 4.0.1 and below allows remote attackers to retrieve arbitrary files from the underlying server via a path traversal weakness (CWE-22). The flaw is exploitable over the network without authentication or user interaction, exposing sensitive WordPress and server files such as wp-config.php. No public exploit identified at time of analysis, and the issue is not currently tracked in CISA KEV.
Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.
Arbitrary file write via path traversal in SOLIDWORKS Visualize (bundled with SOLIDWORKS Desktop 2024 through 2026) allows remote attackers to place files at attacker-chosen locations on the server. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote, unauthenticated exploitation with high impact across confidentiality, integrity, and availability. At time of analysis, no public exploit identified and the issue is not on the CISA KEV list.
Authenticated path traversal in Gogs self-hosted Git service (versions <= 0.13.4) allows any user with repository edit permissions to overwrite arbitrary files on the host filesystem via the diff preview endpoint, resulting in denial of service. By abusing the `git diff --output=<file>` flag through the `POST /:user/:repo/_preview/:branch/:path_to_file` handler and bypassing the standard library `path.Clean` filter, an attacker can corrupt critical files such as `gogs.db` or `app.ini`. Publicly available exploit code exists in the form of a detailed researcher write-up with payload examples, though no CISA KEV listing or active exploitation has been reported.
Arbitrary file read in Runtipi 4.9.1-4.9.3 exposes sensitive container secrets via symlink following in an unauthenticated app-store logo endpoint. An attacker who controls a Git-based app-store repository can embed a symbolic link as a marketplace logo file; because the path guard performs only lexical validation before Node.js reads the file, Runtipi resolves and returns the symlink target, potentially leaking /data/.env, JWT secrets, service credentials, and seed values to any unauthenticated requester. No public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV; a vendor-confirmed fix is available in v4.10.0.
Arbitrary file deletion in evolution-data-server's addressbook file backend exposes host filesystem to manipulation by a Flatpak application with D-Bus access. The vulnerability exploits split validation logic: a crafted URI embedding directory traversal sequences (e.g., '../') is accepted without sufficient sanitization during contact creation or modification, but when the same URI is later processed at deletion time, a second, less restrictive check fails to catch the traversal - allowing files outside the intended addressbook directory to be removed. Critically, deletion of Flatpak override files could be leveraged to silently weaken sandbox restrictions for subsequent application runs. No public exploit has been identified at time of analysis.
Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's `path` matcher and `file_server` handler, where the matcher treats `\` as a literal character while Windows-native filesystem code treats it as a separator. A detailed proof-of-concept is published in the vendor advisory, though no public exploit identified at time of analysis in exploitation databases.
Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.
Arbitrary file deletion in the Car Zone WordPress theme (versions through 3.7) by Aivah Themes lets remote, unauthenticated attackers remove files on the underlying server through a path-traversal flaw. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/A:H) reflects that file deletion crosses scope into the broader WordPress installation, enabling denial-of-service or forced reinstall scenarios. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Path manipulation in the LangGraph Python SDK (langgraph-sdk) version 0.3.14 and earlier lets caller-supplied identifier values containing URL-special characters redirect an HTTP request to a different resource — or resource type — than the SDK call intended. When applications forward untrusted, unvalidated identifiers into SDK methods and rely on upstream URL-prefix authorization, an attacker can reach, modify, or delete resources outside their authorization scope. There is no public exploit identified at time of analysis and EPSS is low (0.22%), but CVSS is rated 9.1 due to high confidentiality and integrity impact.
Replication Fullsync in Apache Kvrocks fails to validate filenames transmitted from a master node to a replica during full synchronization, enabling path traversal to arbitrary filesystem locations. Deployments using Kvrocks master-replica replication are affected; standalone instances with no replication configured are not exposed. An attacker who controls or can impersonate a master node can cause a replica to read or write files outside its intended data directory - no public exploit has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.
Path traversal in Rapid7 InsightConnect's Compression Plugin on Linux allows authenticated attackers with high privileges to write files to arbitrary paths on the underlying host via crafted archive filenames passed to the create_archive function. Impact is constrained to file corruption - the attacker can control write destination but not write content, preventing code execution via this vector alone. No public exploit code exists and no KEV listing is present; the low CVSS score of 3.3 reflects the high authentication bar and limited impact scope.
Arbitrary file read in Rapid7's InsightConnect Sed Plugin on Linux exposes sensitive host filesystem contents to authenticated attackers through an unsanitized expression parameter. All versions are affected per the CPE wildcard, and exploitation requires only a low-privilege authenticated InsightConnect session over the network with no user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CWE-22 path traversal class is well-understood and mechanically straightforward to exploit once authentication is obtained.
Arbitrary file write in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated attacker supply a crafted expression parameter to write attacker-controlled content to any filesystem path the plugin process can reach. The flaw (CWE-22 path traversal) carries a CVSS 7.1 with high integrity impact and there is no public exploit identified at time of analysis, but it is dangerous because arbitrary writes can be leveraged toward code execution or configuration tampering within the SOAR plugin runtime.
Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the ImportDeviceList method, where a user-supplied file path is used in file operations without proper validation. A high-privileged remote attacker can traverse outside intended directories to write or manipulate files and ultimately execute arbitrary code in the SYSTEM context, fully compromising the host. Discovered and reported via the Zero Day Initiative (ZDI-26-382 / ZDI-CAN-28579); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the restoreDB method, where a user-supplied path is used in file operations without validation, letting a high-privileged attacker write or restore files outside the intended directory and run code as SYSTEM. The flaw was reported through Trend Micro's Zero Day Initiative (ZDI-CAN-28578 / ZDI-26-381) and carries a CVSS 3.0 base score of 7.2 (PR:H). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unauthenticated information disclosure in ATEN Unizon allows remote attackers to read arbitrary files from affected installations by abusing a path-traversal weakness in the writeFileToHttpServletResponse method. Because the underlying service runs with SYSTEM privileges, an attacker can exfiltrate sensitive files including configuration, credentials, and OS-level data. Cataloged via ZDI (ZDI-26-380 / ZDI-CAN-28505) with no public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score was provided.
Arbitrary file deletion via directory traversal in ATEN Unizon's uploadSSL method allows authenticated remote attackers with high-privilege credentials to delete files anywhere on the underlying filesystem. All versions are indicated as affected by the wildcard CPE. Exploitation can be used to destroy configuration or system files, inducing a denial-of-service condition; no confirmed active exploitation or public exploit code has been identified at time of analysis.
Arbitrary file deletion in ATEN Unizon exposes all installations to destructive denial-of-service attacks via a path traversal flaw in the updateLicense method, reachable over the network by any authenticated high-privilege user. The CVSS PR:H constraint confirms exploitation requires high-privilege credentials, limiting opportunistic mass exploitation, but a motivated insider or attacker with stolen admin credentials can delete critical system files and render the host inoperable. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward AC:L nature of the flaw means exploitation is trivial once credentials are obtained.
Symlink-based workspace boundary bypass in chrome-devtools-mcp (versions 0.24.0 through before 1.1.0) allows a local low-privileged actor - including an AI coding agent itself - to read or overwrite files outside the configured workspace root. The McpContext.validatePath() function performs only a lexical prefix check on the resolved path and never canonicalizes symbolic links, so an in-root symlink whose target lies outside the root passes validation and causes downstream file operations to act on the real out-of-workspace target. No public exploit has been identified and the CVE is not listed in CISA KEV; a vendor-released patch is available in version 1.1.0.
Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote attacker read any file inside the workspace directory through its publish-mode HTTP endpoint (default port 6808). The flaw is an incomplete fix for CVE-2026-41894: the earlier patch sanitized the /export/ route but left the identical double-URL-encoding path traversal in the /assets/*path route, exposing conf/conf.json (AccessAuthCode SHA256 hash, API token, sync keys), the temp SQLite databases, and siyuan.log. Publicly available exploit code exists; no public active exploitation has been confirmed.
Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.
Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.
Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. No public exploit identified at time of analysis, and CISA SSVC marks exploitation as none.
Arbitrary file read in motionEye versions before 0.44.0 lets remote attackers retrieve any file readable by the motionEye process by supplying an absolute path to the media playback, download, and preview handlers. The flaw stems from os.path.join() discarding the configured media directory when given an absolute path, compounded by MoviePlaybackHandler deliberately overriding Tornado's StaticFileHandler path-safety checks. A proof-of-concept exists and the CVSS 4.0 exploit-maturity is rated Proof-of-Concept, but there is no public evidence of active exploitation.
Path traversal in the mise HTTP backend allows a repository-controlled `.tool-versions` file to direct `mise install` to create symlinks at arbitrary filesystem locations outside the designated mise installs root on Unix-like systems. Affecting mise up to version 2026.5.16, a developer or CI system that runs `mise install` against a malicious project can have executable symlinks silently placed under attacker-chosen `PATH` directories, enabling replacement of trusted commands with attacker-controlled HTTP content. No public exploit identified at time of analysis beyond the detailed proof-of-concept published in GitHub Security Advisory GHSA-f94h-j2qg-fxw3, and no CISA KEV listing confirms active in-the-wild exploitation.
Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.
Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the `IsSameSite()` function: the path `/a/../\example.com` passes server-side inspection but resolves to `//example.com` after browsers normalize backslashes to forward slashes. A publicly available proof-of-concept with screenshots exists; this vulnerability is not in CISA KEV and active exploitation has not been confirmed at time of analysis.
Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filters and create a symlink pointing outside the destination directory, enabling out-of-destination file reads or writes when extractall() is later used or the resulting symlink is followed. The flaw is an incomplete fix of CVE-2025-4330: a hardlink referencing a symlink stored at a deeper path than the hardlink itself causes the fallback to validate the symlink at its archived (deep) location but recreate it at the hardlink's shallower path, making a previously 'contained' relative target escape the extraction root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED_OUTPUT_DIR via symlinks and a TOCTOU race on the output_path parameter of the /screenshot and /pdf endpoints, potentially escalating to code execution where the runtime user can write to executable or cron paths. No public exploit identified at time of analysis, but the API is unauthenticated by default and the GHSA confirms the issue was found in an internal security audit.
Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.
Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.
Path traversal and sandbox escape in LangChain prior to 1.3.9 allow untrusted inputs - including LLM-generated content steered by adversarial prompts - to escape a configured filesystem root boundary. Three components are affected: a file-search agent middleware that validates a starting directory but not glob patterns or symlink targets; prompt and chain/agent configuration loaders that resolve path fields without root confinement; and path-prefix authorization logic that performs string-prefix comparison without segment boundaries, allowing sibling paths to bypass access controls. No public exploit code has been identified at time of analysis and this CVE does not appear in CISA KEV, but the risk is meaningful for any deployment that exposes LangChain filesystem agents to untrusted user input or LLM prompt injection.
Path traversal in motionEye v0.43.1 allows any authenticated user - including those with normal (non-admin) privileges - to read arbitrary files from the server filesystem via the picture and movie preview API endpoints. The root cause is inconsistent input validation: `get_media_preview()` and `del_media_content()` in `mediafiles.py` omit the `..` sequence check that `get_media_content()` correctly implements, and the Tornado web framework passes percent-encoded slashes (`%2F`) through unmodified to `os.path.join()`. A fully functional public proof-of-concept demonstrating retrieval of `/etc/passwd` is published in the GitHub security advisory; no public exploit identified at time of analysis for CISA KEV, but the low exploitation complexity and pre-computable default-credential signature make exposed instances an immediate practical target.
Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing maliciously crafted model files. The DiskIOStore.make method constructs directory paths from user-supplied layer names without sanitizing directory traversal sequences (..); since only forward slashes are blocked, embedding .. components in a layer name allows escape from the intended temporary working directory during model save or load operations. No active exploitation (CISA KEV) and no public proof-of-concept has been identified at time of analysis; however, EPSS data was not provided, leaving probabilistic exploitation likelihood unquantified.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Authenticated path traversal in AIL Framework (CIRCL's Analysis Information Leak threat-intel platform) lets a low-privileged user abuse the investigation workflow to read arbitrary files readable by the AIL process and exfiltrate them inside a generated archive. The flaw is fixed in commit 0041456af25da0cdea1c1c4624e46baff2731d8f, and no public exploit is identified at time of analysis. CVSS 4.0 is 8.3 (High), driven by a scope change where the leaked filesystem content is considered subsequent-system confidentiality impact.
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.
Path traversal in FlowiseAI Flowise's S3 Document Loader component (packages/components/nodes/documentloaders/S3/S3.ts) enables authenticated remote attackers to manipulate S3 object key inputs to access files outside the intended storage scope. Versions 3.1.0 through 3.1.2 are confirmed affected. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), and the vendor did not respond to responsible disclosure, leaving no vendor-confirmed patch at time of analysis.
Authenticated path traversal in Craft CMS (4.0.0-RC1 through 4.17.6 and 5.0.0-RC1 through 5.9.12) allows low-privileged users to read arbitrary SVG files on the server via the assets/icon endpoint's extension parameter, which was passed to file existence checks without validation. No public exploit identified at time of analysis, though VulnCheck published an advisory and the upstream fix is visible in commit 30f5f1a. Confidentiality impact is high but no integrity or availability impact, and exploitation requires valid authenticated session.
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.
Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.
Arbitrary file write and read in Symfony UX Toolkit's `ux:install` console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or `.env` files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Symlink-chain path traversal in the go.qbee.io/transport library's extractTar routine allows a crafted tar archive to write or overwrite files one directory level above the intended extraction path. Applications using this library with elevated privileges - specifically qbee-agent, which runs as root - face the most severe impact, as exploitation enables root-privileged arbitrary file writes outside the extraction sandbox. No public exploit is identified at time of analysis; vendor-released patch v1.26.25 resolves the issue.
Path traversal in Kestra's `inputFiles` task mechanism allows remote attackers to write arbitrary files to the worker filesystem when flows forward untrusted webhook or execution data as file names. Affected across four release branches (prior to 1.3.19, 1.2.19, 1.1.19, and 1.0.43), exploitation depends on a specific flow design pattern but requires no authentication if the target webhook is publicly accessible. No public exploit code or active exploitation has been identified at time of analysis, but the CVSS integrity impact is rated High due to the ability to create or overwrite files outside the task working directory.
Path traversal in the YARD Ruby documentation server (prior to 0.9.44) allows unauthenticated remote attackers to read arbitrary `.html` files from directories outside the configured document root by supplying crafted `../`-containing request paths such as `/../yard-cache-secret.html`. The flaw exists because the static cache lookup in `StaticCaching#check_static_cache` constructs a filesystem path from the raw `request.path` before the router's own path-sanitization logic runs, enabling traversal to sibling directories. No active exploitation has been identified (not in CISA KEV) and no public POC exists at time of analysis; the vendor-released fix is version 0.9.44.
Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4gxv-p5g5-j7w7 documents the issue and a fix is available.
Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' playlists and probe arbitrary host file paths by smuggling `..` segments into the playlist `id` parameter. The flaw bypasses the ownership check introduced in commit 6dd71e6, which derived `playlist.UserID` from the first path segment of the attacker-controlled ID without containing the resolved file path. No public exploit identified at time of analysis, but a proof-of-concept test case is embedded in the upstream patch.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.
Path traversal in AIL Framework's `/objects/item/diff` endpoint exposes gzip-compressed server-side files to authenticated users. The Flask blueprint route in `var/www/blueprints/objects_item.py` accepted arbitrary item identifiers via `s1` and `s2` query parameters and attempted to read and compare their contents without first verifying they resolved to legitimate AIL objects, enabling directory traversal sequences to escape the items directory. No active exploitation has been identified at time of analysis; CIRCL reported the issue and an upstream fix is available via a GitHub commit.
Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), where URL-encoded path separators bypass filename validation and allow arbitrary file write outside the upload directory. Any actor holding a valid, non-expired, upload-enabled shared-folder token - tokens explicitly designed to be shared publicly - can overwrite users/users.txt to plant an admin account and, depending on configuration, achieve remote code execution. No public exploit identified at time of analysis, but the upstream fix in v3.16.0 documents the exact bypass, lowering the bar for weaponization.
Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the `/var/snap/microceph` snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on `name` and `LocalName` parameters in `cmdRemotePut`, permitting `..` sequences to reach unintended directories. No public exploit has been identified at time of analysis; an upstream fix exists as GitHub PR #758 with no confirmed tagged snap release.
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.
Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.
Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.
Path traversal in PraisonAI's MultiAgentMonitor component (versions <= 1.5.114) lets remote attackers who can supply agent identifiers read, write, or overwrite arbitrary files on the host by embedding '../' sequences in agent IDs. The flaw, disclosed by VulnCheck and tracked as GHSA-766v-q9x3-g744, enables information disclosure, denial of service, and potential code execution in multi-agent AI deployments; no public exploit identified at time of analysis but a detailed PoC is included in the advisory.
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated attackers to write attacker-controlled content to arbitrary filesystem locations by sending a WhatsApp document message with a path-traversal sequence in its fileName field. Because both the destination path and the file content are attacker-controlled, exploitation yields a write-anywhere primitive that can be escalated to remote code execution (e.g., by overwriting authorized_keys or shell startup files). No public exploit identified at time of analysis; a fix is planned for version 0.1.5.post4.
Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.
Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.
Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. The flaw escalates a routine administrative capability into full server compromise without requiring user interaction.
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.
Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write files outside the intended directory by manipulating attachment filenames processed during encrypted PDF generation. Files can be placed in web-accessible locations, enabling potential webshell deployment and integrity compromise. No public exploit identified at time of analysis; the issue was reported by NCSC.ch and is fixed in 15.0.5.
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.
Arbitrary file write in BBOT's postman_download module enables a remote attacker to write files outside the intended output directory on a victim's system by controlling a Postman workspace name containing path traversal sequences. When a user runs the postman_download module, BBOT fetches workspace names from the Postman API and constructs local filesystem paths without sanitization, allowing pathlib to resolve paths into arbitrary locations on the victim's host. No public exploit has been identified at time of analysis, though the attack primitive is straightforward given the publicly committed fix details and low attack complexity.
Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images.
Arbitrary file read in Typemill before 2.24.0 allows authenticated Author-level users to traverse outside the content directory by injecting traversal sequences in the path query parameter when the folder argument is empty, defeating sanitization in Storage::getFolderPath(). Reported by VulnCheck with a vendor patch shipped in 2.24.0/2.24.2; no public exploit identified at time of analysis, and the CVSS 4.0 base score of 7.1 reflects high confidentiality impact with low-privilege network access.
Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.
Arbitrary file read in jknack handlebars.java versions prior to 4.5.2 allows remote unauthenticated attackers to retrieve files outside the intended template directory when applications pass user-controlled input to Handlebars.compile() with a FileTemplateLoader or ClassPathTemplateLoader. The flaw stems from missing path canonicalization in the template loaders, enabling classic ../ traversal sequences to escape the configured template prefix. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-r4gv-qr8j-p3pg documents the issue and the fix is available in 4.5.2.
Open redirect in Gitea's login flow allows external domain hijacking by bypassing the `urlIsRelative` validation in `modules/httplib/url.go` through a combination of directory traversal sequences and a backslash in the `redirect_to` parameter. All Gitea instances running version 1.25.4 and below are affected; a working proof-of-concept is publicly available in the GitHub Security Advisory. Exploitation enables phishing via trusted Gitea domains, OAuth/SSO authorization code theft, Referer-header leakage of sensitive parameters, and potential cache poisoning — no public exploit identified as confirmed actively exploited (CISA KEV absent).
Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.
Authenticated remote command execution in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows administrators to run arbitrary OS commands and escalate to root via a crafted HTTP request. The flaw, tracked as CVE-2026-20181 and reported by Cisco with a CVSS 3.1 score of 9.1 (scope-changed), can also crash single-node deployments and deny network access to unauthenticated endpoints. There is no public exploit identified at time of analysis.
Arbitrary file read in picklescan versions before 0.0.35 allows remote unauthenticated attackers to exfiltrate sensitive server files by abusing standard-library callables that the tool's RCE-focused blocklist fails to detect. By chaining io.FileIO and urllib.request.urlopen inside a malicious pickle, an attacker can stream contents of files such as /etc/passwd to an attacker-controlled URL when the scanner processes untrusted model artifacts. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis in the form of in-the-wild abuse.
Sibling-prefix path traversal in open-webui 0.9.5 and earlier allows any authenticated user to read arbitrary files from directories adjacent to the configured cache directory, provided those directories share the string prefix 'cache' (e.g., cache_backup, cached_models). The flaw exists in serve_cache_file() at main.py:2914, where a missing trailing path separator in the startswith boundary check causes os.path.abspath() to validate resolved sibling paths as if they were within the cache root. Publicly available exploit code exists in the GHSA advisory (PoC confirmed against open-webui 0.9.5 via raw ASGI delivery); no confirmed active exploitation (not in CISA KEV) at time of analysis.
Path traversal in EMV JobCareer WordPress theme versions up to and including 7.3 allows remote unauthenticated attackers to delete arbitrary files outside the intended directory, leading to high availability impact with scope change. Reported by Patchstack and tracked under CWE-22, this flaw carries a CVSS 3.1 score of 8.6, though no public exploit identified at time of analysis. The Patchstack advisory characterizes this as an arbitrary file deletion vulnerability rather than a read primitive.
Unauthenticated arbitrary file deletion in the WorkScout-Core WordPress plugin (versions <= 1.7.11) allows any remote attacker to delete files on the underlying server without credentials. The flaw stems from a path traversal weakness (CWE-22) in a file-handling endpoint that fails to sanitize user-supplied input before constructing filesystem paths. Exploitation requires no authentication, no user interaction, and no special configuration, meaning every publicly reachable WordPress installation running this plugin version is exposed; no public exploit or CISA KEV listing has been identified at time of analysis.
Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Contributor-level privileges to delete arbitrary files on the underlying server via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal.1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. No public exploit or CISA KEV listing exists at time of analysis, but the high confidentiality impact combined with low attack complexity makes this a meaningful data exposure risk on affected WordPress installations.
Unauthenticated arbitrary file deletion in the OvaTheme BookPro WordPress plugin (versions ≤ 1.1.0) allows remote attackers to delete arbitrary files from the underlying server via a path traversal flaw (CWE-22). Deletion of critical files such as wp-config.php can force a WordPress site into the setup state, enabling site takeover, while the scope-changed CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/A:H) and Patchstack disclosure mark this as a high-priority issue despite no public exploit being identified at time of analysis.
Arbitrary file download in the WooCommerce Book Price WordPress plugin (versions 1.3 and earlier) allows remote attackers to retrieve arbitrary files from the underlying server filesystem via path traversal. The CVSS vector indicates network-reachable exploitation without authentication or user interaction, yielding high confidentiality impact with no integrity or availability effects. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated arbitrary file download in JoomUnited's WP Media Folder Addon WordPress plugin versions 4.0.1 and below allows remote attackers to retrieve arbitrary files from the underlying server via a path traversal weakness (CWE-22). The flaw is exploitable over the network without authentication or user interaction, exposing sensitive WordPress and server files such as wp-config.php. No public exploit identified at time of analysis, and the issue is not currently tracked in CISA KEV.
Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.
Arbitrary file write via path traversal in SOLIDWORKS Visualize (bundled with SOLIDWORKS Desktop 2024 through 2026) allows remote attackers to place files at attacker-chosen locations on the server. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote, unauthenticated exploitation with high impact across confidentiality, integrity, and availability. At time of analysis, no public exploit identified and the issue is not on the CISA KEV list.
Authenticated path traversal in Gogs self-hosted Git service (versions <= 0.13.4) allows any user with repository edit permissions to overwrite arbitrary files on the host filesystem via the diff preview endpoint, resulting in denial of service. By abusing the `git diff --output=<file>` flag through the `POST /:user/:repo/_preview/:branch/:path_to_file` handler and bypassing the standard library `path.Clean` filter, an attacker can corrupt critical files such as `gogs.db` or `app.ini`. Publicly available exploit code exists in the form of a detailed researcher write-up with payload examples, though no CISA KEV listing or active exploitation has been reported.
Arbitrary file read in Runtipi 4.9.1-4.9.3 exposes sensitive container secrets via symlink following in an unauthenticated app-store logo endpoint. An attacker who controls a Git-based app-store repository can embed a symbolic link as a marketplace logo file; because the path guard performs only lexical validation before Node.js reads the file, Runtipi resolves and returns the symlink target, potentially leaking /data/.env, JWT secrets, service credentials, and seed values to any unauthenticated requester. No public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV; a vendor-confirmed fix is available in v4.10.0.
Arbitrary file deletion in evolution-data-server's addressbook file backend exposes host filesystem to manipulation by a Flatpak application with D-Bus access. The vulnerability exploits split validation logic: a crafted URI embedding directory traversal sequences (e.g., '../') is accepted without sufficient sanitization during contact creation or modification, but when the same URI is later processed at deletion time, a second, less restrictive check fails to catch the traversal - allowing files outside the intended addressbook directory to be removed. Critically, deletion of Flatpak override files could be leveraged to silently weaken sandbox restrictions for subsequent application runs. No public exploit has been identified at time of analysis.
Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's `path` matcher and `file_server` handler, where the matcher treats `\` as a literal character while Windows-native filesystem code treats it as a separator. A detailed proof-of-concept is published in the vendor advisory, though no public exploit identified at time of analysis in exploitation databases.
Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.
Arbitrary file deletion in the Car Zone WordPress theme (versions through 3.7) by Aivah Themes lets remote, unauthenticated attackers remove files on the underlying server through a path-traversal flaw. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/A:H) reflects that file deletion crosses scope into the broader WordPress installation, enabling denial-of-service or forced reinstall scenarios. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Path manipulation in the LangGraph Python SDK (langgraph-sdk) version 0.3.14 and earlier lets caller-supplied identifier values containing URL-special characters redirect an HTTP request to a different resource — or resource type — than the SDK call intended. When applications forward untrusted, unvalidated identifiers into SDK methods and rely on upstream URL-prefix authorization, an attacker can reach, modify, or delete resources outside their authorization scope. There is no public exploit identified at time of analysis and EPSS is low (0.22%), but CVSS is rated 9.1 due to high confidentiality and integrity impact.