Vulnerabilities (CVE)

Filtered by CWE-22
Total 7143 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-29789 1 Open-emr 1 Openemr 2025-05-06 N/A 7.5 HIGH
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are vulnerable to Directory Traversal in the Load Code feature. Version 7.3.0 contains a patch for the issue.
CVE-2022-32938 1 Apple 3 Ipados, Iphone Os, Macos 2025-05-06 N/A 5.3 MEDIUM
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13. A shortcut may be able to check the existence of an arbitrary path on the file system.
CVE-2024-24994 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-24992 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-23535 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-24997 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-24999 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-25000 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-25461 1 Creatio 1 Crm Creatio 2025-05-06 N/A 7.5 HIGH
Directory Traversal vulnerability in Terrasoft, Creatio Terrasoft CRM v.7.18.4.1532 allows a remote attacker to obtain sensitive information via a crafted request to the terrasoft.axd component.
CVE-2018-1002205 1 Dotnetzip.semverd Project 1 Dotnetzip.semverd 2025-05-06 4.3 MEDIUM 5.5 MEDIUM
DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
CVE-2024-27976 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.8 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-27977 1 Ivanti 1 Avalanche 2025-05-06 N/A 8.1 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service.
CVE-2025-45238 2025-05-06 N/A 9.1 CRITICAL
foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method.
CVE-2024-31860 1 Apache 1 Zeppelin 2025-05-06 N/A 6.5 MEDIUM
Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.  This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.
CVE-2024-27984 1 Ivanti 1 Avalanche 2025-05-06 N/A 7.1 HIGH
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service.
CVE-2022-34662 1 Apache 1 Dolphinscheduler 2025-05-06 N/A 6.5 MEDIUM
When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher
CVE-2022-2711 1 Soflyy 1 Wp All Import 2025-05-05 N/A 7.2 HIGH
The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.
CVE-2024-25065 1 Apache 1 Ofbiz 2025-05-05 N/A 9.1 CRITICAL
Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE-2024-11615 2025-05-05 N/A 5.3 MEDIUM
The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.0 via the 'zetra_deleteLanguageFile' and 'zetra_deleteFontsFile' functions. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete language files.
CVE-2025-46559 2025-05-05 N/A 5.4 MEDIUM
Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.