Total: 7580 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-54004 | 1 Jenkins | 1 Filesystem List Parameter | 2025-10-03 | N/A | 4.3 MEDIUM | Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
CVE-2024-39826 | 1 Zoom | 3 Meeting Software Development Kit, Workplace Desktop, Workplace Virtual Desktop Infrastructure | 2025-10-02 | N/A | 6.8 MEDIUM | Race condition in Team Chat for some Zoom Workplace Apps and SDKs for Windows may allow an authenticated user to conduct information disclosure via network access.
CVE-2025-59744 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 7.5 HIGH | Path traversal vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to access files only within the web root using the “docurl” parameter in “/lib/asp/DOCSAVEASASP.ASP”.
CVE-2025-6465 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 4.3 MEDIUM | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
CVE-2025-6233 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 6.8 MEDIUM | Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
CVE-2025-10273 | 1 10oa | 1 10oa | 2025-10-02 | 2.7 LOW | 3.5 LOW | A vulnerability was identified in erjinzhi 10OA 1.0. Affected by this vulnerability is an unknown functionality of the file /view/file.aspx. Manipulation of the argument File leads to path traversal. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-8559 | | | 2025-10-02 | N/A | 6.5 MEDIUM | The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
CVE-2025-43813 | | | 2025-10-02 | N/A | N/A | Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to access arbitrary CSS and JSS files and load the files multiple times via the query string in a URL.
CVE-2025-54292 | | | 2025-10-02 | N/A | N/A | Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
CVE-2025-54293 | | | 2025-10-02 | N/A | N/A | Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.
CVE-2025-11182 | | | 2025-10-02 | N/A | 6.5 MEDIUM | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Download of Code Without Integrity Check vulnerability in GTONE ChangeFlow allows Path Traversal. This issue affects ChangeFlow: All versions to v9.0.1.1.
CVE-2025-11020 | | | 2025-10-02 | N/A | 8.8 HIGH | An attacker can obtain server information using a Path Traversal vulnerability to conduct SQL Injection, which possibly exploits an Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux. This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*.
CVE-2025-11233 | | | 2025-10-02 | N/A | N/A | Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.
CVE-2025-58769 | | | 2025-10-02 | N/A | 3.3 LOW | auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
CVE-2025-11221 | | | 2025-10-02 | N/A | 8.8 HIGH | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs. This issue affects ChangeFlow: from All versions through v9.0.1.1.
CVE-2025-49089 | 1 Harry0703 | 1 Moneyprinterturbo | 2025-10-02 | N/A | 6.3 MEDIUM | wangxutech MoneyPrinterTurbo 1.2.6 allows path traversal via /api/v1/download/ URIs such as /api/v1/download//etc/passwd.
CVE-2024-53537 | 1 Openpanel | 1 Openpanel | 2025-10-02 | N/A | 9.1 CRITICAL | An issue in OpenPanel v0.3.4 to v0.2.1 allows attackers to execute a directory traversal in File Actions of File Manager.
CVE-2025-25279 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 9.9 CRITICAL | Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.
CVE-2025-46565 | 1 Vitejs | 1 Vite | 2025-10-02 | N/A | 5.3 MEDIUM | Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected. Only files that are under the project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns could be bypassed for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
CVE-2024-55401 | 1 4cstrategies | 1 Exonaut | 2025-10-01 | N/A | 6.5 MEDIUM | An issue in 4C Strategies Exonaut before v22.4 allows attackers to execute a directory traversal.