Search Results (9632 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-26292 2026-04-15 N/A
An authenticated Arbitrary File Deletion vulnerability enables an attacker to delete critical files. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.
CVE-2025-52926 2026-04-15 2.7 Low
In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware are not rendered in the interactive user interface.
CVE-2024-51998 1 Dgtlmoon 1 Changedetection.io 2026-04-15 8.6 High
changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` false or not defined. The check used for URL protocol, `is_safe_url`, allows `file:` as a URL scheme. It later checks if local files are permitted, but one of the preconditions for the check is that the URL starts with `file://`. The issue comes with the fact that the file URI scheme is not required to have double slashes. This issue has been addressed in version 0.47.06 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-51990 1 Martinvonz 1 Jj 2026-04-15 N/A
jj, or Jujutsu, is a Git-compatible VCS written in rust. In affected versions specially crafted Git repositories can cause `jj` to write files outside the clone. This issue has been addressed in version 0.23.0. Users are advised to upgrade. Users unable to upgrade should avoid cloning repos from unknown sources.
CVE-2024-51483 1 Changedetection 1 Changedetection 2026-04-15 N/A
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
CVE-2024-38709 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Milan Petrovic GD Rating System allows PHP Local File Inclusion.This issue affects GD Rating System: from n/a through 3.6.
CVE-2024-5040 1 Lcds 1 Laquis Scada 2026-04-15 7.8 High
There are multiple ways in LCDS LAquis SCADA for an attacker to access locations outside of their own directory.
CVE-2024-0980 2026-04-15 7.1 High
The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code.
CVE-2024-13471 1 Wordpress 1 Wordpress 2026-04-15 7.5 High
The DesignThemes Core Features plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dt_process_imported_file function in all versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to read arbitrary files on the underlying operating system.
CVE-2025-59372 1 Asus 1 Router 2026-04-15 N/A
A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
CVE-2025-41428 2026-04-15 N/A
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in TimeWorks 10.0 to 10.3. If exploited, arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.
CVE-2025-12824 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.
CVE-2024-52600 1 Statamic 1 Statamic 2026-04-15 5.3 Medium
Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0.
CVE-2025-12060 1 Keras 1 Keras 2026-04-15 8.3 High
The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).
CVE-2024-47464 2026-04-15 6.8 Medium
An authenticated Path Traversal vulnerability exists in Instant AOS-8 and AOS-10. Successful exploitation of this vulnerability allows an attacker to copy arbitrary files to a user readable location from the command line interface of the underlying operating system, which could lead to a remote unauthorized access to files.
CVE-2024-6281 1 Parisneo 1 Lollms 2026-04-15 N/A
A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.
CVE-2025-22240 2026-04-15 6.3 Medium
Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to.
CVE-2019-25246 2026-04-15 8.8 High
Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths.
CVE-2025-22238 2026-04-15 4.2 Medium
Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite 'cache' files outside of the cache directory.
CVE-2025-21095 2026-04-15 4.9 Medium
Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.