Search Results (2289 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-36878 1 Request 1 Serious Play 2026-04-15 N/A
ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources.
CVE-2025-3103 2026-04-15 7.5 High
The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.
CVE-2025-29930 2026-04-15 N/A
imFAQ is an advanced questions and answers management system for ImpressCMS. Prior to 1.0.1, if the $_GET['seoOp'] parameter is manipulated to include malicious input (e.g., seoOp=php://filter/read=convert.base64-encode/resource=/var/www/html/config.php), the application could allow an attacker to read sensitive files on the server (Local File Inclusion, LFI). The $_GET['seoOp'] and $_GET['seoArg'] parameters are directly used without sanitization or validation. This is partly mitigated by the fact that the ImpressCMS sensitive files are stored outside the web root, in a folder with a randomized name. The issue has been resolved in imFaq 1.0.1.
CVE-2025-4952 2 Eset, Microsoft 13 Endpoint Antivirus, Endpoint Security, File Security and 10 more 2026-04-15 N/A
Tampering of the registry entries might have led to preventing the ESET security products from starting correctly on the next system startup or to unauthorized changes in the product's configuration.
CVE-2024-10018 1 Tecno 1 Com.transsion.aivoiceassistant 2026-04-15 9.8 Critical
Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.
CVE-2024-10209 2026-04-15 N/A
An Incorrect Permission Assignment for Critical Resource vulnerability in the file system used in B&R APROL <4.4-01 may allow an authenticated local attacker to read and alter the configuration of another engineering or runtime user.
CVE-2025-52873 1 Cognex 2 In-sight Camera Firmware, In-sight Explorer 2026-04-15 8.1 High
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSystemConfig functionality to modify relevant device properties (such as network settings), contradicting the security model proposed in the user manual.
CVE-2025-10134 2 Bearsthemes, Wordpress 2 Goza Nonprofit Charity Wordpress Theme, Wordpress 2026-04-15 9.1 Critical
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVE-2020-37078 1 I-doit 1 I-doit 2026-04-15 8.8 High
i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem.
CVE-2025-61969 1 Amd 1 Amd Uprof 2026-04-15 N/A
Incorrect permission assignment in AMD µProf may allow a local user-privileged attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2024-12066 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The SMSA Shipping(official) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsa_delete_label() function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVE-2024-49249 is likely a duplicate of this issue.
CVE-2026-4702 1 Mozilla 2 Firefox, Firefox Esr 2026-04-14 9.8 Critical
JIT miscompilation in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
CVE-2026-34450 2 Anthropic, Anthropics 2 Claude Sdk For Python, Anthropic-sdk-python 2026-04-14 4.4 Medium
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
CVE-2026-34522 1 Sillytavern 1 Sillytavern 2026-04-14 8.1 High
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name. This issue has been patched in version 1.17.0.
CVE-2026-35174 2 Chyrplite, Xenocrat Project 2 Chyrp Lite, Chyrp-lite 2026-04-14 9.1 Critical
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.
CVE-2026-23898 1 Joomla 2 Joomla!, Joomla\! 2026-04-10 7.2 High
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
CVE-2025-14979 1 Airvpn 1 Eddie 2026-04-09 7.8 High
AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6.
CVE-2025-9920 1 Campcodes 1 Online Recruitment Management System 2026-04-09 4.7 Medium
A security flaw has been discovered in Campcodes Recruitment Management System 1.0. This impacts the function include of the file /admin/index.php. The manipulation of the argument page results in file inclusion. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
CVE-2026-30282 2 Uxgroup, Uxgroupllc 2 Cast To Tv Screen Mirroring, Cast To Tv 2026-04-08 9 Critical
An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure.
CVE-2026-33949 2 Ssw, Tina 2 Tinacms\/graphql, Tinacms 2026-04-08 8.1 High
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.