Search Results (9537 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-10268 2 Printcart, Wordpress 2 Web To Print Product Designer, Wordpress 2026-06-29 5.3 Medium
The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server.
CVE-2026-13426 1 Mattermost 1 Mattermost Server 2026-06-29 5.4 Medium
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
CVE-2026-57321 2 Icc0rz, Wordpress 2 H5p, Wordpress 2026-06-29 7.1 High
Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions.
CVE-2026-29509 1 Wummel 1 Patool 2026-06-29 5.4 Medium
Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
CVE-2026-28701 1 Daktronics 3 Dmp-5000, Dmp-8000, Vfc-dmp-5000 2026-06-29 9.8 Critical
Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
CVE-2026-57872 1 Geovision Inc. 2 Gv-lpc2011 Lpc2211, Gv-lpclpc2011 2211 2026-06-29 7.5 High
An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied file path input before the requested file is accessed by the CGI component. A remote attacker may exploit this vulnerability by sending a crafted request to read arbitrary files accessible to the affected process, resulting in information disclosure.
CVE-2026-57346 2 Epiph, Wordpress 2 Embed Privacy, Wordpress 2026-06-29 7.1 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Epiphyt Embed Privacy allows Path Traversal. This issue affects Embed Privacy: from n/a through 1.12.3.
CVE-2026-13509 1 Ragapp 1 Ragapp 2026-06-29 6.3 Medium
A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
CVE-2026-13528 2 Yunaiv, Zhijiantianya 2 Ruoyi-vue-pro, Ruoyi-vue-pro 2026-06-29 7.3 High
A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File Upload Endpoint. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 4ae3f6b2c9883978837638c14e3d18419819eeb0. It is recommended to apply a patch to fix this issue. This product is published by multiple vendors.
CVE-2026-49991 1 Rustfs 1 Rustfs 2026-06-29 8.6 High
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
CVE-2026-13503 1 Antlr 1 Antlr4 2026-06-29 5.3 Medium
A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-57966 1 Redhat 1 Enterprise Linux 2026-06-29 4.4 Medium
A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs because the filename provided by the SPICE host during file transfers is not properly sanitized before being used. An attacker could exploit this to write to sensitive locations with the privileges of the spice-vdagent process, typically the logged-in user. This issue requires the SPICE host to be untrusted or compromised for exploitation.
CVE-2026-45807 1 Kestra-io 1 Kestra 2026-06-29 7.7 High
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .. written as %2E%2E slips through. The downstream code then calls URI.getPath(), which decodes %2E%2E back to .., and the resulting path is handed to Paths.get(...) without normalization. The OS resolves the .. segments at open(2) time, so an authenticated user with a single execution can read any file the Kestra process has access to on the host filesystem (/etc/passwd, mounted secrets, other tenants' execution outputs, etc.). This vulnerability is fixed in 1.0.43 and 1.3.19.
CVE-2026-48944 1 Getk2 1 K2 Extension For Joomla 2026-06-28 6.5 Medium
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
CVE-2026-54352 1 Budibase 1 Budibase 2026-06-27 9.6 Critical
Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip@2.0.1 into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via GET /api/assets/{appId}/pwa/{uuid}.png. extract-zip@2.0.1 preserves absolute symlink targets when restoring symlink entries. The icon-source validator at packages/server/src/api/controllers/static/index.ts:259-268 resolves the icon source string against baseDir (path.resolve), checks resolvedSrc.startsWith(baseDir + path.sep) against that string, and calls fs.existsSync(resolvedSrc) which follows symbolic links to confirm the target exists. None of the three calls reject symbolic-link entries. packages/backend-core/src/objectStore/objectStore.ts:302 then calls (await fsp.open(path)).createReadStream() on the resolved path. fsp.open follows the symlink, the target file's bytes stream into MinIO, and the response of the asset-fetch endpoint returns those bytes verbatim. Result: a workspace-level builder reads any file the server process can open. This vulnerability is fixed in 3.39.9.
CVE-2026-55677 1 Labstack 1 Echo 2026-06-26 7.5 High
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.
CVE-2026-54557 1 Jdx 1 Mise 2026-06-26 5.5 Medium
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.
CVE-2026-56066 2 Shortpixel, Wordpress 2 Shortpixel Adaptive Images, Wordpress 2026-06-26 5.8 Medium
Unauthenticated Arbitrary File Deletion in ShortPixel Adaptive Images <= 3.11.4 versions.
CVE-2026-54250 1 K3s 1 K3s 2026-06-26 5.8 Medium
K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.
CVE-2025-64152 1 Apache 1 Iotdb 2026-06-26 9.1 Critical
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.6 and 2.0.7, which fixes the issue.