Search Results (9564 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-58751 | 1 Vitejs | 1 Vite | 2025-09-17 | 5.3 Medium |
| Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue. | ||||
| CVE-2025-8815 | 2 Morning-pro, Morning Project | 2 Morning, Morning | 2025-09-16 | 7.3 High |
| A vulnerability was found in 猫宁i Morning up to bc782730c74ff080494f145cc363a0b4f43f7d3e. It has been classified as critical. Affected is an unknown function of the file /index of the component Shiro Configuration. The manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | ||||
| CVE-2025-8729 | 2 Lmeterx Project, Migoxlab | 2 Lmeterx, Lmeterx | 2025-09-16 | 6.3 Medium |
| A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-6925 | 1 Dromara | 1 Ruoyi-vue-plus | 2025-09-16 | 5.3 Medium |
| A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6853 | 1 Chatchat-space | 1 Langchain-chatchat | 2025-09-16 | 6.3 Medium |
| A vulnerability classified as critical has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This affects the function upload_temp_docs of the file /knowledge_base/upload_temp_docs of the component Backend. The manipulation of the argument flag leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-55526 | 2 Microsoft, N8n | 5 Windows 11, Fastapi, N8n and 2 more | 2025-09-15 | 9.1 Critical |
| n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py | ||||
| CVE-2024-55213 | 1 Dhtmlx | 1 File Explorer | 2025-09-15 | 6.5 Medium |
| Directory Traversal vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive information via the File Listing function. | ||||
| CVE-2024-55214 | 1 Dhtmlx | 1 File Explorer | 2025-09-15 | 6.5 Medium |
| Local File Inclusion vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive information via the file download functionality. | ||||
| CVE-2024-57248 | 1 Gleamtech | 1 Filevista | 2025-09-15 | 6.3 Medium |
| Directory Traversal in File Upload in Gleamtech FileVista 9.2.0.0 allows remote attackers to achieve Code Execution, Information Disclosure, and Escalation of Privileges via injecting malicious payloads in HTTP requests to manipulate file paths, bypass access controls, and upload malicious files. | ||||
| CVE-2025-25223 | 1 Luxsoft | 1 Luxcal Web Calendar | 2025-09-15 | 5.3 Medium |
| The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained. | ||||
| CVE-2024-22809 | 1 Tormach | 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router | 2025-09-15 | 6.5 Medium |
| Incorrect access control in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to access the G code's shared folder and view sensitive information. | ||||
| CVE-2024-22815 | 1 Tormach | 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router | 2025-09-15 | 5.3 Medium |
| An issue in the communication protocol of Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) via crafted commands. | ||||
| CVE-2025-6772 | 2 Dbgpt, Eosphoros-ai | 2 Db-gpt, Db-gpt | 2025-09-15 | 7.3 High |
| A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the function import_flow of the file /api/v2/serve/awel/flow/import. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10233 | 2 Kalcaddle, Kodcloud | 2 Kodbox, Kodbox | 2025-09-12 | 6.3 Medium |
| A security vulnerability has been detected in kalcaddle kodbox 1.61. This affects the function fileGet/fileSave of the file app/controller/explorer/editor.class.php. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-31220 | 1 Lizardbyte | 1 Sunshine | 2025-09-11 | 7.3 High |
| Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit the vulnerability, an attacker could make an http/s request to the `node_modules` endpoint if the user exposed the Sunshine config web server to the internet or the attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall. | ||||
| CVE-2025-5385 | 2 Huayi-tec, Jeewms | 2 Jeewms, Jeewms | 2025-09-11 | 6.3 Medium |
| A vulnerability was found in JeeWMS up to 20250504. It has been declared as critical. This vulnerability affects the function doAdd of the file /cgformTemplateController.do?doAdd. The manipulation leads to path traversal. The attack can be initiated remotely. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2018-18434 | 1 Linlinjava | 1 Litemall | 2025-09-11 | N/A |
| An issue was discovered in litemall 0.9.0. Arbitrary file download is possible via ../ directory traversal in linlinjava/litemall/wx/web/WxStorageController.java in the litemall-wx-api component. | ||||
| CVE-2025-51463 | 1 Aimstack | 1 Aim | 2025-09-11 | 7 High |
| Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the server's filesystem via a crafted backup tar file submitted to the run_instruction API, which is extracted without path validation during restoration. | ||||
| CVE-2025-8753 | 1 Linlinjava | 1 Litemall | 2025-09-11 | 5.4 Medium |
| A vulnerability, which was classified as critical, has been found in linlinjava litemall up to 1.8.0. Affected by this issue is the function delete of the file /admin/storage/delete of the component File Handler. The manipulation of the argument key leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-32023 | 1 Bmaltais | 1 Kohya Ss | 2025-09-08 | 6.5 Medium |
| Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is vulnerable to a path injection in the `common_gui.py` `find_and_replace` function. This vulnerability is fixed in 23.1.5. | ||||