Total
350 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-20310 | 1 Cisco | 1 Unified Communications Manager Im And Presence Service | 2025-08-01 | 6.1 Medium |
| A vulnerability in the web-based interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | ||||
| CVE-2025-54531 | 1 Jetbrains | 1 Teamcity | 2025-07-31 | 7.7 High |
| In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows | ||||
| CVE-2025-54317 | 1 Logpoint | 1 Logpoint | 2025-07-30 | 8.4 High |
| An issue was discovered in Logpoint before 7.6.0. An attacker with operator privileges can exploit a path traversal vulnerability when creating a Layout Template, which can lead to remote code execution (RCE). | ||||
| CVE-2024-54461 | 1 Flutter | 1 File Selector Android | 2025-07-30 | 7.1 High |
| The file names constructed within file_selector are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select a document file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vulnerability. | ||||
| CVE-2024-54462 | 1 Flutter | 1 Image Picker Android | 2025-07-30 | 7.1 High |
| The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnerability. | ||||
| CVE-2024-6483 | 1 Aimstack | 1 Aim | 2025-07-23 | N/A |
| A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss. | ||||
| CVE-2025-22859 | 1 Fortinet | 2 Forticlientems, Forticlientems Cloud | 2025-07-16 | 5 Medium |
| A Relative Path Traversal vulnerability [CWE-23] in FortiClientEMS 7.4.0 through 7.4.1 and FortiClientEMS Cloud 7.4.0 through 7.4.1 may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upload requests. | ||||
| CVE-2023-40714 | 1 Fortinet | 1 Fortisiem | 2025-07-15 | 9.7 Critical |
| A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements | ||||
| CVE-2024-6583 | 1 Quivr | 1 Quivr | 2025-07-15 | N/A |
| A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request. | ||||
| CVE-2024-5547 | 1 Stitionai | 1 Devika | 2025-07-15 | N/A |
| A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'project_name' parameter in the download_project_pdf function. Attackers can exploit this flaw by manipulating the 'project_name' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory. | ||||
| CVE-2025-7619 | 1 Wellchoose | 1 Batchsigncs | 2025-07-15 | 8.8 High |
| BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution. | ||||
| CVE-2024-12019 | 1 Logicaldoc | 1 Logicaldoc | 2025-07-15 | N/A |
| The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application. | ||||
| CVE-2024-10513 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-14 | N/A |
| A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss. | ||||
| CVE-2025-7146 | 1 Jhenggao | 1 Ipublish System | 2025-07-13 | 7.5 High |
| The iPublish System developed by Jhenggao has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to read arbitrary system file. | ||||
| CVE-2025-1588 | 1 Phpgurukul | 1 Online Nurse Hiring System | 2025-07-13 | 6.5 Medium |
| A vulnerability has been found in PHPGurukul Online Nurse Hiring System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/manage-nurse.php. The manipulation of the argument profilepic leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting vulnerability classes. | ||||
| CVE-2024-35186 | 1 Byron | 1 Gitoxide | 2025-07-12 | 8.8 High |
| gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0. | ||||
| CVE-2024-22398 | 1 Sonicwall | 1 Email Security | 2025-07-12 | 4.9 Medium |
| An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system. | ||||
| CVE-2024-6433 | 1 Stitionai | 1 Devika | 2025-07-12 | N/A |
| The application zips all the files in the folder specified by the user, which allows an attacker to read arbitrary files on the system by providing a crafted path. This vulnerability can be exploited by sending a request to the application with a malicious snapshot_path parameter. | ||||
| CVE-2024-3025 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-09 | N/A |
| mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can lead to unauthorized reading or deletion of files by utilizing the `/api/system/upload-logo` and `/api/system/logo` endpoints. The issue stems from the lack of filtering or validation on the logo filename, allowing attackers to target sensitive files such as the application's database. | ||||
| CVE-2024-0549 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-09 | N/A |
| mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability. | ||||