Total
7918 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14311 | 2025-12-09 | N/A | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JMRI.This issue affects JMRI: before 5.13.3. | ||||
| CVE-2025-14220 | 1 Orico | 1 Cd3510 | 2025-12-09 | 4.3 Medium |
| A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-12425 | 3 Debian, Libreoffice, The Document Foundation | 3 Debian Linux, Libreoffice, Libreoffice | 2025-12-08 | 3.3 Low |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before < 24.8.4. | ||||
| CVE-2013-5979 | 1 Xibosignage | 1 Xibo | 2025-12-08 | N/A |
| Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php. | ||||
| CVE-2023-7077 | 1 Sharp | 52 Nec E705, Nec E705 Firmware, Nec E805 and 49 more | 2025-12-08 | 9.8 Critical |
| Sharp NEC Displays (P403, P463, P553, P703, P801, X554UN, X464UN, X554UNS, X464UNV, X474HB, X464UNS, X554UNV, X555UNS, X555UNV, X754HB, X554HB, E705, E805, E905, UN551S, UN551VS, X551UHD, X651UHD, X841UHD, X981UHD, MD551C8) allows an attacker execute remote code by sending unintended parameters in http request. | ||||
| CVE-2025-29843 | 1 Synology | 2 File Station, Router Manager | 2025-12-05 | 5.4 Medium |
| A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files. | ||||
| CVE-2025-29844 | 1 Synology | 2 File Station, Router Manager | 2025-12-05 | 4.3 Medium |
| A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information. | ||||
| CVE-2025-29845 | 1 Synology | 1 Router Manager | 2025-12-05 | 4.3 Medium |
| A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files. | ||||
| CVE-2025-29846 | 1 Synology | 1 Router Manager | 2025-12-05 | 7.2 High |
| A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages. | ||||
| CVE-2023-47222 | 1 Qnap | 1 Media Streaming Add-on | 2025-12-05 | 9.6 Critical |
| An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later | ||||
| CVE-2025-57698 | 1 Astrbot | 1 Astrbot | 2025-12-05 | 7.5 High |
| AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function `file.save`, so that the file in the request body can be saved to any location in the file system through directory traversal. | ||||
| CVE-2025-54347 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 9.9 Critical |
| A Directory Traversal vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to write arbitrary files under certain conditions. | ||||
| CVE-2025-65346 | 1 Alexusmai | 1 Laravel-file-manager | 2025-12-05 | 9.1 Critical |
| alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths. | ||||
| CVE-2025-65345 | 1 Alexusmai | 1 Laravel-file-manager | 2025-12-05 | 6.5 Medium |
| alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation. | ||||
| CVE-2025-54307 | 1 Thermofisher | 1 Torrent Suite | 2025-12-05 | 8.8 High |
| An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint. | ||||
| CVE-2025-22167 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2025-12-05 | 6.5 Medium |
| This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process. Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Software Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.28 Jira Software Data Center and Server 10.3: Upgrade to a release greater than or equal to 10.3.12 Jira Software Data Center and Server 11.0: Upgrade to a release greater than or equal to 11.1.0 See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center. This vulnerability was reported via our Atlassian (Internal) program. | ||||
| CVE-2025-54160 | 1 Synology | 1 Beedrive For Desktop | 2025-12-04 | 7.8 High |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | ||||
| CVE-2025-34238 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-12-04 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated network administrator to cause the application to read and return the contents of arbitrary files the web user (www-data) can access. | ||||
| CVE-2025-39664 | 1 Checkmk | 1 Checkmk | 2025-12-04 | 6.5 Medium |
| Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory. | ||||
| CVE-2025-13791 | 1 Scada-lts | 1 Scada-lts | 2025-12-04 | 6.3 Medium |
| A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||