Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-43691

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-29 Nov, 2021 | 15:04
Updated At-04 Aug, 2024 | 04:03
Rejected At-
Credits

tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:29 Nov, 2021 | 15:04
Updated At:04 Aug, 2024 | 04:03
Rejected At:
▼CVE Numbering Authority (CNA)

tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/toocool/tripexpress/issues/40
x_refsource_MISC
Hyperlink: https://github.com/toocool/tripexpress/issues/40
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/toocool/tripexpress/issues/40
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/toocool/tripexpress/issues/40
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:29 Nov, 2021 | 16:15
Updated At:01 Dec, 2021 | 16:20

tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

tripexpress_project
tripexpress_project
>>tripexpress>>1.1
cpe:2.3:a:tripexpress_project:tripexpress:1.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Primarynvd@nist.gov
CWE ID: CWE-22
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/toocool/tripexpress/issues/40cve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://github.com/toocool/tripexpress/issues/40
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1071Records found

CVE-2019-7267
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-21.45% / 97.34%
||
7 Day CHG~0.00%
Published-02 Jul, 2019 | 16:45
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Linear eMerge 50P/5000P devices allow Cookie Path Traversal.

Action-Not Available
Vendor-nortekcontroln/a
Product-linear_emerge_50p_firmwarelinear_emerge_50plinear_emerge_5000p_firmwarelinear_emerge_5000pn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-34939
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.03% / 91.31%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 00:00
Updated-06 Dec, 2024 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Onlyoffice Community Server before v12.5.2 was discovered to contain a remote code execution (RCE) vulnerability via the component UploadProgress.ashx.

Action-Not Available
Vendor-onlyofficen/a
Product-onlyofficen/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-9642
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.43% / 82.43%
||
7 Day CHG~0.00%
Published-05 Jun, 2019 | 16:15
Updated-04 Aug, 2024 | 21:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution via a proxy.php?hash=../../../../../var/lib/pydio/data/personal/guest/PoC.php request. This is related to plugins/action.share/src/Store/ShareStore.php.

Action-Not Available
Vendor-pydion/a
Product-pydion/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2007-4825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.43% / 87.63%
||
7 Day CHG~0.00%
Published-12 Sep, 2007 | 01:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function.

Action-Not Available
Vendor-n/aThe PHP Group
Product-phpn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-15639
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-11.55% / 95.55%
||
7 Day CHG~0.00%
Published-25 Aug, 2020 | 20:21
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Authentication is not required to exploit this vulnerability. The specific flaw exists within the decryptFile method of the FlashValidatorServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10496.

Action-Not Available
Vendor-marvellMarvell
Product-qconvergeconsoleQConvergeConsole
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-34865
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 65.01%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 00:00
Updated-03 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature.

Action-Not Available
Vendor-ujcmsn/aLinux Kernel Organization, Inc
Product-linux_kernelujcmsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-6127
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.8||CRITICAL
EPSS-10.26% / 95.17%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 19:25
Updated-14 Jul, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BC Security Empire Path Traversal RCE

BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path.

Action-Not Available
Vendor-BC Securitybcsecurity
Product-Empireempire
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-5980
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.1||CRITICAL
EPSS-1.31% / 67.37%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 18:46
Updated-21 Oct, 2025 | 14:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

Action-Not Available
Vendor-lightningailightning-ailightning_ai
Product-pytorch_lightninglightning-ai/pytorch-lightninglightning_ai\/pytorch_lightning
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-14507
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-4.89% / 91.09%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 01:48
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Advantech iView, versions 5.6 and prior, is vulnerable to multiple path traversal vulnerabilities that could allow an attacker to create/download arbitrary files, limit system availability, and remotely execute code.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-iviewAdvantech iView
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2007-4008
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.90% / 85.41%
||
7 Day CHG~0.00%
Published-26 Jul, 2007 | 00:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in custom.php in Entertainment Media Sharing CMS allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pagename parameter.

Action-Not Available
Vendor-entertainment_cmsn/a
Product-entertainment_cmsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-14523
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.3||HIGH
EPSS-2.25% / 80.98%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 17:40
Updated-16 Apr, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mitsubishi Electric Factory Automation Products Path Traversal

Multiple Mitsubishi Electric Factory Automation products have a vulnerability that allows an attacker to execute arbitrary code.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-rd78g4rd78ghviu_configuration_toolfr_configurator2rd78g16_firmwaremx_componentgx_works3rd78g64melsoft_iq_appportalrd78ghv_firmwarerd78g8rd78g32_firmwaremt_works2cw_configuratorrd78g16rd78g8_firmwarerd78g64_firmwaremelsoft_navigatorrd78ghw_firmwareiu_developer2rd78g32rd78ghwgx_works2mr_configurator2mi_configuratorrd78g4_firmwarert_toolbox3RT ToolBox3CW ConfiguratorGX Works3MI ConfiguratorMR Configurator2GX Works2MELSOFT NavigatorMX ComponentFR Configurator2MELSEC iQ-R Series Motion ModuleMELSOFT iQ AppPortalMT Works2
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-13450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.59% / 92.03%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 21:17
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. This can lead to DoS, a change to program behavior, or code execution.

Action-Not Available
Vendor-thecodingmachinen/a
Product-gotenbergn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-12640
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.73% / 93.20%
||
7 Day CHG~0.00%
Published-04 May, 2020 | 14:58
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

Action-Not Available
Vendor-n/aRoundcube Webmail ProjectopenSUSE
Product-webmailbackports_sleleapn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-11819
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-26.78% / 97.81%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 17:42
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

Action-Not Available
Vendor-rukovoditeln/a
Product-rukovoditeln/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-7134
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.94% / 56.97%
||
7 Day CHG~0.00%
Published-28 Dec, 2023 | 20:00
Updated-20 Nov, 2024 | 21:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Medicine Tracking System path traversal

A vulnerability was found in SourceCodester Medicine Tracking System 1.0. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument page leads to path traversal: '../filedir'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249137 was assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-medicine_tracker_systemMedicine Tracking System
CWE ID-CWE-24
Path Traversal: '../filedir'
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-5509
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.59% / 44.47%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 16:00
Updated-09 Jun, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
quequnlong shiyi-blog upload path traversal

A vulnerability classified as critical has been found in quequnlong shiyi-blog up to 1.2.1. This affects an unknown part of the file /api/file/upload. The manipulation of the argument file/source leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-quequnlongquequnlong
Product-shiyi-blogshiyi-blog
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54387
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.67% / 47.78%
||
7 Day CHG~0.00%
Published-05 Aug, 2025 | 00:10
Updated-09 Oct, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IPX is Vulnerable to Path Traversal via Prefix Matching Bypass

IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. This is fixed in versions 1.3.2, 2.1.1 and 3.1.1.

Action-Not Available
Vendor-unjsunjs
Product-ipxipx
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54386
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-1.07% / 61.13%
||
7 Day CHG~0.00%
Published-01 Aug, 2025 | 23:32
Updated-26 Nov, 2025 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Traefik's Client Plugin is Vulnerable to Path Traversal, Arbitrary File Overwrites and Remote Code Execution

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

Action-Not Available
Vendor-traefiktraefik
Product-traefiktraefik
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-30
Path Traversal: '\dir\..\filename'
CVE-2023-35169
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-3.19% / 86.67%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 20:37
Updated-27 Nov, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
php-imap vulnerable to RCE through a directory traversal vulnerability

PHP-IMAP is a wrapper for common IMAP communication without the need to have the php-imap module installed / enabled. Prior to version 5.3.0, an unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability, which results in a remote code execution vulnerability. Every application that stores attachments with `Attachment::save()` without providing a `$filename` or passing unsanitized user input is affected by this attack. An attacker can send an email with a malicious attachment to the inbox, which gets crawled with `webklex/php-imap` or `webklex/laravel-imap`. Prerequisite for the vulnerability is that the script stores the attachments without providing a `$filename`, or providing an unsanitized `$filename`, in `src/Attachment::save(string $path, string $filename = null)`. In this case, where no `$filename` gets passed into the `Attachment::save()` method, the package would use a series of unsanitized and insecure input values from the mail as fallback. Even if a developer passes a `$filename` into the `Attachment::save()` method, e.g. by passing the name or filename of the mail attachment itself (from email headers), the input values never get sanitized by the package. There is also no restriction about the file extension (e.g. ".php") or the contents of a file. This allows an attacker to upload malicious code of any type and content at any location where the underlying user has write permissions. The attacker can also overwrite existing files and inject malicious code into files that, e.g. get executed by the system via cron or requests. Version 5.3.0 contains a patch for this issue.

Action-Not Available
Vendor-webklexWebklex
Product-php-imapphp-imap
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-12265
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.15% / 80.06%
||
7 Day CHG~0.00%
Published-26 Apr, 2020 | 16:46
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.

Action-Not Available
Vendor-decompress_projectn/a
Product-decompressn/a
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-12315
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.73% / 75.02%
||
7 Day CHG~0.00%
Published-12 Nov, 2020 | 18:14
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in the Intel(R) EMA before version 1.3.3 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-endpoint_management_assistantIntel(R) EMA
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-11705
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.91% / 55.92%
||
7 Day CHG~0.00%
Published-12 Apr, 2020 | 02:43
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/ImportCertificate allows an attacker to load an arbitrary certificate in .pfx format or overwrite arbitrary files via the fileName parameter.

Action-Not Available
Vendor-provideservern/a
Product-provide_ftp_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54443
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 43.60%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:34
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54446
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 45.25%
||
7 Day CHG-0.01%
Published-23 Jul, 2025 | 05:32
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Action-Not Available
Vendor-Samsung Electronics
Product-MagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-10564
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.58% / 94.47%
||
7 Day CHG~0.00%
Published-13 Mar, 2020 | 22:07
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the File Upload plugin before 4.13.0 for WordPress. A directory traversal can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.

Action-Not Available
Vendor-iptanusn/a
Product-wordpress_file_uploadn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54450
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-7.2||HIGH
EPSS-0.59% / 44.24%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:28
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-34880
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.07% / 61.13%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 00:00
Updated-18 Dec, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cmseasy v7.7.7.7 20230520 was discovered to contain a path traversal vulnerability via the add_action method at lib/admin/language_admin.php. This vulnerability allows attackers to execute arbitrary code and perform a local file inclusion.

Action-Not Available
Vendor-cmseasyn/a
Product-cmseasyn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35187
Matching Score-4
Assigner-SolarWinds
ShareView Details
Matching Score-4
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-2.97% / 85.71%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-13 Sep, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-10631
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.48% / 71.10%
||
7 Day CHG~0.00%
Published-09 Apr, 2020 | 13:08
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0.2) control.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/nmsWebAccess/NMS
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-54438
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 45.25%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:36
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-10794
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 70.36%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 20:31
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. This can be combined with CVE-2020-10795 for remote root access.

Action-Not Available
Vendor-giran/a
Product-tks-ip-gatewaytks-ip-gateway_firmwaren/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-32563
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.8||HIGH
EPSS-90.17% / 99.78%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 19:04
Updated-13 Feb, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated attacker could achieve the code execution through a RemoteControl server.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-32557
Matching Score-4
Assigner-Trend Micro, Inc.
ShareView Details
Matching Score-4
Assigner-Trend Micro, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 65.31%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 21:57
Updated-04 Dec, 2024 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A path traversal vulnerability in the Trend Micro Apex One and Apex One as a Service could allow an unauthenticated attacker to upload an arbitrary file to the Management Server which could lead to remote code execution with system privileges.

Action-Not Available
Vendor-Microsoft CorporationTrend Micro Incorporated
Product-apex_onewindowsTrend Micro Apex Onetrend_micro_apex_one
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-5991
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-3.31% / 87.19%
||
7 Day CHG~0.00%
Published-26 Dec, 2023 | 18:33
Updated-02 Aug, 2024 | 08:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server

Action-Not Available
Vendor-motopressUnknown
Product-hotel_booking_liteHotel Booking Lite
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-7195
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-89.68% / 99.77%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 16:34
Updated-27 Oct, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-22||Apply updates per vendor instructions.

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsphoto_stationQNAP NAS devices running Photo StationPhoto Station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-52913
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 41.10%
||
7 Day CHG~0.00%
Published-08 Aug, 2025 | 00:00
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-30967
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 45.52%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 23:18
Updated-10 Sep, 2024 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gotham Orbital Simulator path traversal

Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a Path traversal issue allowing an unauthenticated user to read arbitrary files on the file system.

Action-Not Available
Vendor-palantirPalantir
Product-orbital_simulatorcom.palantir.meta:orbital-simulator
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-287
Improper Authentication
CVE-2019-7678
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.49% / 82.82%
||
7 Day CHG~0.00%
Published-09 Feb, 2019 | 22:00
Updated-04 Aug, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.

Action-Not Available
Vendor-enphasen/a
Product-envoyn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-6714
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-31.72% / 98.10%
||
7 Day CHG~0.00%
Published-17 Mar, 2019 | 17:40
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.

Action-Not Available
Vendor-blogenginen/a
Product-blogengine.netn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-30945
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-9.8||CRITICAL
EPSS-0.73% / 49.97%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 23:00
Updated-05 Dec, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-30945

Multiple Services such as VHS(Video History Server) and VCD(Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.

Action-Not Available
Vendor-palantirPalantir
Product-clips2video_history_servicevideo_clip_distributorcom.palantir.video:video-history-servercom.palantir.gotham:clips2com.palantir.video:video-clip-distributor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-287
Improper Authentication
CVE-2022-0223
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.5||MEDIUM
EPSS-0.78% / 51.70%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)

Action-Not Available
Vendor-Schneider Electric SE
Product-ecostruxure_power_commissionEcoStruxure Power Commission
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-7194
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-82.97% / 99.64%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 16:30
Updated-27 Oct, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-22||Apply updates per vendor instructions.

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsphoto_stationQNAP NAS devices running Photo StationPhoto Station
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-7253
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.01% / 85.90%
||
7 Day CHG~0.00%
Published-02 Jul, 2019 | 18:53
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Linear eMerge E3-Series devices allow Directory Traversal.

Action-Not Available
Vendor-nortekcontroln/a
Product-linear_emerge_essential_firmwarelinear_emerge_elitelinear_emerge_elite_firmwarelinear_emerge_essentialn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-5956
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.5||MEDIUM
EPSS-1.86% / 76.90%
||
7 Day CHG~0.00%
Published-12 Sep, 2019 | 15:58
Updated-04 Aug, 2024 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in WonderCMS 2.6.0 and earlier allows remote attackers to delete arbitrary files via unspecified vectors.

Action-Not Available
Vendor-wondercmsWonderCMS
Product-wondercms2.6.0 and earlier
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-6190
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.76% / 51.29%
||
7 Day CHG~0.00%
Published-27 Dec, 2023 | 14:36
Updated-20 May, 2026 | 12:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenicated Path Traversal in İzmir Katip Çelebi University

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in İzmir Katip Çelebi University University Information Management System allows Absolute Path Traversal. This issue affects University Information Management System: before 30.11.2023.

Action-Not Available
Vendor-ikcuİzmir Katip Çelebi University
Product-university_information_management_systemUniversity Information Management System
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-29478
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.67% / 74.21%
||
7 Day CHG~0.00%
Published-07 Apr, 2023 | 00:00
Updated-11 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.

Action-Not Available
Vendor-bibliocraftmodn/a
Product-bibliocraftn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-30268
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 53.78%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-29 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CLTPHP <=6.0 is vulnerable to Improper Input Validation.

Action-Not Available
Vendor-cltphpn/aMicrosoft Corporation
Product-windowscltphpn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-45427
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.04% / 96.99%
||
7 Day CHG~0.00%
Published-30 Dec, 2021 | 11:10
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated arbitrary file deletion due to path traversal. An attacker can browse and delete files without any authentication due to incorrect access control and directory traversal.

Action-Not Available
Vendor-emersonn/a
Product-xweb300d_evo_firmwarexweb300d_evon/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-29736
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.20% / 64.70%
||
7 Day CHG~0.00%
Published-01 Jun, 2023 | 00:00
Updated-09 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Keyboard Themes 1.275.1.164 for Android contains a dictionary traversal vulnerability that allows unauthorized apps to overwrite arbitrary files in its internal storage and achieve arbitrary code execution.

Action-Not Available
Vendor-timmystudiosn/a
Product-keyboard_themesn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2011-0751
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.66% / 88.40%
||
7 Day CHG~0.00%
Published-16 Mar, 2011 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in nhttpd (aka Nostromo webserver) before 1.9.4 allows remote attackers to execute arbitrary programs or read arbitrary files via a ..%2f (encoded dot dot slash) in a URI.

Action-Not Available
Vendor-nazguln/a
Product-nostromon/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 21
  • 22
  • Next
Details not found