Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-39584

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-08 Sep, 2023 | 00:00
Updated At-26 Sep, 2024 | 18:04
Rejected At-
Credits

Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:08 Sep, 2023 | 00:00
Updated At:26 Sep, 2024 | 18:04
Rejected At:
▼CVE Numbering Authority (CNA)

Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
N/A
https://github.com/hexojs/hexo/issues/5250
N/A
https://www.gem-love.com/2023/07/25/hexo%E5%8D%9A%E5%AE%A2%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#undefined
N/A
Hyperlink: https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
Resource: N/A
Hyperlink: https://github.com/hexojs/hexo/issues/5250
Resource: N/A
Hyperlink: https://www.gem-love.com/2023/07/25/hexo%E5%8D%9A%E5%AE%A2%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#undefined
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
x_transferred
https://github.com/hexojs/hexo/issues/5250
x_transferred
https://www.gem-love.com/2023/07/25/hexo%E5%8D%9A%E5%AE%A2%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#undefined
x_transferred
Hyperlink: https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
Resource:
x_transferred
Hyperlink: https://github.com/hexojs/hexo/issues/5250
Resource:
x_transferred
Hyperlink: https://www.gem-love.com/2023/07/25/hexo%E5%8D%9A%E5%AE%A2%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#undefined
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:08 Sep, 2023 | 13:15
Updated At:26 Sep, 2024 | 18:35

Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches

hexo
hexo
>>hexo>>Versions up to 6.3.0(inclusive)
cpe:2.3:a:hexo:hexo:*:*:*:*:*:node.js:*:*
hexo
hexo
>>hexo>>7.0.0
cpe:2.3:a:hexo:hexo:7.0.0:rc1:*:*:*:node.js:*:*
hexo
hexo
>>hexo>>7.0.0
cpe:2.3:a:hexo:hexo:7.0.0:rc2:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-22Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-22
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49cve@mitre.org
Third Party Advisory
https://github.com/hexojs/hexo/issues/5250cve@mitre.org
Issue Tracking
Third Party Advisory
https://www.gem-love.com/2023/07/25/hexo%E5%8D%9A%E5%AE%A2%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#undefinedcve@mitre.org
Third Party Advisory
Hyperlink: https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://github.com/hexojs/hexo/issues/5250
Source: cve@mitre.org
Resource:
Issue Tracking
Third Party Advisory
Hyperlink: https://www.gem-love.com/2023/07/25/hexo%E5%8D%9A%E5%AE%A2%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#undefined
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1131Records found

CVE-2024-27821
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.92% / 56.01%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 23:00
Updated-02 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, watchOS 10.5. A shortcut may output sensitive user data without consent.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_oswatchosipadosmacosmacOSwatchOSiOS and iPadOSioswatchosipad_osmacos
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-32527
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.74% / 75.01%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:12
Updated-16 Sep, 2024 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN Storage Manager - Path Traversal-2

Path traversal vulnerability in QSAN Storage Manager allows remote unauthenticated attackers to download arbitrary files thru injecting file path in download function. Suggest contacting with QSAN and refer to recommendations in QSAN Document.

Action-Not Available
Vendor-qsanQSAN
Product-storage_managerStorage Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-6772
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.52% / 40.50%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 18:31
Updated-15 Sep, 2025 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eosphoros-ai db-gpt import import_flow path traversal

A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the function import_flow of the file /api/v2/serve/awel/flow/import. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-dbgpteosphoros-ai
Product-db-gptdb-gpt
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-68155
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.55% / 42.05%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 18:20
Updated-18 Dec, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.

Action-Not Available
Vendor-vitejs
Product-vite-plugin-react
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CVE-2025-6795
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-5.3||MEDIUM
EPSS-1.06% / 60.53%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 14:51
Updated-14 Jul, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability

Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadSize method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24914.

Action-Not Available
Vendor-marvellMarvell
Product-qconvergeconsoleQConvergeConsole
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-27120
Matching Score-4
Assigner-Dutch Institute for Vulnerability Disclosure (DIVD)
ShareView Details
Matching Score-4
Assigner-Dutch Institute for Vulnerability Disclosure (DIVD)
CVSS Score-7.7||HIGH
EPSS-0.55% / 41.98%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 19:56
Updated-11 Mar, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local File Inclusion in ComfortKey before version 24.1.2

A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system. The vulnerability has been remediated in version 24.1.2.

Action-Not Available
Vendor-celsiusbeneluxCelsius Beneluxcelsius_benelux
Product-comfortkeyComfortKeycomfortkey
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-6807
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-5.3||MEDIUM
EPSS-1.06% / 60.53%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 14:51
Updated-14 Jul, 2025 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability

Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getDriverTmpPath method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24980.

Action-Not Available
Vendor-marvellMarvell
Product-qconvergeconsoleQConvergeConsole
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-0752
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-95.54% / 99.86%
||
7 Day CHG~0.00%
Published-16 Feb, 2016 | 02:00
Updated-22 Apr, 2026 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||Apply updates per vendor instructions.

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Action-Not Available
Vendor-n/aopenSUSERed Hat, Inc.Ruby on RailsSUSEDebian GNU/Linux
Product-debian_linuxrailssoftware_collectionsleaplinux_enterprise_module_for_containersopensusen/aRuby on Rails
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-10183
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.60% / 91.96%
||
7 Day CHG~0.00%
Published-30 Jan, 2017 | 04:24
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on the D-Link DWR-932B router. qmiweb allows directory listing with ../ traversal.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dwr-932bdwr-932b_firmwaren/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-67171
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.69% / 48.16%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 00:00
Updated-18 Dec, 2025 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.

Action-Not Available
Vendor-ritecmsn/a
Product-ritecmsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2005-2349
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-7.5||HIGH
EPSS-1.85% / 76.47%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 13:24
Updated-07 Aug, 2024 | 22:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoo 2.10 has Directory traversal

Action-Not Available
Vendor-zoo_projectn/a
Product-zoon/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-65878
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.71%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 00:00
Updated-12 Dec, 2025 | 12:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The warehouse management system version 1.2 contains an arbitrary file read vulnerability. The endpoint `/file/showImageByPath` does not sanitize user-controlled path parameters. An attacker could exploit directory traversal to read arbitrary files on the server's file system. This could lead to the leakage of sensitive system information.

Action-Not Available
Vendor-yeqifun/a
Product-warehouse_management_systemn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-9480
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-12.57% / 95.75%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 16:22
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter.

Action-Not Available
Vendor-robot-cpan/a
Product-robotcpan/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-9464
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.72% / 88.47%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 16:00
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The s3bubble-amazon-s3-html-5-video-with-adverts plugin 0.7 for WordPress has directory traversal via the adverts/assets/plugins/ultimate/content/downloader.php path parameter.

Action-Not Available
Vendor-s3bubblen/a
Product-s3bubble-amazon-s3-html-5-video-with-advertsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-66744
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.45% / 70.08%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 00:00
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-25183
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.48%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 00:00
Updated-02 Jan, 2026 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php.

Action-Not Available
Vendor-vvvebn/a
Product-vvvebjsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-9406
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-55.01% / 98.90%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 19:26
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary files via a .. (dot dot) in the files parameter to css/css.php.

Action-Not Available
Vendor-mtheme-unus_projectn/a
Product-mtheme-unusn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-15923
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.31% / 87.06%
||
7 Day CHG~0.00%
Published-24 Jul, 2020 | 00:58
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mida eFramework through 2.9.0 allows unauthenticated ../ directory traversal.

Action-Not Available
Vendor-midasolutionsn/a
Product-eframeworkn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-9463
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.13% / 89.58%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 16:08
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The s3bubble-amazon-s3-audio-streaming plugin 2.0 for WordPress has directory traversal via the adverts/assets/plugins/ultimate/content/downloader.php path parameter.

Action-Not Available
Vendor-s3bubblen/a
Product-s3bubble-amazon-s3-audio-streamingn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-1142
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-1.09% / 61.32%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 14:48
Updated-16 Jan, 2025 | 21:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-1142

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-infrasuite_device_masterInfraSuite Device Master
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-9473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.66% / 88.26%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 16:14
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The estrutura-basica theme through 2015-09-13 for WordPress has directory traversal via the scripts/download.php arquivo parameter.

Action-Not Available
Vendor-estrutura-basica_projectn/a
Product-estrutura-basican/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-0956
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.79% / 51.86%
||
7 Day CHG~0.00%
Published-03 Aug, 2023 | 18:08
Updated-16 Jan, 2025 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TEL-STER TelWin SCADA WebInterface Path Traversal

External input could be used on TEL-STER TelWin SCADA WebInterface to construct paths to files and directories without properly neutralizing special elements within the pathname, which could allow an unauthenticated attacker to read files on the system.

Action-Not Available
Vendor-tel-sterTEL-STER
Product-telwin_scada_webinterfaceTelWin SCADA WebInterface
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-65287
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.72% / 49.46%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 00:00
Updated-15 Dec, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. The CGI concatenates the user-supplied params directly onto the base path (/var/www/files/userScript/) using memcpy + strcat without validation or canonicalization, enabling ../ sequences to escape the intended directory. The download branch also echoes the unsanitized params into Content-Disposition, introducing header-injection risk.

Action-Not Available
Vendor-cdpenergyn/a
Product-snmp_web_prosnmp_web_pro_firmwaren/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-0126
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-72.70% / 99.38%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.

Action-Not Available
Vendor-SonicWall Inc.
Product-sma1000sma1000_firmwareSonicWall SMA1000
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-50792
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-1.35% / 68.08%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 22:41
Updated-04 Mar, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated File Disclosure Vulnerability

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive system files. Attackers can exploit the vulnerability by manipulating the 'file' GET parameter to disclose arbitrary files on the affected device.

Action-Not Available
Vendor-sound4SOUND4 Ltd.Kantar Media
Product-pulsebig_voice4_firmwarefirstpulse_firmwarewm2pulse_eco_firmwareimpact_ecoimpact_eco_firmwarebig_voice4stream_extensionwm2_firmwarefirst_firmwareimpactbig_voice2impact_firmwarepulse_ecobig_voice2_firmwareBigVoice4BigVoice2Impact/Pulse EcoWM2StreamImpact/Pulse/First
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-50890
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.93% / 56.33%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:51
Updated-07 Apr, 2026 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Owlfiles File Manager 12.0.1 - Path Traversal

Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.

Action-Not Available
Vendor-skyjosSkyjosApple Inc.
Product-macosiphone_osvisionosipadosowlfilestvosOwlfiles File Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-50932
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-3.53% / 87.84%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:51
Updated-30 Jan, 2026 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)

Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../.../etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow.

Action-Not Available
Vendor-kyoceraKYOCERA Document Solutions
Product-command_center_rxKyocera Command Center RX
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-50992
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.70% / 48.83%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 16:09
Updated-30 Apr, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via XmlRpcServlet

Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).

Action-Not Available
Vendor-Weaver Network Co., Ltd.
Product-E-cology
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-63371
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.16%
||
7 Day CHG~0.00%
Published-19 Nov, 2025 | 00:00
Updated-11 Dec, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Milos Paripovic OneCommander 3.102.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents.

Action-Not Available
Vendor-onecommandern/a
Product-onecommandern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-32572
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.74% / 75.00%
||
7 Day CHG~0.00%
Published-12 May, 2021 | 15:59
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Speco Web Viewer through 2021-05-12 allows Directory Traversal via GET request for a URI with /.. at the beginning, as demonstrated by reading the /etc/passwd file.

Action-Not Available
Vendor-specotechn/a
Product-web_viewern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-32532
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.67% / 73.94%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:12
Updated-16 Sep, 2024 | 22:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN XEVO - Path Traversal

Path traversal vulnerability in back-end analysis function in QSAN XEVO allows remote attackers to download arbitrary files without permissions. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0.

Action-Not Available
Vendor-qsanQSAN
Product-xevoXEVO
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-32769
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.73% / 74.85%
||
7 Day CHG~0.00%
Published-16 Jul, 2021 | 18:25
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core

Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use `**` in mapping, use only `*`, which exposes only flat structure of a directory not allowing traversal. If using Linux, another workaround is to run micronaut in chroot.

Action-Not Available
Vendor-objectcomputingmicronaut-projects
Product-micronautmicronaut-core
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-31156
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.95% / 57.02%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Allied Telesis AT-S115 1.2.0 devices before 1.00.024 with Boot Loader 1.00.006 allow Directory Traversal to achieve partial access to data.

Action-Not Available
Vendor-n/aallied_telesis_at
Product-n/as115_1.2.0
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-6283
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.60% / 44.32%
||
7 Day CHG~0.00%
Published-19 Jun, 2025 | 22:31
Updated-30 Sep, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xataio Xata Agent route.ts GET path traversal

A vulnerability was found in xataio Xata Agent up to 0.3.0. It has been classified as problematic. This affects the function GET of the file apps/dbagent/src/app/api/evals/route.ts. The manipulation of the argument passed leads to path traversal. Upgrading to version 0.3.1 is able to address this issue. The patch is named 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-xataxataio
Product-agentXata Agent
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-27575
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.77% / 50.94%
||
7 Day CHG~0.00%
Published-04 Apr, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

INOTEC Sicherheitstechnik WebServer CPS220/64 3.3.19 allows a remote attacker to read arbitrary files via absolute path traversal, such as with the /cgi-bin/display?file=/etc/passwd URI.

Action-Not Available
Vendor-n/ainotec
Product-n/agmbh_webserver
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-31542
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.29% / 91.58%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 00:00
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Action-Not Available
Vendor-n/aDjangoFedora ProjectDebian GNU/Linux
Product-djangodebian_linuxfedoran/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-31538
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.49% / 70.89%
||
7 Day CHG~0.00%
Published-10 Jun, 2021 | 14:59
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LANCOM R&S Unified Firewall (UF) devices running LCOS FX 10.5 allow Relative Path Traversal.

Action-Not Available
Vendor-lancom-systemsn/a
Product-uf-60uf-260uf-160uf-500uf-910lcos_fxn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-61557
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.61% / 45.02%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 00:00
Updated-14 Jan, 2026 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nixseparatedebuginfod before v0.4.1 is vulnerable to Directory Traversal.

Action-Not Available
Vendor-symphorienn/a
Product-nixseparatedebuginfodn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-30497
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-96.58% / 99.87%
||
7 Day CHG~0.00%
Published-06 Apr, 2022 | 01:22
Updated-03 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.

Action-Not Available
Vendor-n/aIvanti Software
Product-avalanchen/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-3019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-18.98% / 96.96%
||
7 Day CHG~0.00%
Published-05 Jan, 2021 | 04:35
Updated-03 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.

Action-Not Available
Vendor-lanproxy_projectn/a
Product-lanproxyn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-29395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.80% / 75.84%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 18:48
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory travesal in /northstar/filemanager/download.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to download arbitrary files, including JSP source code, across the filesystem of the host of the web application.

Action-Not Available
Vendor-globalnorthstarn/a
Product-northstar_club_managementn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-28172
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.80% / 75.87%
||
7 Day CHG~0.00%
Published-06 Apr, 2021 | 11:20
Updated-17 Sep, 2024 | 03:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vangene deltaFlow E-platform - Path Traversal

There is a Path Traversal vulnerability in the file download function of Vangene deltaFlow E-platform. Remote attackers can access credential data with this leakage.

Action-Not Available
Vendor-deltaflow_projectVangene
Product-deltaflowdeltaFlow E-platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-27825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-7.80% / 93.94%
||
7 Day CHG~0.00%
Published-29 May, 2023 | 00:00
Updated-14 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL.

Action-Not Available
Vendor-mercurycomn/a
Product-mac1200r_firmwaremac1200rn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-27367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.75% / 75.07%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 20:47
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.

Action-Not Available
Vendor-boltcmsn/a
Product-boltn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-26294
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-17.34% / 96.74%
||
7 Day CHG~0.00%
Published-07 Mar, 2021 | 03:42
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_user account (with caldav_public_user as its password).

Action-Not Available
Vendor-afterlogicn/a
Product-aurorawebmail_pron/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-26504
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.41% / 69.31%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory Traversal vulnerability in Foddy node-red-contrib-huemagic version 3.0.0, allows remote attackers to gain sensitive information via crafted request in res.sendFile API in hue-magic.js.

Action-Not Available
Vendor-dgtln/a
Product-huemagicn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-27461
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-1.40% / 69.12%
||
7 Day CHG~0.00%
Published-20 May, 2021 | 11:51
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected webserver applications allow access to stored data that can be obtained by using specially crafted URLs.

Action-Not Available
Vendor-emersonn/a
Product-x-stream_enhanced_xegp_firmwarex-stream_enhanced_xegpx-stream_enhanced_xegk_firmwarex-stream_enhanced_xefdx-stream_enhanced_xefd_firmwarex-stream_enhanced_xegkx-stream_enhanced_xexfx-stream_enhanced_xexf_firmwareEmerson Rosemount X-STREAM Gas Analyzer
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-25864
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-9.33% / 94.77%
||
7 Day CHG~0.00%
Published-26 Jan, 2021 | 07:09
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.

Action-Not Available
Vendor-dgtln/a
Product-huemagicn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-25685
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.47% / 37.50%
||
7 Day CHG~0.00%
Published-17 Mar, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GL-INet Beryl AX GL-MT3000 v4.7.0. Attackers are able to download arbitrary files from the device's file system via adding symbolic links on an external drive used as a samba share.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-60242
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.40% / 31.59%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:55
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Counter plugin <= 1.4 - Arbitrary File Download vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Anatoly Download Counter download-counter allows Path Traversal.This issue affects Download Counter: from n/a through <= 1.4.

Action-Not Available
Vendor-Anatoly
Product-Download Counter
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 22
  • 23
  • Next
Details not found