Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-12422

Summary
Assigner-azure-access
Assigner Org ID-a0340c66-c385-4f8b-991b-3d05f6fd5220
Published At-28 Oct, 2025 | 18:09
Updated At-28 Oct, 2025 | 19:09
Rejected At-
Credits

Vulnerable Upgrade Feature (Arbitrary File Write)

Vulnerable Upgrade Feature (Arbitrary File Write) may lead to obtaining super user permissions on board.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:azure-access
Assigner Org ID:a0340c66-c385-4f8b-991b-3d05f6fd5220
Published At:28 Oct, 2025 | 18:09
Updated At:28 Oct, 2025 | 19:09
Rejected At:
â–¼CVE Numbering Authority (CNA)
Vulnerable Upgrade Feature (Arbitrary File Write)

Vulnerable Upgrade Feature (Arbitrary File Write) may lead to obtaining super user permissions on board.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Affected Products
Vendor
Azure Access Technology
Product
BLU-IC2
Default Status
unaffected
Versions
Affected
  • From 0 through 1.19.5 (semver)
Vendor
Azure Access Technology
Product
BLU-IC4
Default Status
unaffected
Versions
Affected
  • From 0 through 1.19.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
4.010.0CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Version: 4.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-126CAPEC-126 Path Traversal
CAPEC ID: CAPEC-126
Description: CAPEC-126 Path Traversal
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Kevin Schaller
finder
Benjamin Lafois
finder
Alexi Bitsios
finder
Sebastian Toscano
finder
Dominik Schneider
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://azure-access.com/security-advisories
N/A
Hyperlink: https://azure-access.com/security-advisories
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:a0340c66-c385-4f8b-991b-3d05f6fd5220
Published At:28 Oct, 2025 | 18:15
Updated At:07 Nov, 2025 | 14:55

Vulnerable Upgrade Feature (Arbitrary File Write) may lead to obtaining super user permissions on board.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.010.0CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
azure-access
azure-access
>>blu-ic2_firmware>>Versions before 1.20(exclusive)
cpe:2.3:o:azure-access:blu-ic2_firmware:*:*:*:*:*:*:*:*
azure-access
azure-access
>>blu-ic2>>*
cpe:2.3:h:azure-access:blu-ic2:*:*:*:*:*:*:*:*
azure-access
azure-access
>>blu-ic4_firmware>>Versions before 1.20(exclusive)
cpe:2.3:o:azure-access:blu-ic4_firmware:*:*:*:*:*:*:*:*
azure-access
azure-access
>>blu-ic4>>*
cpe:2.3:h:azure-access:blu-ic4:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Secondarya0340c66-c385-4f8b-991b-3d05f6fd5220
CWE ID: CWE-22
Type: Secondary
Source: a0340c66-c385-4f8b-991b-3d05f6fd5220
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://azure-access.com/security-advisoriesa0340c66-c385-4f8b-991b-3d05f6fd5220
Vendor Advisory
Hyperlink: https://azure-access.com/security-advisories
Source: a0340c66-c385-4f8b-991b-3d05f6fd5220
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

608Records found
CVE-2025-12275
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.24% / 47.21%
||
7 Day CHG+0.05%
Published-26 Oct, 2025 | 16:15
Updated-07 Nov, 2025 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mail Configuration File Manipulation + Command Execution

Mail Configuration File Manipulation + Command Execution.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-20
Improper Input Validation
CVE-2025-12476
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.08% / 24.57%
||
7 Day CHG+0.02%
Published-29 Oct, 2025 | 16:31
Updated-07 Nov, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Resource Lacking AuthN

Resource Lacking AuthN.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-11832
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.09% / 25.00%
||
7 Day CHG~0.00%
Published-15 Oct, 2025 | 19:10
Updated-07 Nov, 2025 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
APIs Lack Rate Limiting

Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access Technology BLU-IC4 allows Flooding.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC4BLU-IC2
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-12218
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.06% / 17.91%
||
7 Day CHG+0.01%
Published-25 Oct, 2025 | 15:47
Updated-10 Nov, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Default Credentials

Weak Default Credentials.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1392
Use of Default Credentials
CVE-2025-12001
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.11% / 29.56%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 21:53
Updated-07 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Content-Type Header

Lack of application manifest sanitation could lead to potential stored XSS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12478
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.04% / 10.70%
||
7 Day CHG+0.01%
Published-29 Oct, 2025 | 16:37
Updated-07 Nov, 2025 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Non-Compliant TLS Configuration

Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2025-12477
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.08% / 24.57%
||
7 Day CHG+0.02%
Published-29 Oct, 2025 | 16:33
Updated-07 Nov, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server Version Disclosure

Server Version Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-12515
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.07% / 20.77%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 15:38
Updated-10 Nov, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Systemic Internal Server Errors - HTTP 500 Response

Systemic Internal Server Errors - HTTP 500 ResponseThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-394
Unexpected Status Code or Return Value
CVE-2025-12176
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.08% / 24.57%
||
7 Day CHG+0.02%
Published-24 Oct, 2025 | 15:56
Updated-10 Nov, 2025 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Undocumented Administrative Accounts

Undocumented administrative accounts were getting created to facilitate access for applications running on board.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1242
Inclusion of Undocumented Features or Chicken Bits
CVE-2025-12602
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-2.3||LOW
EPSS-0.07% / 20.64%
||
7 Day CHG~0.00%
Published-01 Nov, 2025 | 18:54
Updated-07 Nov, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
/etc/avahi/services/z9.service can be Arbitrarily Written

/etc/avahi/services/z9.service can be Arbitrarily Written.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-12603
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-2.3||LOW
EPSS-0.07% / 20.64%
||
7 Day CHG~0.00%
Published-01 Nov, 2025 | 18:56
Updated-07 Nov, 2025 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
/etc/timezone can be Arbitrarily Written

/etc/timezone can be Arbitrarily Written.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-12425
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.06% / 18.24%
||
7 Day CHG+0.01%
Published-28 Oct, 2025 | 18:21
Updated-07 Nov, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local Privilege Escalation

Local Privilege Escalation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-269
Improper Privilege Management
CVE-2025-12552
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 20.23%
||
7 Day CHG~0.00%
Published-31 Oct, 2025 | 15:43
Updated-10 Nov, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Password Policy

Insufficient Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-521
Weak Password Requirements
CVE-2025-12600
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.07% / 20.77%
||
7 Day CHG~0.00%
Published-01 Nov, 2025 | 18:48
Updated-10 Nov, 2025 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web UI Malfunction

Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CVE-2025-12601
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.06% / 19.46%
||
7 Day CHG~0.00%
Published-01 Nov, 2025 | 18:49
Updated-10 Nov, 2025 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service Due to SlowLoris

Denial of Service Due to SlowLoris.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CVE-2025-12219
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.09% / 25.00%
||
7 Day CHG+0.02%
Published-25 Oct, 2025 | 15:51
Updated-10 Nov, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vulnerable Components in Azure Access OS

Vulnerable Components in Azure Access OS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1395
Dependency on Vulnerable Third-Party Component
CVE-2025-12516
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.07% / 20.77%
||
7 Day CHG~0.00%
Published-30 Oct, 2025 | 15:42
Updated-10 Nov, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of Graceful Error Handling - HTTP 5xx Error

Lack of Graceful Error Handling - HTTP 5xx ErrorThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-394
Unexpected Status Code or Return Value
CVE-2025-12554
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-6.9||MEDIUM
EPSS-0.09% / 25.31%
||
7 Day CHG~0.00%
Published-31 Oct, 2025 | 15:52
Updated-10 Nov, 2025 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Security Headers

Missing Security Headers.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2025-11925
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.05% / 16.17%
||
7 Day CHG~0.00%
Published-17 Oct, 2025 | 19:56
Updated-07 Nov, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Content-Type Header

Incorrect Content-Type header in one of the APIs (`text/html` instead of `application/json`) replies may potentially allow injection of HTML/JavaScript into reply.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-12216
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.05% / 15.93%
||
7 Day CHG+0.01%
Published-25 Oct, 2025 | 15:33
Updated-10 Nov, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Malicious / Malformed App can be Installed but not Uninstalled

Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1301
Insufficient or Incomplete Data Removal within Hardware Component
CVE-2025-12553
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.04% / 10.94%
||
7 Day CHG~0.00%
Published-31 Oct, 2025 | 15:48
Updated-10 Nov, 2025 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server Certificate Verification Disabled

Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-599
Missing Validation of OpenSSL Certificate
CVE-2025-12423
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.14% / 34.46%
||
7 Day CHG+0.08%
Published-28 Oct, 2025 | 18:14
Updated-07 Nov, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service - Protocol Manipulation

Protocol manipulation might lead to denial of service.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-248
Uncaught Exception
CVE-2025-12220
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.09% / 25.00%
||
7 Day CHG+0.02%
Published-25 Oct, 2025 | 15:53
Updated-10 Nov, 2025 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Busybox 1.31.1 - Multiple Known Vulnerabilities

Busybox 1.31.1 - Multiple Known Vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1395
Dependency on Vulnerable Third-Party Component
CVE-2025-12364
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.08% / 24.57%
||
7 Day CHG+0.02%
Published-27 Oct, 2025 | 18:09
Updated-10 Nov, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Password Policy

Weak Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-521
Weak Password Requirements
CVE-2025-12363
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.06% / 18.49%
||
7 Day CHG+0.01%
Published-Not Available
Updated-10 Nov, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-access
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-12285
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.17% / 38.30%
||
7 Day CHG+0.04%
Published-26 Oct, 2025 | 16:24
Updated-10 Nov, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Initial Password Change

Missing Initial Password Change.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-521
Weak Password Requirements
CVE-2025-12479
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.04% / 10.39%
||
7 Day CHG+0.01%
Published-29 Oct, 2025 | 16:50
Updated-07 Nov, 2025 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation

Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12599
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.07% / 20.23%
||
7 Day CHG~0.00%
Published-01 Nov, 2025 | 18:39
Updated-10 Nov, 2025 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000)

Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2025-12424
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.08% / 24.57%
||
7 Day CHG+0.02%
Published-28 Oct, 2025 | 18:18
Updated-07 Nov, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege Escalation through SUID-bit Binary

Privilege Escalation through SUID-bit Binary.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-269
Improper Privilege Management
CVE-2025-12104
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-8
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.29% / 51.72%
||
7 Day CHG+0.07%
Published-23 Oct, 2025 | 03:56
Updated-07 Nov, 2025 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Content-Type Header

Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1104
Use of Unmaintained Third Party Components
CVE-2024-41717
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.3||CRITICAL
EPSS-0.61% / 69.36%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 21:13
Updated-23 Oct, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kieback&Peter DDC4000 Series Path Traversal

Kieback & Peter's DDC4000 series is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.

Action-Not Available
Vendor-Kieback&PeterKieback & Peterkieback\&peter
Product-DDC4400eDDC4002DDC4100DDC4400DDC4200-LDDC4040eDDC4020eDDC4200eDDC4200DDC4002eddc4200e_firmwareddc4002e_firmwareddc4100_firmwareddc4400e_firmwareddc4200_firmwareddc4400_firmwareddc4040e_firmwareddc4002_firmwareddc4020e_firmwareddc4200-l_firmware
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-1000
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.8||HIGH
EPSS-0.35% / 57.29%
||
7 Day CHG~0.00%
Published-17 Mar, 2022 | 10:30
Updated-31 Dec, 2025 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal in prasathmani/tinyfilemanager

Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.

Action-Not Available
Vendor-prasathmaniprasathmani
Product-tiny_file_managerprasathmani/tinyfilemanager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-2731
Matching Score-4
Assigner-National Cyber Security Centre Finland (NCSC-FI)
ShareView Details
Matching Score-4
Assigner-National Cyber Security Centre Finland (NCSC-FI)
CVSS Score-10||CRITICAL
EPSS-0.21% / 43.66%
||
7 Day CHG+0.05%
Published-19 Feb, 2026 | 06:46
Updated-19 Feb, 2026 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8

Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests

Action-Not Available
Vendor-DynamicWeb
Product-DynamicWeb 9
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-1391
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-66.82% / 98.51%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:51
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cab fare calculator < 1.0.4 - Unauthenticated LFI

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

Action-Not Available
Vendor-kanevUnknown
Product-cab_fare_calculatorCab fare calculator
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-27641
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.00%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 03:54
Updated-27 Feb, 2026 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.

Action-Not Available
Vendor-jugmac00jugmac00
Product-flask-reuploadedflask-reuploaded
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-27699
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 14:58
Updated-27 Feb, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

Action-Not Available
Vendor-patrickjuchlipatrickjuchli
Product-basic-ftpbasic-ftp
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-3247
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-46.07% / 97.56%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 20:10
Updated-15 Nov, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data

Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ucs_directorucs_director_express_for_big_dataCisco UCS Director
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-25895
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.5||CRITICAL
EPSS-0.05% / 14.14%
||
7 Day CHG~0.00%
Published-09 Feb, 2026 | 22:29
Updated-13 Feb, 2026 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

Action-Not Available
Vendor-frangoteamfrangoteam
Product-fuxaFUXA
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-24770
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.68% / 71.21%
||
7 Day CHG+0.06%
Published-27 Jan, 2026 | 21:51
Updated-30 Jan, 2026 | 21:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RAGFlow Affected by Zip Slip Remote Code Execution (RCE) in MinerUParser

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue.

Action-Not Available
Vendor-infiniflowinfiniflow
Product-ragflowragflow
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-3248
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-46.07% / 97.56%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 20:10
Updated-15 Nov, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data

Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ucs_directorucs_director_express_for_big_dataCisco UCS Director
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-1518
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-0.31% / 54.17%
||
7 Day CHG~0.00%
Published-24 Jun, 2022 | 15:00
Updated-16 Apr, 2025 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure.

Action-Not Available
Vendor-illuminaIllumina
Product-nextseq_550dxmiseqiseq_100nextseq_500miniseqnextseq_550miseq_dxlocal_run_managerNextSeq 550DxNextSeq 550 InstrumentiSeq 100 InstrumentMiSeq InstrumentNextSeq 500 InstrumentMiniSeq InstrumentMiSeq Dx
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-1390
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-92.04% / 99.69%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:51
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique

Action-Not Available
Vendor-admin_word_count_column_projectUnknown
Product-admin_word_count_columnAdmin Word Count Column
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-29600
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.29% / 84.46%
||
7 Day CHG~0.00%
Published-07 Dec, 2020 | 19:52
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.

Action-Not Available
Vendor-awstatsn/aDebian GNU/LinuxFedora Project
Product-awstatsdebian_linuxfedoran/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-22249
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.03% / 7.43%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 18:43
Updated-22 Jan, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Docmost affected by an Arbitrary File Write via Zip Import Feature (ZipSlip)

Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0.

Action-Not Available
Vendor-docmostdocmost
Product-docmostdocmost
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-22871
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.63% / 69.95%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 20:46
Updated-21 Jan, 2026 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GuardDog Path Traversal Vulnerability Leads to Arbitrary File Overwrite and RCE

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, there is a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1.

Action-Not Available
Vendor-datadoghqDataDog
Product-guarddogguarddog
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-2251
Matching Score-4
Assigner-Xerox Corporation
ShareView Details
Matching Score-4
Assigner-Xerox Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.05% / 16.82%
||
7 Day CHG~0.00%
Published-27 Feb, 2026 | 08:08
Updated-28 Feb, 2026 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal leading to Remote Code Execution (RCE)

Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads https://www.support.xerox.com/en-us/product/core/downloads

Action-Not Available
Vendor-Xerox Corporation
Product-FreeFlow Core
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-25347
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 70.04%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 16:37
Updated-16 Apr, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DIAEnergie Path Traversal

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-diaenergieDIAEnergie
CWE ID-CWE-37
Path Traversal: '/absolute/pathname/here'
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2007-4559
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-90.58% / 99.60%
||
7 Day CHG~0.00%
Published-28 Aug, 2007 | 00:00
Updated-17 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Action-Not Available
Vendor-n/aPython Software Foundation
Product-pythonn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-21227
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.2||HIGH
EPSS-0.14% / 33.80%
||
7 Day CHG+0.01%
Published-22 Jan, 2026 | 22:47
Updated-22 Feb, 2026 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Logic Apps Elevation of Privilege Vulnerability

Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_logic_appsAzure Logic Apps
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-27606
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.47% / 64.38%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 02:08
Updated-25 Feb, 2026 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rollup 4 has Arbitrary File Write via Path Traversal

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.

Action-Not Available
Vendor-rollupjsrollup
Product-rolluprollup
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 12
  • 13
  • Next
Details not found