CWE-22 <span class="text-2xl md:text-3xl font-bold ml-2" style="color:var(--text-secondary)">— Path Traversal

CVE-2025-25652HIGHCVSS 7.5EG 7.5

NASA cFS (Core Flight System) Aquila is vulnerable to path traversal in the OSAL module, allowing the override of any arbitrary file on the system.

2026-01-13

In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal.

CVE-2025-25684HIGHCVSS 7.5EG 7.5

2025-03-17

A lack of validation in the path parameter (/download) of GL-INet Beryl AX GL-MT3000 v4.7.0 allows attackers to download arbitrary files from the device's file system via a crafted POST request.

CVE-2025-25685HIGHCVSS 7.5EG 7.5

2025-03-17

An issue was discovered in GL-INet Beryl AX GL-MT3000 v4.7.0. Attackers are able to download arbitrary files from the device's file system via adding symbolic links on an external drive used as a samba share.

CVE-2025-25759HIGHCVSS 7.5EG 7.5

2025-02-27

An issue in the component admin_template.php of SUCMS v1.0 allows attackers to execute a directory traversal and arbitrary file deletion via a crafted GET request.

CVE-2025-25800MEDIUMCVSS 5.3EG 5.3

2025-02-26

SeaCMS 13.3 was discovered to contain an arbitrary file read vulnerability in the file_get_contents function at admin_safe_file.php.

CVE-2025-25997HIGHCVSS 7.5EG 7.3

2025-02-14

Directory Traversal vulnerability in FeMiner wms v.1.0 allows a remote attacker to obtain sensitive information via the databak.php component.

CVE-2025-26240HIGHCVSS 8.4EG 8.4

2026-06-17

In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

CVE-2025-2636HIGHCVSS 8.1EG 9.8

2025-04-11

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unaut…

CVE-2025-26534HIGHCVSS 8.6EG 8.6

CVE-2025-26540HIGHCVSS 7.7EG 7.7

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal.This issue affects Helloprint: from n/a through <= 2.0.7.

CVE-2025-26615CRITICALCVSS 10.0EG 10.0

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal.This issue affects Helloprint: from n/a through <= 2.0.7.

2025-02-18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Path Traversal vulnerability was discovered in the WeGIA application, `examples.php` endpoint. This vulnerability could allow an attacker to …

CVE-2025-26616HIGHCVSS 7.5EG 7.5

2025-02-18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Path Traversal vulnerability was discovered in the WeGIA application, `exportar_dump.php` endpoint. This vulnerability could allow an attacke…

CVE-2025-26692HIGHCVSS 8.1EG 8.1

2025-04-28

Quick Agent V3 and Quick Agent V2 contain an issue with improper limitation of a pathname to a restricted directory ('Path Traversal'). If exploited, arbitrary code may be executed by a remote unauthenticated attacker with the Windows syst…

CVE-2025-26752HIGHCVSS 8.6EG 8.6

CVE-2025-26753HIGHCVSS 7.5EG 7.5

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Path Traversal.This issue affects Broadcast Live Video: from n…

CVE-2025-26779MEDIUMCVSS 4.9EG 4.9

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Path Traversal.This issue affects Broadcast Live Video: from n…

2025-02-16

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fahad Mahmood Keep Backup Daily keep-backup-daily allows Path Traversal.This issue affects Keep Backup Daily: from n/a through <= 2.1.0.

CVE-2025-26905HIGHCVSS 7.5EG 7.5

CVE-2025-26935HIGHCVSS 7.5EG 7.5

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Estatik Estatik estatik allows PHP Local File Inclusion.This issue affects Estatik: from n/a through <= 4.3.0.

CVE-2025-27022HIGHCVSS 7.5EG 7.5

Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through <= 2.2.8.

2025-07-02

A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack or insufficient validation of user-supplied input a…

CVE-2025-2707MEDIUMCVSS 5.4EG 5.4

CVE-2025-2708MEDIUMCVSS 5.4EG 5.4

A vulnerability, which was classified as critical, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected by this issue is some unknown functionality of the file /app-api/infra/file/upload of the component Front-End Store Interface.…

CVE-2025-27085MEDIUMCVSS 4.9EG 4.9

A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. This affects an unknown part of the file /admin-api/infra/file/upload of the component Backend File Upload Interface. The manipulation of th…

2025-04-08

Multiple vulnerabilities exist in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated, remote attacker to download arbitrary…

CVE-2025-27092HIGHCVSS 7.5EG 7.5

2025-02-19

GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHOSTS version 8.0.0.0 that allows an attacker to access files outside of th…

CVE-2025-27098MEDIUMCVSS 5.8EG 5.8

2025-02-20

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing ch…

CVE-2025-27101HIGHCVSS 7.3EG 7.3

2025-03-11

Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, when copying any parent directory to a folder in the /temp/ directory, all files in that parent directory are copied, including fi…

CVE-2025-27142HIGHCVSS 8.8EG 8.8

CVE-2025-27147HIGHCVSS 8.2EG 8.2

LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of th…

CVE-2025-2716LOWCVSS 2.7EG 2.7

The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions…

CVE-2025-27210HIGHCVSS 7.5EG 7.5

A vulnerability classified as problematic was found in China Mobile P22g-CIac 1.0.00.488. This vulnerability affects unknown code of the component Samba Path Handler. The manipulation leads to path traversal. The attack can be initiated re…

2025-07-18

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

CVE-2025-27222HIGHCVSS 8.6EG 8.6

2025-10-27

TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be…

CVE-2025-27274MEDIUMCVSS 4.9EG 4.9

CVE-2025-27283MEDIUMCVSS 6.5EG 6.5

Path Traversal: '.../...//' vulnerability in axelkeller GPX Viewer gpx-viewer allows Path Traversal.This issue affects GPX Viewer: from n/a through <= 2.2.11.

2025-04-17

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Path Traversal.This issue affects Theme File Duplicator: from n/a through <= 1.3.

CVE-2025-27299MEDIUMCVSS 5.3EG 5.3

2025-04-17

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events myticket-events allows Path Traversal.This issue affects MyTicket Events: from n/a through <= 1.2.4.

CVE-2025-27395HIGHCVSS 7.2EG 7.2

2025-03-11

A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly limit the scope of files accessible through and the privileges of the SFTP functionality. This could allo…

CVE-2025-27397LOWCVSS 3.8EG 3.8

2025-03-11

A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly limit user controlled paths to which logs are written and from where they are read. This could allow an a…

CVE-2025-27409HIGHCVSS 7.5EG 7.5

2025-04-30

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pl…

CVE-2025-27410MEDIUMCVSS 6.5EG 6.5

2025-02-28

PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their conte…

CVE-2025-27413MEDIUMCVSS 6.5EG 6.5

2025-02-28

PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for …

CVE-2025-2742MEDIUMCVSS 5.4EG 5.4

CVE-2025-2743MEDIUMCVSS 4.3EG 4.3

A vulnerability classified as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. This vulnerability affects unknown code of the file /admin-api/mp/material/upload-permanent of the component Material Upload Interface. The manipulation…

CVE-2025-2744MEDIUMCVSS 5.4EG 5.4

A vulnerability, which was classified as problematic, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. This issue affects some unknown processing of the file /admin-api/mp/material/upload-temporary of the component Material Upload Inte…

CVE-2025-2749HIGHCVSS 7.2EG 9.0⚠ KEV

A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected is an unknown function of the file /admin-api/mp/material/upload-news-image of the component Material Upload Interface. The manipul…

CVE-2025-27519CRITICALCVSS 9.3EG 9.3

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content tha…

2025-03-07

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. A path traversal issue exists at /v1/internal/upload-to-local-directory which is enabled when the Loc…

CVE-2025-27566LOWCVSS 3.8EG 3.8

2025-05-19

Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privil…

CVE-2025-27590CRITICALCVSS 9.0EG 9.0