Search Results (9603 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-37728 1 Officeweb365 1 Officeweb365 2026-04-15 7.5 High
Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface
CVE-2024-37169 2026-04-15 5.3 Medium
@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses the Playright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol `http` or `https`. No known workarounds are available aside from upgrading.
CVE-2024-36527 1 Zenato 1 Puppeteer Renderer 2026-04-15 6.5 Medium
puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.
CVE-2024-47071 1 Freepbx 1 Endpoint Manager 2026-04-15 6.8 Medium
OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4.
CVE-2024-34808 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samuel Marshall JCH Optimize.This issue affects JCH Optimize: from n/a through 4.2.0.
CVE-2025-62356 1 Qodo 1 Gen Ide 2026-04-15 7.5 High
A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt injection.
CVE-2024-41717 1 Kieback\&peter 10 Ddc4002 Firmware, Ddc4002e Firmware, Ddc4020e Firmware and 7 more 2026-04-15 9.8 Critical
Kieback & Peter's DDC4000 series is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.
CVE-2024-3318 2026-04-15 4.2 Medium
A file path traversal vulnerability was identified in the DelimitedFileConnector Cloud Connector that allowed an authenticated administrator to set arbitrary connector attributes, including the “file“ attribute, which in turn allowed the user to access files uploaded for other sources.
CVE-2024-32982 1 Litestar-org 1 Litestar 2026-04-15 8.2 High
Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.
CVE-2024-32399 1 Raidenmaild 1 Raidenmaild 2026-04-15 7.6 High
Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component.
CVE-2024-32258 1 Tasemulators 1 Fceux 2026-04-15 8.8 High
The network server of fceux 2.7.0 has a path traversal vulnerability, allowing attackers to overwrite any files on the server without authentication by fake ROM.
CVE-2024-31451 1 Arc53 1 Docsgpt 2026-04-15 5.3 Medium
DocsGPT is a GPT-powered chat for documentation. DocsGPT is vulnerable to unauthenticated limited file write in routes.py. This vulnerability is fixed in 0.8.1.
CVE-2024-29672 2026-04-15 8.8 High
Directory Traversal vulnerability in zly2006 Reden before v.0.2.514 allows a remote attacker to execute arbitrary code via the DEBUG_RTC_REQUEST_SYNC_DATA in KeyCallbacks.kt.
CVE-2024-28698 2026-04-15 9.8 Critical
Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter component.
CVE-2024-34060 1 Dfir-iris 1 Iris 2026-04-15 8.8 High
IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0.
CVE-2013-10063 1 Netgear 1 Sph200d 2026-04-15 N/A
A path traversal vulnerability exists in the Netgear SPH200D Skype phone firmware versions <= 1.0.4.80 in its embedded web server. Authenticated attackers can exploit crafted GET requests to access arbitrary files outside the web root by injecting traversal sequences. This can expose sensitive system files and configuration data.
CVE-2024-13897 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
The Moving Media Library plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the generate_json_page function in all versions up to, and including, 1.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVE-2024-26292 2026-04-15 N/A
An authenticated Arbitrary File Deletion vulnerability enables an attacker to delete critical files. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.
CVE-2024-54909 2026-04-15 8.1 High
A vulnerability has been identified in GoldPanKit eva-server v4.1.0. It affects the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter can lead to arbitrary file download.
CVE-2024-21850 1 Intel 1 Tdx Module Software 2026-04-15 6 Medium
Sensitive information in resource not removed before reuse in some Intel(R) TDX Seamldr module software before version 1.5.02.00 may allow a privileged user to potentially enable escalation of privilege via local access.