Search Results (521 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-29778 2 Pyload, Pyload-ng Project 2 Pyload, Pyload-ng 2026-04-17 7.1 High
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
CVE-2026-1762 1 Ge Vernova 1 Enervista 2026-04-16 2.9 Low
A vulnerability in GE Vernova Enervista UR Setup on Windows allows File Manipulation.This issue affects Enervista: 8.6 and prior versions.
CVE-2026-21620 1 Erlang 3 Erlang/otp, Erlang\/otp, Otp 2026-04-16 4.2 Medium
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
CVE-2026-1461 2 Wordpress, Wpinsider-1 2 Wordpress, Simple Membership 2026-04-15 6.5 Medium
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
CVE-2024-6433 1 Stitionai 1 Devika 2026-04-15 N/A
The application zips all the files in the folder specified by the user, which allows an attacker to read arbitrary files on the system by providing a crafted path. This vulnerability can be exploited by sending a request to the application with a malicious snapshot_path parameter.
CVE-2021-4459 1 Sma 8 Sunny Boy, Sunny Boy 1.5, Sunny Boy 2.5 and 5 more 2026-04-15 6.5 Medium
An authorized remote attacker can access files and directories outside the intended web root, potentially exposing sensitive system information of the affected Sunny Boy devices.
CVE-2025-7619 1 Wellchoose 1 Batchsigncs 2026-04-15 8.8 High
BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution.
CVE-2025-62498 1 Automationdirect 8 P1-540, P1-550, P2-550 and 5 more 2026-04-15 8.8 High
A relative path traversal (ZipSlip) vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an attacker who can tamper with a productivity project to execute arbitrary code on the machine where the project is opened.
CVE-2025-59341 1 Esm-dev 1 Esmsh 2026-04-15 N/A
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
CVE-2025-59336 1 Lumen 1 Luanox 2026-04-15 N/A
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
CVE-2025-58078 1 Automationdirect 8 P1-540, P1-550, P2-550 and 5 more 2026-04-15 7.5 High
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
CVE-2025-27791 2026-04-15 N/A
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.
CVE-2025-24350 2026-04-15 7.1 High
A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request.
CVE-2025-24343 2026-04-15 5.4 Medium
A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request.
CVE-2025-24336 2026-04-15 N/A
SXF Common Library handles input data improperly. If a product using the library reads a crafted file, the product may be crashed.
CVE-2025-20192 1 Cisco 1 Ios Xe Software 2026-04-15 7.7 High
A vulnerability in the Internet Key Exchange version 1 (IKEv1) implementation of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The attacker must have valid IKEv1 VPN credentials to exploit this vulnerability. This vulnerability is due to improper validation of IKEv1 phase 2 parameters before the IPsec security association creation request is handed off to the hardware cryptographic accelerator of an affected device. An attacker could exploit this vulnerability by sending crafted IKEv1 messages to the affected device. A successful exploit could allow the attacker to cause the device to reload.
CVE-2025-0225 2026-04-15 4.3 Medium
A vulnerability classified as problematic was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is an unknown functionality of the file /setting/ClassFy/exampleDownload.html. The manipulation of the argument name leads to path traversal: '/../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-3940 2026-04-15 7.5 High
Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to access any file on the system. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others.
CVE-2023-3941 2026-04-15 10 Critical
Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others.
CVE-2024-33615 1 Cyberpower 1 Powerpanel Business 2026-04-15 8.8 High
A specially crafted Zip file containing path traversal characters can be imported to the CyberPower PowerPanel server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution.