WordPress plugin Error Log Viewer by BestWebSoft Path Traversal Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, with the ability to host personal blog sites on PHP and MySQL based servers. WordPress...
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
Summary The ReadFileTool in Flowise does not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read arbitrary files from the file system, potentially leading to remote command execution. Details Flowise supports providing ReadFileTool for large models to...
CVE-2025-35056
Newforma Info Exchange NIX '/UserWeb/Common/MarkupServices.ashx' 'StreamStampImage' accepts an encrypted file path and returns an image of the specified file. An authenticated attacker can read arbitrary files subject to the privileges of NIX, typically 'NT AUTHORITY\NetworkService', and the...
CVE-2025-35056
Affected product: Newforma Info Exchange (NIX). Vulnerability: The StreamStampImage endpoint (/UserWeb/Common/MarkupServices.ashx) accepts an encrypted file path and returns an image of the specified file. The path is generated with a shared, hard-coded key described in CVE-2025-35052, enabling an...
CVE-2025-35053 Newforma Info Exchange (NIX) arbitrary file read and delete
Newforma Info Exchange NIX accepts requests to '/UserWeb/Common/MarkupServices.ashx' specifying the 'DownloadExportedPDF' command that allow an authenticated user to read and delete arbitrary files with 'NT AUTHORITY\NetworkService' privileges. In Newforma before 2023.1, anonymous access is enabl...
CVE-2025-35053
Summary of findings (CVE-2025-35053): Newforma Info Exchange (NIX) exposes a vulnerability in the endpoint "/UserWeb/Common/MarkupServices.ashx" where the command DownloadExportedPDF allows an authenticated user to read and delete arbitrary files with the NT AUTHORITY\NetworkService privileges. T...
CVE-2025-10249
Slider Revolution (WordPress) versions up to 6.7.37 are affected by a Missing Authorization to Authenticated (Contributor+) Arbitrary File Read vulnerability. The root cause is a missing capability check across several functions, enabling authenticated attackers with Contributor-level access and ...
CVE-2025-10249 Slider Revolution <= 6.7.37 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Read
The Slider Revolution plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions in all versions up to, and including, 6.7.37. This makes it possible for authenticated attackers, with Contributor-level access and above...
PT-2025-41469
Name of the Vulnerable Software and Affected Versions Newforma Info Exchange NIX versions prior to 2023.1 Description Newforma Info Exchange NIX allows authenticated users to read and delete arbitrary files with 'NT AUTHORITY\NetworkService' privileges through requests to the...
CVE-2025-61913 Flowise is vulnerable to arbitrary file read, arbitrary file write
Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any...
CVE-2025-61913
Summary: Flowise contains directory-traversal vulnerabilities via its ReadFileTool and WriteFileTool (and related components) that allow an authenticated attacker to read or write arbitrary files on the server, potentially enabling remote command execution. The root cause is lack of validation of...
Linux Distros Unpatched Vulnerability : CVE-2025-54287
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary...
Exploit for CVE-2025-7401
CVE-2025-7401 Premium Age Verification / Restriction for WordP...
CVE-2025-61784 LLaMA Factory's Chat API has Critical SSRF and LFI Vulnerabilities
LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery SSRF vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure ...
CVE-2025-10162
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack...
CVE-2025-10162 OrderConvo < 14 - Unauthenticated Arbitrary File Read
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack...