CVE-2025-6866

A vulnerability has been found in code-projects Simple Forum 1.0 and classified as critical. This vulnerability affects unknown code of the file /forumdownloadfile.php. The manipulation of the argument filename leads to path traversal. The attack can be initiated remotely. The exploit has been...

Code-Projects Simple Forum 路径遍历漏洞

Simple forum is a simple forum. Simple forum suffers from a path traversal vulnerability, which stems from the parameter filename in the file /forumdownloadfile.php failing to properly filter for special elements in the path of a resource or file. An attacker can exploit this vulnerability to cau...

sublinkX 路径遍历漏洞

sublinkX is an open source node subscription conversion and generation management system developed by Chen Hui. A path traversal vulnerability exists in sublinkX 1.8 and earlier versions, which stems from the incorrect operation of the parameter filename in the file api/template.go, resulting in...

TOTOLINK CA300-PoE 命令注入漏洞

TOTOLINK CA300-PoE is a wireless access point from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK CA300-PoE upgrade.so file, which stems from the parameter FileName of the file upgrade.so failing to correctly filter construct command special characters...

Steel Browser 安全漏洞

Steel Browser is an open source browser API for an artificial intelligence agent open-sourced by Steel. A security vulnerability exists in Steel Browser version 0.1.3 and earlier, which stems from path traversal due to the filename parameter operation in the api/src/modules/files/files.routes.ts...

H3C SecCenter SMP-E1114P02 路径遍历漏洞

H3C SecCenter SMP-E1114P02 is a security management platform from China's Xinhua San H3C. A path traversal vulnerability exists in H3C SecCenter SMP-E1114P02 20250513 and earlier versions, which stems from path traversal due to incorrect operation of the parameter filename in the file...

H3C SecCenter SMP-E1114P02 路径遍历漏洞

H3C SecCenter SMP-E1114P02 is a security management platform from China's Xinhua San H3C. A path traversal vulnerability exists in H3C SecCenter SMP-E1114P02 20250513 and earlier versions, which stems from path traversal due to incorrect operation of the parameter filename in the file...

CVE-2024-7356

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-30849

Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/productsphoto.php...

CVE-2024-24025

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload. An attacker can pass in specially crafted filename parameter to perform arbitrary File download...

CVE-2024-37673

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter...

CVE-2024-25525

RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the filename parameter at /WorkFlow/OfficeFileDownload.aspx...

CVE-2024-24026

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg. An attacker can pass in specially crafted filename parameter to perform arbitrary File download...

CVE-2024-54919

A Stored Cross Site Scripting XSS was found in /teacheravatar.php of kashipara E-learning Management System v1.0. This vulnerability allows remote attackers to execute arbitrary java script via the filename parameter...

CVE-2024-27525

Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component...

CVE-2024-27524

Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the newticket.php component...

CVE-2023-26256

An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system...

CVE-2023-37149

TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function...

CVE-2023-36348

POS Codekop v2.0 was discovered to contain an authenticated remote code execution RCE vulnerability via the filename parameter...

CVE-2023-24148

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadUserData function...