CVE-2021-31731

A directory traversal issue in KiteCMS 1.1.1 allows remote administrators to overwrite arbitrary files via ../ in the path parameter to index.php/admin/Template/fileedit, with PHP code in the html parameter...

CVE-2021-43459

A Cross Site Scripting XSS vulnerability exists in Rumble Mail Server 0.51.3135 via the 1 domain and 2 path parameters...

CVE-2020-35437

Subrion CMS 4.2.1 is affected by: Cross Site Scripting XSS through the avatarpath parameter in a POST request to the /core/profile/ URI...

CVE-2020-36486

Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting XSS vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling...

CVE-2020-21525

Halo V1.1.3 is affected by: Arbitrary File reading. In an interface that reads files in halo v1.1.3, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it...

CVE-2020-26707

An issue was discovered in the add function in Shenzhim AAPTJS 1.3.1 which allows attackers to execute arbitrary code via the filePath parameter...

CVE-2020-23038

Swift File Transfer Mobile v1.1.2 and below was discovered to contain an information disclosure vulnerability in the path parameter. This vulnerability is exploited via an error caused by including non-existent path environment variables...

CVE-2020-23061

Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain an issue in the path parameter of the list and download module which allows attackers to perform a directory traversal via a change to the path variable to request the local list command...

CVE-2020-21526

An Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it...

CVE-2019-10717

BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter...

Kingdee Cloud Galaxy Private Cloud BBC System 路径遍历漏洞

Kingdee Cloud Galaxy Private Cloud BBC System is an all-inclusive cloud ERP system from China's Kingdee Kingdee. A path traversal vulnerability exists in Kingdee Cloud Galaxy Private Cloud BBC System versions V6.2 to V9.0, which stems from improper operation of the filePath parameter in the...

PT-2025-23172 · Freescout · Freescout

Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.178 Description: The issue is related to insufficient validation of user input in the php path parameter, allowing code injection. This occurs because backticks characters and tabulation are not removed from us...

VulnCheck KEV: CVE-2021-41714

In Tipask 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage...

opencms 路径遍历漏洞

opencms is a CMS system by the individual developer fumiao. A path traversal vulnerability exists in opencms, which stems from an incorrect operation of the path parameter that can lead to path traversal...

Directory Traversal

Overview agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Directory Traversal through the path parameter due to improper input sanitization. An attacker can read arbitrary files on the server by manipulating the input to...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS via the /3/ImportFiles endpoint. An attacker can cause the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests by recursively...

CVE-2024-7768

A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually...

CVE-2024-11603

A Server-Side Request Forgery SSRF vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the /queue/join? endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal...

FastChat 代码问题漏洞

FastChat is an open platform from LMSYS for training, deploying and evaluating chatbots based on large-scale language models. A code issue vulnerability exists in FastChat version 0.2.36, which stems from insufficient validation of path parameters and could lead to a server-side request forgery...

LLaVA 代码问题漏洞

LLaVA is an application by the individual developer Haotian Liu. A code issue vulnerability exists in LLaVA version 1.2.0, which stems from insufficient validation of path parameters and could lead to a server-side request forgery attack...