PT-2025-2264 · WordPress · Live2Dwebcanvas

Name of the Vulnerable Software and Affected Versions: Live2DWebCanvas plugin for WordPress versions up to, and including, 1.9.11 Description: The issue is related to insufficient file path validation in the ClearFiles function, allowing authenticated attackers with Subscriber-level access and...

WordPress plugin Contact Form 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exist...

CVE-2024-13720

CVE-2024-13720 concerns the WordPress plugin WP Image Uploader, affected versions up to and including 1.0.1. The issue is an insufficient file path validation in gky_image_uploader_main_function(), enabling unauthenticated attackers to delete arbitrary files on the server (potential path traversa...

Relative Path Traversal

github.com/hashicorp/go-slug is vulnerable to Relative Path Traversal. The vulnerability is due to improper path validation when extracting user-provided paths from tar entries, allowing for directory traversal and potential overwriting of arbitrary files...

PT-2025-47805

Name of the Vulnerable Software and Affected Versions macOS versions prior to Ventura 13.7.3 macOS versions prior to Sonoma 14.7.3 macOS versions prior to Sequoia 15.5 Description A flaw exists in how the operating system parses directory paths. This can lead to an application gaining access to...

CVE-2024-12885

The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. This makes it possible for authenticated attackers, with...

CVE-2024-12885

The CVE-2024-12885 entry concerns the WordPress plugin Connections Business Directory. Affected versions: all up to 10.4.66. Root cause: insufficient file path validation when deleting the Connections Images directory, enabling an authenticated attacker with Administrator+ privileges to delete ar...

CVE-2024-12885 Connections Business Directory <= 10.4.66 - Authenticated (Admin+) Arbitrary Directory Deletion

The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. This makes it possible for authenticated attackers, with...

PT-2025-1976 · WordPress · Connections Business Directory

Name of the Vulnerable Software and Affected Versions: Connections Business Directory plugin for WordPress versions up to, and including, 10.4.66 Description: The issue is related to insufficient file path validation when deleting a connections image directory, allowing authenticated attackers wi...

Access Control List (ACL) Bypass

gradio is vulnerable to an Access Control List ACL Bypass. The vulnerability is due to improper case normalization in the file path validation logic through the blockedpaths parameter of the isallowedfile function, allows an attacker can gain unauthorized access to sensitive files by altering the...

CVE-2025-23042

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List ACL for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

Improper Handling of Case Sensitivity

Overview gradio is a Python library for easily interacting with trained machine learning models Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to improper case normalization in the file path validation logic through the blockedpaths parameter of the...

CVE-2024-37372

The CVE-2024-37372 entry concerns Node.js and the experimental permission model. The root cause is a faulty assumption in UNC path handling: the model treats paths starting with two backslashes as having a four-character prefix that can be ignored, which is not universally true. This leads to vul...

Arbitrary File Write

Luigi is vulnerable to Arbitrary File Write. The vulnerability is due to improper destination file path validation in the extractpackagesarchive function, which allows attackers to craft malicious archive files with paths that traverse outside the intended extraction directory...

Path Traversal

pghoard is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths, which allows an attacker to traverse directories and access unauthorized files with the same privileges as the pghoard process...

CVE-2024-12066

The SMSA Shippingofficial plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsadeletelabel function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, t...

CVE-2024-12066

The CVE-2024-12066 entry concerns the SMSA Shipping (official) WordPress plugin. Affected versions up to 2.2 are vulnerable due to insufficient file path validation in the smsa_delete_label() function, enabling authenticated users with Subscriber+ privileges to delete arbitrary files on the serve...

WordPress plugin SMSA Shipping(official) 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPress...

PT-2024-17426 · WordPress · Smsa Shipping

Name of the Vulnerable Software and Affected Versions: SMSA Shipping plugin for WordPress versions up to, and including, 2.2 Description: The SMSA Shipping plugin for WordPress has a flaw in the smsa delete label function due to insufficient file path validation. This issue allows authenticated...

SUSE CVE-2024-55657

SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16...