Snyk
added 2025/08/21 3:43 p.m., 1 view

Arbitrary File Upload

Overview: Affected versions of this package are vulnerable to Arbitrary File Upload via the upload function configuration. An attacker can write arbitrary files with any extension to any location on the target server by uploading crafted files. Remediation: There is no fixed version for...

CVSS 8.8, AI score 7.2, EPSS 0.00226
Exploits: 0, References: 2
OSV
added 2025/08/21 2:26 p.m., 6 views

GHSA-V22V-XWH7-2VRM UnoPim vulnerable to remote code execution through Arbitrary File upload

Summary: Affected Functionality: Image upload at User creation. Endpoint: /admin/settings/users/create. Details: The image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy lik...

CVSS 8.6, AI score 6, EPSS 0.0014
Exploits: 1, References: 4
Cvelist
added 2025/08/20 1:44 a.m., 6 views

CVE-2025-8141 Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteassociatedfiles function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary fil...

CVSS 8.8, EPSS 0.00571
Exploits: 0, References: 2
Vulnrichment
added 2025/08/14 12:00 a.m., 2 views

CVE-2025-50817

A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker...

AI score 7.2, EPSS 0.00094
Exploits: 0, References: 4
Github Security Blog
added 2025/08/11 1:38 p.m., 11 views

TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)

Description: A critical path traversal vulnerability (CWE-22) has been identified in the reviewpaper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. Impact...

CVSS 8.8, AI score 7.2, EPSS 0.0048
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2025/08/11 1:38 p.m., 5 views

GHSA-RRGF-HCR9-JQ6H TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)

Description: A critical path traversal vulnerability (CWE-22) has been identified in the reviewpaper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. Impact...

CVSS 8.8, AI score 7.2, EPSS 0.0048
Exploits: 0, References: 4
Tenable Nessus
added 2025/08/11 12:00 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2020-1934

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934) Note that Nessus relies o...

CVSS 5.3, AI score 7, EPSS 0.27241
Exploits: 0, References: 2
Snyk
added 2025/08/09 2:41 a.m., 2 views

Directory Traversal

Overview: tiny-scientist is a lightweight framework for building research agents. Affected versions of this package are vulnerable to Directory Traversal via the reviewpaper function in the backend/app.py file. An attacker can access arbitrary PDF files on the server by supplying crafted file...

CVSS 8.8, AI score 7.7, EPSS 0.0048
Exploits: 0, References: 2
Vulnrichment
added 2025/08/08 4:39 a.m., 2 views

CVE-2025-54959

Powered BLUE Server versions 0.20130927 and prior contain a path traversal vulnerability. If this vulnerability is exploited, an arbitrary file in the affected product may be disclosed...

CVSS 5.3, AI score 4.9, EPSS 0.0026
Exploits: 0, References: 2
NVD
added 2025/08/01 9:15 p.m., 2 views

CVE-2013-10047

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server = Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server's filesystem. By abusing the upload handler and crafting a traversal path, an attacker can place a malicious .exe in system32,...

CVSS 9.3, EPSS 0.75745
Exploits: 0, References: 4
BDU FSTEC
added 2025/07/29 12:00 a.m., 1 view

A vulnerability in the firmware of the D-Link DI-7300G+ router stems from a failure to neutralize special elements when processing the ASP file httpd_debug.asp, allowing attackers to execute arbitrary commands.

The vulnerability in the D-Link DI-7300G+ router firmware is related to the lack of measures to neutralize special elements during the processing of the ASP file httpd_debug.asp. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands...

CVSS 10, EPSS 0.00818
Exploits: 0, References: 6, Affected Software: 1
RedhatCVE
added 2025/07/25 6:27 a.m., 6 views

CVE-2025-54440

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0...

CVSS 9.8, AI score 6.6, EPSS 0.00452
Exploits: 0, References: 1
CNNVD
added 2025/07/24 12:00 a.m., 1 view

WordPress plugin AI Engine information disclosure vulnerability

WordPress AI Engine is a plugin based on OpenAI technology, mainly used to integrate artificial intelligence features into WordPress websites to improve the efficiency of content generation, automated operations and so on. WordPress AI Engine suffers from an information disclosure...

CVSS 6.5, AI score 6.2, EPSS 0.00274
Exploits: 0, References: 6
OSV
added 2025/07/15 2:47 p.m., 4 views

CVE-2025-53622 DSpace has path traversal vulnerability in Simple Archive Format (SAF) package import via contents file

DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive in Simple Archive Format, either from command-line ./dspace import command ...

CVSS 5.2, AI score 6.4, EPSS 0.00267
Exploits: 0, References: 9
BDU FSTEC
added 2025/07/14 12:00 a.m., 1 view

A vulnerability in WinSCP, the graphical SFTP and SCP client for the Windows operating system, arises from incorrect path name restrictions for access-controlled directories. This allows attackers to create a special file and control its path on a remote server.

The vulnerability in the graphical SFTP and SCP client for the Windows operating system is related to incorrect path name restrictions for access to restricted directories. Exploiting this vulnerability allows an attacker to create a special file and control its path on a remote server...

CVSS 6.8, AI score 5.6
Exploits: 0, References: 1, Affected Software: 1
OSV
added 2025/07/11 12:15 a.m., 1 view

CVE-2025-46704

A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing...

CVSS 5.3, AI score 5.9
Exploits: 0, References: 2
CVE
added 2025/06/26 6:21 p.m., 115 views

CVE-2025-52904

CVE-2025-52904 affects Filebrowser (v2.32.0) where the Command Execution feature is not scoped per user, allowing shell commands to run with the server process UID and access files across all scopes, potentially exposing the password database and enabling unauthorized read/write access. The repor...

CVSS 8, AI score 7.7, EPSS 0.01146
Exploits: 1, References: 4, Affected Software: 1
Vulnrichment
added 2025/06/21 12:45 p.m., 4 views

CVE-2025-3629 IBM InfoSphere Information Server file manipulation

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an authenticated user to delete another user's comments due to improper ownership management...

CVSS 4.3, AI score 4.4, EPSS 0.00139
Exploits: 0, References: 1
Hacker One
added 2025/06/06 11:16 a.m., 196 views

Lichess: Path Traversal Vulnerability in Lila Project

A path traversal vulnerability was discovered in the Lila project that allowed an attacker to access arbitrary files on the server by manipulating user-supplied input to traverse outside the intended directory structure...

AI score 7.1
Exploits: 0
OSV
added 2025/05/29 5:27 p.m., 3 views

GHSA-42HM-PQ2F-3R7M PHPOffice Math allows XXE when processing an XML file in the MathML format

Product: Math. Version: 0.2.0. CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference. CVSS vector v4.0: 8.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. CVSS vector v3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Description: An attacker can create a special XML file, duri...

CVSS 8.7, AI score 7, EPSS 0.00369
Exploits: 0, References: 4