889 matches found

NVD
added 2026/01/09 5:15 p.m., 3 views

CVE-2025-15035

Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 vpn modules allows an authenticated adjacent attacker to delete arbitrary server files, leading to possible loss of critical system files and service interruption or degraded functionality. This issue affects Archer AXE75 v1.6: ≤...

CVSS 7.3 | EPSS 0.00286
Exploits: 0 | References: 5

OSV
added 2026/01/09 5:15 p.m., 2 views

CVE-2025-15035

Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 vpn modules allows an authenticated adjacent attacker to delete arbitrary server files, leading to possible loss of critical system files and service interruption or degraded functionality. This issue affects Archer AXE75 v1.6: ≤...

CVSS 7.3 | AI score 5.9 | EPSS 0.00286
Exploits: 0 | References: 5

Veracode
added 2026/01/09 2:5 p.m., 6 views

Improper Access Control

n8n is vulnerable to Improper Access Control. The vulnerability is due to insecure handling of form-based workflows, which allows an unauthenticated attacker to access files on the underlying server and expose sensitive system information...

CVSS 10 | AI score 7 | EPSS 0.71647
Exploits: 18 | References: 4 | Affected Software: 3

RedhatCVE
added 2026/01/09 12:36 p.m., 4 views

CVE-2023-49234

An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server...

CVSS 6.3 | AI score 6.5 | EPSS 0.00227
Exploits: 1 | References: 1

RedhatCVE
added 2026/01/09 9:58 a.m., 9 views

CVE-2020-7953

An issue was discovered in OpServices OpMon 9.3.2. Without authentication, it is possible to read server files (e.g., /etc/passwd) due to the use of the nmap -iL (aka input file) option...

CVSS 7.5 | AI score 6.8 | EPSS 0.01165
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 9:36 a.m., 4 views

CVE-2024-34684

On Unix, SAP BusinessObjects Business Intelligence Platform Scheduling allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read o...

CVSS 6 | AI score 6.5 | EPSS 0.00143
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 9:17 a.m., 3 views

CVE-2025-14867

The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary file...

CVSS 6.5 | AI score 5.9 | EPSS 0.00298
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 8:57 a.m., 6 views

CVE-2023-4550

Improper Input Validation, Files or Directories Accessible to External Parties vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files. An unauthenticated or authenticated user can abuse a page of AppBuilder to read arbitrary files on the server on which it is hosted. Thi...

CVSS 7.5 | AI score 6.8 | EPSS 0.00468
Exploits: 0 | References: 1

CNNVD
added 2026/01/09 12:0 a.m., 5 views

TP-LINK Archer AXE75 Security Vulnerability

The TP-LINK Archer AXE75 is a wireless router from China P&L TP-LINK. A security vulnerability exists in the TP-LINK Archer AXE75 v1.6, which stems from improper input validation, and could lead to the deletion of arbitrary server files by an authenticated, neighboring attacker, resulting in the...

CVSS 7.3 | AI score 6.9 | EPSS 0.00286
Exploits: 0 | References: 6

NCSC
added 2026/01/08 12:34 p.m., 7 views

Vulnerability fixed in n8n

N8n has fixed a vulnerability in versions below 1.121.0. The vulnerability allows unauthorized external malicious parties to access files on the underlying server via specific, form-based workflows. This could expose sensitive information stored on the system and, depending on the configuratio...

CVSS 10 | AI score 6.6 | EPSS 0.71647
Exploits: 18 | References: 2

NVD
added 2026/01/07 12:16 p.m., 3 views

CVE-2025-14867

The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary file...

CVSS 6.5 | EPSS 0.00298
Exploits: 0 | References: 2

Positive Technologies
added 2026/01/07 12:0 a.m., 4 views

PT-2026-1562

Name of the Vulnerable Software and Affected Versions: Frontend File Manager Plugin versions prior to 23.5. Description: The Frontend File Manager Plugin for WordPress did not properly check a file path and who owned the file. This allowed any logged-in user, even those with limited permissions like...

CVSS 7.7 | AI score 6.5 | EPSS 0.00194
Exploits: 0 | References: 4

Packet Storm
added 2025/12/24 12:0 a.m., 176 views

Limesurvey 2.0 Arbitrary File Download

Limesurvey version 2.0 unauthenticated arbitrary file download proof of concept exploit. Title: Limesurvey 2.0 unauthenticated file download vulnerabili...

AI score 7.3
Exploits: 0

Snyk
added 2025/12/19 5:44 p.m., 5 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the fspath parameter in the request body. An attacker can overwrite or create arbitrary files within the server's file system by specifying absolute or relative paths, potentially leading to...

CVSS 7.1 | AI score 7 | EPSS 0.03255
Exploits: 1 | References: 2

Positive Technologies
added 2025/12/18 12:0 a.m., 4 views

PT-2025-52374

Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.15.1. Description: Weblate is a web-based localization tool. Versions prior to 5.15.1 contain a flaw that allows reading arbitrary files from the server file system. This is possible through the use of specially craft...

CVSS 7.7 | AI score 6.6 | EPSS 0.00344
Exploits: 0 | References: 10

RedhatCVE
added 2025/12/17 1:4 p.m., 14 views

CVE-2025-65076

WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root...

CVSS 8.6 | AI score 7.2 | EPSS 0.00289
Exploits: 0 | References: 1

EUVD
added 2025/12/16 3:30 p.m., 2 views

EUVD-2025-203626

WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root...

CVSS 8.6 | AI score 6.7 | EPSS 0.0042
Exploits: 0 | References: 3

NVD
added 2025/12/16 1:15 p.m., 2 views

CVE-2025-65075

WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script. This iss...

CVSS 6.5 | EPSS 0.00329
Exploits: 0 | References: 2

OSV
added 2025/12/16 1:15 p.m., 1 view

CVE-2025-65075

WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script. This iss...

CVSS 6.5 | AI score 6 | EPSS 0.0042
Exploits: 0 | References: 2

Positive Technologies
added 2025/12/16 12:0 a.m., 5 views

PT-2025-51559

WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script. This iss...

CVSS 8.6 | AI score 7.2 | EPSS 0.0042
Exploits: 0 | References: 3