
14 matches found

RedhatCVE
added 2026/01/09 8:38 a.m. · 2 views

CVE-2026-21857

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the EXPDIR POST parameter agains...

CVSS 8.3 · AI score 6.7 · EPSS 0.00027
Exploits 3 · References 1
Vulnrichment
added 2025/12/22 12:00 a.m. · 2 views

CVE-2025-68645

A Local File Inclusion LFI vulnerability exists in the Webmail Classic UI of Zimbra Collaboration ZCS 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influenc...

AI score 6.8 · EPSS 0.47553
Exploits 5 · References 2
Cvelist
added 2025/12/22 12:00 a.m. · 22 views

CVE-2025-68645

A Local File Inclusion LFI vulnerability exists in the Webmail Classic UI of Zimbra Collaboration ZCS 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influenc...

EPSS 0.47553
Exploits 5 · References 2
EUVD
added 2025/10/31 12:30 a.m. · 1 view

EUVD-2025-37210

Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence BPI component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters notably bpilogfile and bpiconfigfile allow an authenticated...

CVSS 9.4 · AI score 7.8 · EPSS 0.01351
Exploits 0 · References 4
OSV
added 2025/10/30 10:15 p.m. · 0 views

CVE-2025-34134

Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence BPI component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters notably bpilogfile and bpiconfigfile allow an authenticated...

CVSS 7.2 · AI score 6.5
Exploits 0 · References 3
Cvelist
added 2025/10/30 9:41 p.m. · 3 views

CVE-2025-34134 Nagios XI < 2024R1.4.2 RCE via Business Process Intelligence (BPI)

Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence BPI component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters notably bpilogfile and bpiconfigfile allow an authenticated...

CVSS 9.4 · EPSS 0.01351
Exploits 0 · References 3
CVE
added 2025/10/30 9:41 p.m. · 10 views

CVE-2025-34134

CVE-2025-34134 – Nagios XI BPI RCE in pre-2024R1.4.2. An authenticated administrator can abuse insufficient validation/sanitization of BPI configuration parameters (notably bpi_logfile and bpi_configfile) to create/overwrite files in the webroot and edit them via the BPI editor. If such files ha...

CVSS 9.4 · AI score 8 · EPSS 0.01351
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2025/10/30 12:00 a.m. · 2 views

PT-2025-44510

Name of the Vulnerable Software and Affected Versions: Nagios XI versions prior to 2024R1.4.2. Description: Nagios XI versions prior to 2024R1.4.2 have a remote code execution issue in the Business Process Intelligence BPI component. The issue is due to inadequate validation and sanitization of...

CVSS 9.4 · AI score 8 · EPSS 0.01351
Exploits 0 · References 6
RedhatCVE
added 2025/05/22 4:39 p.m. · 9 views

CVE-2020-3794

ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file inclusion vulnerability. Successful exploitation could lead to arbitrary code execution of files located in the webroot or its subdirectory...

CVSS 10 · AI score 7.6 · EPSS 0.21113
Exploits 0
Positive Technologies
added 2024/12/19 12:00 a.m. · 2 views

PT-2024-36398 · Zimbra · Zimbra Collaboration

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration ZCS versions 9.0 through 10.1 Description: A Local File Inclusion LFI vulnerability exists in the "/h/rest" endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory...

CVSS 7.5 · AI score 6.5 · EPSS 0.0022
Exploits 0 · References 10
Cvelist
added 2024/05/06 12:00 a.m. · 17 views

CVE-2024-34470

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read...

AI score 7.6 · EPSS 0.92783
Exploits 5 · References 1
NCSC
added 2020/02/22 12:00 a.m. · 8 views

Vulnerability fixed in Apache Tomcat

A malicious party can exploit the vulnerability to obtain information from the system. The vulnerability was caused because the AJP protocol was implemented incorrectly. A malicious party could possibly use a malicious request to read files from the webroot directory. The A...

CVSS 9.8 · AI score 7.5 · EPSS 0.94469
Exploits 44
ATTACKERKB
added 2020/02/13 4:15 p.m. · 0 views

CVE-2020-8803

SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via addtoprospectlist...

CVSS 9.8 · AI score 5.5 · EPSS 0.0096
Exploits 1 · References 4
Atlassian
added 2019/04/29 3:50 a.m. · 38 views

Lax path access check allowing access to webroot files in the META-INF directory in the CachingResourceDownloadRewriteRule class - CVE-2019-8442

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check...

CVSS 7.5 · AI score 7.3 · EPSS 0.93136
Exploits 1