55 matches found
CVE-2026-5337
CVE-2026-5337 affects the WordPress plugin “Frontend File Manager” (versions up to 23.6). The issue is an insecure direct object reference (IDOR) in the download endpoint that does not properly validate authorizations for requested uploaded files. A Subscriber-level or higher authenticated user c...
EUVD-2026-9146
IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary executable files from a remote source and execute them...
CVE-2025-64178
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be...
CVE-2025-63686
There is an arbitrary file download vulnerability in GuoMinJim PersonManage thru commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 2020-11-23 in the document query function under the Download Center menu in the PersonManage system...
CVE-2025-60242
CVE-2025-60242 affects WordPress Plugin Download Counter (versions
EUVD-2007-6371
Malware in sbrugna...
EUVD-2025-25703
Malicious code in bioql PyPI...
CVE-2025-55455
DooTask v1.0.51 was discovered to contain an authenticated arbitrary download vulnerability via the component /msg/sendtext...
dootask security vulnerability
dootask is an open source online project task management tool from dootask, Inc. A security vulnerability exists in dootask version 1.0.51, which stems from an authenticated arbitrary download issue in the /msg/sendtext component...
CVE-2023-41566
OA EKP v16 was discovered to contain an arbitrary download vulnerability via the component /ui/sys_ui_extend/sysUiExtend.do. This vulnerability allows attackers to obtain the password of the background administrator and further obtain database permissions...
CVE-2023-41566
CVE-2023-41566 affects OA EKP v16. An arbitrary download vulnerability exists in the component /ui/sys_ui_extend/sysUiExtend.do that can enable attackers to obtain the background administrator password and subsequently gain database permissions. Reported CVSS v3.1 metrics indicate a network-adjac...
mccms security vulnerability
mccms Man City CMS is a rapid website builder system by an individual developer from China, Smokey River South chshcms. A security vulnerability exists in mccms version v2.7.0, which originates from an authenticated arbitrary file download in the component /admin/Backups.php, which may...
CVE-2025-30793 WordPress Houzez Property Feed plugin <= 2.5.4 - Arbitrary File Download Vulnerability
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Property Hive Houzez Property Feed houzez-property-feed allows Path Traversal. This issue affects Houzez Property Feed: from n/a through <= 2.5.4...
Eva4 security vulnerability
Eva4 is an open source rights management infrastructure project from GoldPanKit, based on SpringBoot 2.x, Shiro, MyBatis Plus and knife4j. It can be used in conjunction with any eva system front-end to complete the development of the rights system. Eva4 v4.1.0 version of a security...
CVE-2024-24025
An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload. An attacker can pass in specially crafted filename parameter to perform arbitrary File download...
PT-2024-20243 · Unknown · Novel-Plus
Name of the Vulnerable Software and Affected Versions: Novel-Plus versions 4.3.0-RC1 and prior Description: An arbitrary File upload vulnerability exists in the uploadImg function of SysUserController at com.java2nb.system.controller.SysUserController. This allows an attacker to pass in a special...
Information disclosure
Insecure permissions in Smart Soft advancedexport before v4.4.7 allow unauthenticated attackers to arbitrarily download user information from the pscustomer table...
CVE-2023-43984
Insecure permissions in Smart Soft advancedexport before v4.4.7 allow unauthenticated attackers to arbitrarily download user information from the pscustomer table...
CVE-2023-3512
Relative path traversal vulnerability in Setelsa Security's ConacWin CB, in its 3.8.2.2 version and earlier, the exploitation of which could allow an attacker to perform an arbitrary download of files from the system via the "Download file" parameter...