258 matches found
CVE-2026-48929
Rocket.Chat in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket...
CVE-2026-48929
Rocket.Chat versions older than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 are vulnerable to unauthenticated file deletion through the deleteFileMessage Meteor method. When called over an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, bypassing the auth...
PT-2026-50131
Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 8.5.1 Rocket.Chat versions prior to 8.4.4 Rocket.Chat versions prior to 8.3.6 Rocket.Chat versions prior to 8.2.6 Rocket.Chat versions prior to 8.1.6 Rocket.Chat versions prior to 8.0.7 Rocket.Chat versions prior ...
CVE-2026-45230
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...
CVE-2026-35077
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
CVE-2026-35077 Arbitrary file delete vulnerability in method ugw-delete-file
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
CVE-2026-35077
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
CVE-2026-35077 Arbitrary file delete vulnerability in method ugw-delete-file
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
EUVD-2026-34073
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
CVE-2026-35077
Technical details such as affected product versions, root cause specifics, and remediation are not publicly available in the provided documents. Monitor for updates from CERT VDE and CVE listings.
PT-2026-45918
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
CVE-2026-10226 raisulislamg4 student_management_system_by_php delete.php sql injection
A flaw has been found in raisulislamg4 studentmanagementsystembyphp up to 310d950e09013d5133c6b9210aff9444382d16d1. Impacted is an unknown function of the file delete.php. Executing a manipulation of the argument userid/courseid/teacherid/studentid/applicationid can lead to sql injection. The...
EUVD-2026-32736
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the processbulkaction function, the...
EUVD-2026-31361
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...
CVE-2026-7882
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...
PT-2026-42555
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An inverted CSRF token check in the DeleteFile controller allows unauthorized file deletion. The system incorrectly throws an error when the token is valid and proceeds with the deletion process...
CVE-2026-45230
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...
CVE-2026-45230
CVE-2026-45230 affects DumbAssets 1.0.11 and earlier. The issue is a path traversal vulnerability in POST /api/delete-file and the filesToDelete array, allowing unauthenticated attackers to supply ".." sequences to escape the application directory and delete arbitrary files (e.g., server.js, pack...
EUVD-2026-30790
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...
CVE-2026-45230 DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...