CVE-2026-41302

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch calls to access internal resources or interact with external...

CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download...

EUVD-2013-1672

Malware in sbrugna...

EUVD-2025-16560

Malicious code in bioql PyPI...

CVE-2025-2306

An Improper Access Control vulnerability was identified in the file download functionality. This vulnerability allows users to download sensitive documents without authentication, if the URL is known. The attack requires the attacker to know the documents UUIDv4...

CVE-2025-2306

CVE-2025-2306 concerns an Improper Access Control in LIVE CONTRACT’s file download feature. The vulnerability allows an unauthenticated attacker who knows a document UUIDv4 to download sensitive documents, with the attack vector described as network and requiring no privileges or user interaction...

CVE-2025-2305

CVE-2025-2305 is a local file inclusion/path-traversal vulnerability affecting LIVE CONTRACT. The files download function allows unauthenticated users to download arbitrary files from the Linux server. Documented details indicate no exploitation status and no confirmed fix across the sources; PT ...

Webmin < 2.100 Multiple Vulnerabilities

According to its self-reported version, the Webmin install hosted on the remote host is prior to 2.100. It is, therefore, affected by multiple vulnerabilities: - A Cross-Site Scripting XSS vulnerability exists in the Users Real name parameter. - A Cross-Site Scripting XSS vulnerability exists in...

CVE-2024-47579

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows th...

CVE-2024-1303

Incorrectly limiting the path to a restricted directory vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows an authenticated attacker to retrieve any file from the device using the download-file functionality...

CVE-2024-25164

iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality...

Path traversal

iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality...

CVE-2024-25164

iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality...

CVE-2024-25164

iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality...

Cross site scripting

An issue was discovered in Webmin 2.021. The download functionality allows an attacker to exploit a Cross-Site Scripting XSS vulnerability. By providing a crafted download path containing a malicious payload, an attacker can inject arbitrary code, which is then executed within the context of the...

CVE-2023-38305

An issue was discovered in Webmin 2.021. The download functionality allows an attacker to exploit a Cross-Site Scripting XSS vulnerability. By providing a crafted download path containing a malicious payload, an attacker can inject arbitrary code, which is then executed within the context of the...

CVE-2023-38305

An issue was discovered in Webmin 2.021. The download functionality allows an attacker to exploit a Cross-Site Scripting XSS vulnerability. By providing a crafted download path containing a malicious payload, an attacker can inject arbitrary code, which is then executed within the context of the...

CVE-2023-36819 Knowage-Server vulnerable to Path traversal in download functionalities

Knowage is the professional open source suite for modern business analytics over traditional sources and big data systems. The endpoint /knowage/restful-services/dossier/importTemplateFile allows authenticated users to download template hosted on the server. However, starting in the 6.x.x branch...

CVE-2022-40289 Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.

The application was vulnerable to an authenticated Stored Cross-Site Scripting XSS in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files...

PT-2022-25324 · Php Point Of Sale Llc +1 · Php Point Of Sale

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: The application is affected by an authenticated Stored Cross-Site Scripting XSS issue in the upload and download functionality. This could allow attackers to escalate privileges or...