84 matches found
CVE-2018-25325
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the deleteexportfile AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename paramet...
CVE-2018-25325 Woocommerce CSV Importer 3.3.6 Path Traversal File Deletion
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the deleteexportfile AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename paramet...
PT-2026-41551
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete export file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename...
WooCommerce Path Traversal Vulnerability
WooCommerce is an open-source e-commerce platform built on WordPress by WooCommerce Inc. Version 3.3.6 of WooCommerce has a path traversal vulnerability. This vulnerability allows any registered user to submit unescaped file names through the deleteexportfile AJAX operation, potentially leading t...
CVE-2026-27693
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...
CVE-2023-54348
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' ...
CVE-2026-27897
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the exportfile route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI...
CVE-2026-27897 Vociferous Unauthenticated Remote Path Traversal (RCE via CSRF)
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the exportfile route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI...
EUVD-2026-11194
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the exportfile route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI...
Vociferous Improper Access Control Vulnerability
Vociferous is a cross-platform offline voice-to-text tool developed by Andrew Brown. Versions prior to 4.4.2 of Vociferous contained an access control vulnerability. This vulnerability stemmed from the lack of filename validation in the exportfile route in src/api/system.py, along with unvalidate...
CVE-2026-2216
A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function downloadexportfile of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used...
CVE-2026-2216 rachelos WeRSS we-mp-rss tools.py download_export_file path traversal
A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function downloadexportfile of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used...
CVE-2026-2216
CVE-2026-2216 affects rachelos WeRSS we-mp-rss (≤1.4.8). The vulnerability is in the function download_export_file within apis/tools.py and arises from filename manipulation enabling path traversal. The issue can be exploited remotely; exploitation has been published and may be used. CVSS metrics...
WeRSS Path Traversal Vulnerability
WeRSS is a WeChat official account system developed by Rachel. Versions of WeRSS 1.4.8 and earlier contained a path traversal vulnerability. This vulnerability stemmed from incorrect handling of the parameter filename in the downloadexportfile function within the files apis/tools.py, which could...