CVE-2026-35080 Arbitrary file delete vulnerability in method ugw-restoreinfo

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

CVE-2026-35079 Arbitrary file delete vulnerability in method ugw-restore

The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

CVE-2026-35079

The CVE-2026-35079 entry describes an issue in the ugw-restore method where a remote attacker with user privileges can delete arbitrary local files due to insufficient validation of user-controlled input. The vulnerability is assessed with high severity (CVSS 4.0: base 7.2; CVSS 3.1: base 8.1), r...

CVE-2026-35078 Arbitrary file delete vulnerability in method ugw-logstop

The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

OpenAPI Generator <= 7.5.0 - Arbitrary File Read/Delete

OpenAPI Generator versions 7.5.0 and below are prone to an Arbitrary File Read/Delete vulnerability. Attackers can exploit this vulnerability to read and delete files and folders from an arbitrary, writable directory. id: CVE-2024-35219 info: name: OpenAPI Generator = 7.5.0 - Arbitrary File...

GHSA-QC4C-HRMC-4F78 Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges

Summary An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folderuuid URL parameter...

Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete

Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request. id: CVE-2021-46424 info: name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete author: gy741 severity:...

PT-2026-40910

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup...

CVE-2026-0259 WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...

CVE-2026-0259 WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...

CVE-2026-0259

CVE-2026-0259 affects Palo Alto Networks WildFire Appliance WF-500 and WF-500-B operating in the default non-FIPS configuration. It enables an arbitrary File Read and Delete vulnerability over the network, allowing access to sensitive information and deletion of arbitrary files. Impact is describ...

CVE-2026-44243 GitPython: Path traversal in GitPython reference APIs allows arbitrary file write and delete outside the repository

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory...

GHSA-7545-FCXQ-7J24 GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository

🧾 Summary A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and...

CVE-2026-40611

A flaw was found in lego, the Let's Encrypt client and ACME library written in Go. A malicious ACME Automated Certificate Management Environment server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing...

CVE-2026-33733

CVE-2026-33733 affects EspoCRM prior to version 9.3.4, where admin TemplateManager endpoints incorrectly handle attacker-controlled name and scope values. This allows an authenticated admin to use directory traversal (../) to escape the intended template directory and read, create, overwrite, or ...

CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

CVE-2026-3464

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajaxattachfile' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator...

PT-2026-33465

Name of the Vulnerable Software and Affected Versions WP Customer Area versions prior to 8.3.5 Description Insufficient file path validation in the ajax attach file function allows authenticated attackers with roles granted by an administrator, such as Subscriber, to read or delete arbitrary file...

ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider

Summary The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego...

CVE-2025-61624

An Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' CWE-22 vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions,...