CVE-2026-41948

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...

Command Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection via unsanitized input to the wget function. An attacker can execute arbitrary system commands by supplying crafted input containing shell...

PT-2026-25719

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...

EUVD-2019-9230

Malware in sbrugna...

📄 ABB Cylon FLXeon 9.3.5 siteGuide.js Authenticated Root Remote Code Execution

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/siteGuide endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the filename and/or originalname parameters. The issue arises due to improper...

CVE-2021-35358

A stored cross site scripting XSS vulnerability in dotAdmin//c/cImages of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters...

Rockwell Automation ISaGRAF 路径遍历漏洞

Rockwell Automation ISaGRAF is an automation software technology for creating integrated automation solutions from Rockwell Automation. It is designed to be scalable and portable and is suitable for developing small controllers and large distributed automation systems. A security vulnerability...

CVE-2019-15266

A vulnerability in the CLI of Cisco Wireless LAN Controller WLC Software could allow an authenticated, local attacker to view system files that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in command-line parameters that describe filenames. An...

CVE-2019-1818

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network EPN Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted. This vulnerability is due to...

PT-2019-2412 · Cisco · Cisco Prime Infrastructure +1

Name of the Vulnerable Software and Affected Versions: Cisco Prime Infrastructure versions affected versions not specified Cisco Evolved Programmable Network EPN Manager versions affected versions not specified Description: The issue is related to errors in processing HTTP requests in the web-bas...

PT-2018-2128 · Cisco · Cisco Wireless Lan Controller +1

Name of the Vulnerable Software and Affected Versions: Cisco Wireless LAN Controller Software affected versions not specified Description: The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames and pathnames, allowing an authenticated,...

CVE-2018-15810

Visiology Flipbox Software Suite before 2.7.0 allows directory traversal via %5c%2e%2e%2f because it does not sanitize filename parameters...

Cisco Unified Communications Manager Java Interface SQL Injection Vulnerability

A vulnerability in BulkViewFileContentsAction.java of Cisco Unified Communications Manager Cisco Unified CM could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to improper filename parameters. An attacker could exploit this vulnerability by...

CVE-2012-0791

Multiple cross-site scripting XSS vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the 1 composeCache, 2 rtemode, or 3 filename parameters to the compose page; 4 formname parameter to the...

Directory traversal

Multiple directory traversal vulnerabilities in download.php in ISPworker 1.21 allow remote attackers to read arbitrary files via a .. dot dot in the 1 ticketid and 2 filename parameters...