716 matches found
CVE-2024-54909
A vulnerability has been identified in GoldPanKit eva-server v4.1.0. It affects the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter can lead to arbitrary file download...
CVE-2024-54909
GoldPanKit eva-server v4.1.0 is affected by a vulnerability in the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter can lead to arbitrary file download. The root cause is a flaw in handling the path input for that endpoint, enabling access to files...
PT-2025-5875 · Unknown · Goldpankit Eva-Server
Name of the Vulnerable Software and Affected Versions: GoldPanKit eva-server version 4.1.0 Description: A vulnerability has been identified that affects the path parameter of the "/api/resource/local/download" endpoint. Manipulation of this path parameter can lead to arbitrary file download...
PT-2025-2212 · WordPress · Bootstrap Ultimate
Name of the Vulnerable Software and Affected Versions: Bootstrap Ultimate theme for WordPress versions up to and including 1.4.9 Description: The issue allows unauthenticated attackers to include PHP files on the server via the path parameter, enabling the execution of any PHP code in those files...
PT-2025-2201 · WordPress · The Image Source Control Lite
Name of the Vulnerable Software and Affected Versions: The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress versions up to, and including, 2.28.0 Description: The plugin is vulnerable to Reflected Cross-Site Scripting via the path parameter due to insufficient inpu...
CVE-2025-22152 Improper Path Validation Enables Path Traversal in Multiple Components in Atheos
Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited through various attack...
PT-2025-3775 · Tata Consultancy Services · Tcs Bancs
Name of the Vulnerable Software and Affected Versions: TCS BaNCS version 10 Description: A vulnerability was found in TCS BaNCS, affecting an unknown part of the file /REPORTS/REPORTS SHOW FILE.jsp. The manipulation of the FilePath argument leads to file inclusion. The real existence of this...
PT-2024-17899 · Tsinghua Unigroup · Tsinghua Unigroup Electronic Archives Management System
Name of the Vulnerable Software and Affected Versions: Tsinghua Unigroup Electronic Archives Management System version 3.2.21080262532 Description: A vulnerability was found in the Tsinghua Unigroup Electronic Archives Management System. It has been classified as problematic and affects the...
CVE-2024-55657
CVE-2024-55657 affects SiYuan prior to version 3.1.16, where an arbitrary file read vulnerability exists in the /api/template/render endpoint due to insufficient path validation. The issue allows reading sensitive host files and is mitigated by upgrading to version 3.1.16, which includes a patch...
CVE-2024-55657 SiYuan has an arbitrary file read via /api/template/render
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16...
GHSA-XX68-37V4-4596 SiYuan has an arbitrary file read via /api/template/render
Summary An arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Impact Arbitrary file read on the host...
PT-2024-36571 · Siyuan · Siyuan
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.1.16 Description: An arbitrary file read issue exists due to the absence of proper validation on the path parameter in the "/api/template/render" endpoint. This allows attackers to access sensitive files on the host...
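The entries above (eva-server, Atheos, SiYuan) all reduce to the same defect: a user-controlled path parameter is joined onto a resource directory and opened without being checked against that directory. The following is an added example, not code from any product listed on this page; the resource root, file names and function names are hypothetical. It places the unchecked join beside a hardened version that resolves the path (collapsing `..` and following symlinks) and then requires the result to stay under the resolved root, and runs both against the traversal shapes these entries describe: a `../` segment, an absolute path, and a symlink inside the root that points outside it.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_open(root: str, path: str) -> bytes:
    """Vulnerable: the user-supplied path is joined onto the resource root
    with no check. os.path.join drops `root` entirely when `path` is absolute,
    `..` segments walk out of the root, and symlinks are followed blindly."""
    return Path(os.path.join(root, path)).read_bytes()


def safe_open(root: str, path: str) -> bytes:
    """Hardened: resolve both sides (collapsing `..` and following symlinks),
    then require the resolved file to sit under the resolved root."""
    if "\x00" in path:
        # A NUL byte would truncate the name at the C level; reject it outright.
        raise PermissionError("NUL byte in path")
    root_real = Path(root).resolve()
    # pathlib's `/` discards root_real when `path` is absolute, which is
    # exactly what the containment check below catches.
    candidate = (root_real / path).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise PermissionError(f"path escapes resource root: {path!r}")
    if not candidate.is_file():
        raise FileNotFoundError(path)
    return candidate.read_bytes()


def demo() -> dict:
    """Constructed sample tree (not real data): one public file inside the
    root, one secret outside it, and a symlink inside the root pointing at the
    secret. Returns {label: (vulnerable outcome, hardened outcome)}, where an
    outcome is the file's bytes or the name of the exception raised."""
    base = Path(tempfile.mkdtemp())
    root = base / "resources"
    root.mkdir()
    (root / "report.txt").write_bytes(b"public report")
    secret = base / "secret.txt"
    secret.write_bytes(b"db password")
    (root / "link").symlink_to(secret)

    payloads = {
        "plain": "report.txt",        # legitimate request
        "dotdot": "../secret.txt",    # classic traversal
        "absolute": str(secret),      # absolute path replaces the root
        "symlink": "link",            # in-root link escaping the root
    }
    results = {}
    for label, p in payloads.items():
        outcome = []
        for opener in (vulnerable_open, safe_open):
            try:
                outcome.append(opener(str(root), p))
            except OSError as exc:
                outcome.append(type(exc).__name__)
        results[label] = tuple(outcome)
    return results


if __name__ == "__main__":
    for label, (vuln, safe) in demo().items():
        print(f"{label:9} vulnerable={vuln!r:22} hardened={safe!r}")
```

The containment check is done on resolved paths rather than on the string (a `startswith` on the raw string is defeated by symlinks and by a sibling directory whose name merely begins with the root's name). Web frameworks normally URL-decode the parameter once before it reaches this code; decoding it a second time inside the handler is what turns `%252e%252e/` into a working payload, so the function takes the already-decoded value and does not decode again.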
D-Link DI-8003 Command Injection Vulnerability
The D-Link DI-8003 is a wireless router made by D-Link. A command injection vulnerability exists in D-Link DI-8003 version 16.07.16A1. It stems from the path parameter of the file /upgradefilter.asp failing to correctly filter special characters used to construct commands, commands, et...
PT-2024-34882 · Gradio · Gradio
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 5.5.0 Description: The issue allows an attacker with access to the application to abuse File or UploadButton components and read arbitrary files from the application server. This is possible because the client utils.i...
CVE-2024-49359
CVE-2024-49359 affects ZimaOS (fork of CasaOS) prior to or including version 1.2.4. The vulnerability is a directory traversal in the API endpoint /v2_1/file, exploitable by an authenticated user who can manipulate the path parameter to list arbitrary directories (e.g., /etc) on the server. The r...
CVE-2024-44413
A vulnerability was discovered in DI_8200-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection...
PT-2024-31147 · Di 8200 · Di 8200
Name of the Vulnerable Software and Affected Versions: DI 8200 version 16.07.26A1 Description: A critical issue has been discovered, affecting the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection. Recommendations: For DI...
CVE-2024-44413
CVE-2024-44413 describes a critical command-injection flaw in the D-Link DI_8200 family (example: DI_8200-16.07.26A1). The issue arises in the upgrade_filter_asp function inside upgrade_filter.asp where manipulating the path parameter can lead to arbitrary command execution. Connected sources con...
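The D-Link entries on this page describe the other fate of an unfiltered path parameter: instead of being opened as a file, it is spliced into a command line for a shell. The following is an added example, not D-Link firmware code; the tool name, the firmware-name policy and the function names are hypothetical, and `echo` stands in for the flash-writing tool so the example runs anywhere. It shows the concatenated shell command beside two fixes, argv-only (no shell, so metacharacters are inert but the value is still unchecked) and allowlist plus argv, against a `;` payload and a `$(...)` payload.

```python
import re
import subprocess

# Allowlist for the `path` parameter: one plain filename, no separators,
# no shell metacharacters. Hypothetical policy for this example.
FIRMWARE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# `echo` stands in for the flash-writing tool so the example runs offline.
TOOL = "echo"


def vulnerable_run(path: str) -> str:
    """Vulnerable: concatenates the parameter into a shell command line.
    `;`, `|`, `&&`, backticks, `$(...)` and newlines all end the intended
    command and start the attacker's; shell=True hands the string to sh -c."""
    cmd = f"{TOOL} writing /tmp/{path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_run(path: str) -> str:
    """Partial fix: no shell at all. The parameter is a single argv element,
    so metacharacters reach the tool as literal text. The value is still not
    validated, so the tool itself must cope with whatever it receives."""
    return subprocess.run([TOOL, "writing", f"/tmp/{path}"],
                          capture_output=True, text=True).stdout


def hardened_run(path: str) -> str:
    """Hardened: allowlist the value first, then invoke without a shell."""
    if not FIRMWARE_NAME.fullmatch(path):
        raise ValueError(f"rejected firmware name: {path!r}")
    return argv_run(path)


def demo() -> dict:
    """Constructed payloads (not from any advisory). Returns
    {label: (vulnerable stdout, argv-only stdout, hardened stdout or 'rejected')}."""
    payloads = {
        "benign": "DI_8200-16.07.26A1.bin",
        "semicolon": "fw.bin; echo INJECTED",
        "subshell": "$(echo INJECTED).bin",
    }
    results = {}
    for label, p in payloads.items():
        try:
            hardened = hardened_run(p)
        except ValueError:
            hardened = "rejected"
        results[label] = (vulnerable_run(p), argv_run(p), hardened)
    return results


if __name__ == "__main__":
    for label, (vuln, argv, hard) in demo().items():
        print(f"{label}: vulnerable={vuln!r} argv={argv!r} hardened={hard!r}")
```

The `semicolon` case is the one the advisories describe: under `shell=True` the `echo INJECTED` tail runs as a second command, while the argv form prints the whole payload as one literal argument. Embedded firmware usually has no equivalent of argv-only `subprocess.run`, since the CGI calls `system()`, which is why the allowlist on the parameter value is the part of the fix that matters there.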