Lucene search
K

180 matches found

Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.5 views

PT-2026-5829

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from...

8.8CVSS5.7AI score0.00325EPSS
Exploits0References5
OSV
OSV
added 2026/01/21 1:2 a.m.9 views

GHSA-PJ88-9XWW-GXMH Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user

Summary Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server filesystem. Details The @api.post"/dir-browser" endpoint lacks proper path...

5.3CVSS5.9AI score0.00511EPSS
Exploits1References4
EUVD
EUVD
added 2026/01/21 1:2 a.m.5 views

EUVD-2026-3284

Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user...

5.3CVSS5.3AI score0.00511EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/01/21 1:2 a.m.12 views

Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user

Summary Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server filesystem. Details The @api.post"/dir-browser" endpoint lacks proper path...

5.3CVSS5.8AI score0.00511EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/01/21 1:1 a.m.11 views

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality

Summary The SiYuan Note application v3.5.3 contains a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation Details The...

8.3CVSS5.9AI score0.00436EPSS
Exploits1References6Affected Software1
Cvelist
Cvelist
added 2026/01/19 8:52 p.m.21 views

CVE-2026-23877 Directory Traversal & Filesystem can be accessed by a non-admin user

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server...

5.3CVSS0.00511EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/01/19 8:52 p.m.2 views

CVE-2026-23877

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server...

5.3CVSS5.5AI score0.00511EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/01/19 8:52 p.m.29 views

CVE-2026-23877

Swing Music (self-hosted) exposes a directory traversal flaw in the /folder/dir-browser/list_folders pathway. The github-advisory and CVE notes show that the list_folders() function accepts crafted paths and lacks proper authorization, allowing any authenticated user, including non-admins, to bro...

5.3CVSS5.7AI score0.00511EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/01/12 5:15 p.m.11 views

PYSEC-2026-90

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PU...

9.1CVSS5.9AI score0.19213EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2026/01/10 5:41 a.m.20 views

CVE-2025-67810

In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 7254 and further versions...

6.5CVSS6.8AI score0.0033EPSS
Exploits0References1
NVD
NVD
added 2025/12/17 8:15 p.m.6 views

CVE-2025-34442

AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains...

7.5CVSS0.00731EPSS
Exploits2References4
EUVD
EUVD
added 2025/12/17 7:48 p.m.5 views

EUVD-2025-203948

AVideo versions prior to 20.0 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains...

6.9CVSS6.4AI score0.00731EPSS
Exploits2References4
OSV
OSV
added 2025/12/09 2:25 p.m.6 views

GHSA-HXP3-63HC-5366 NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read

Summary A directory traversal vulnerability in NiceGUI's App.addmediafiles allows a remote attacker to read arbitrary files on the server filesystem. Details Hello, I am Seungbin Yang, a university student studying cybersecurity. While reviewing the source code of the repository, I discovered a...

7.5CVSS6.9AI score0.0098EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2025/12/01 9:33 p.m.4 views

CVE-2025-66302 Grav vulnerable to Path Traversal allowing server files backup

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient inp...

6.8CVSS6.3AI score0.0042EPSS
Exploits1References2
OSV
OSV
added 2025/12/01 9:33 p.m.6 views

CVE-2025-66302 Grav vulnerable to Path Traversal allowing server files backup

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient inp...

6.8CVSS6.6AI score0.0042EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2025/11/28 12:0 a.m.5 views

PT-2025-48312

Name of the Vulnerable Software and Affected Versions Kivitendo versions prior to 3.9.2 Description Kivitendo is susceptible to an XML External Entity XXE injection. An attacker can exploit this by uploading an electronic invoice in the ZUGFeRD format, potentially allowing them to read and...

5CVSS7.6AI score0.00286EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2025/10/20 7:54 p.m.9 views

vite allows server.fs.deny bypass via backslash on Windows

Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...

6CVSS7AI score0.01031EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2020-0975

Malware in sbrugna...

7.5CVSS7.6AI score0.02005EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2018-0231

Malware in sbrugna...

7.5CVSS7.6AI score0.02005EPSS
Exploits1References6
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-1939

Malware in sbrugna...

9.8CVSS9.2AI score0.02576EPSS
Exploits0References6
Rows per page
Query Builder