25 matches found

Snyk · added 2026/04/23 2:28 p.m. · 3 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...

CVSS 7.1 · AI score 5.9 · EPSS 0.00016 · Exploits 1 · References 2
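The Snyk entry above describes the classic shape of a browser-mediated write: a victim's browser is made to send a state-changing PUT, and the server trusts it because it carries the victim's cookies. The check below is an added example written for this page, not code from the affected package or from Snyk; the header names, the `X-CSRF-Token` convention and the sample origins are assumptions. It refuses a PUT unless the browser's own `Sec-Fetch-Site` says same-origin (or, for clients that do not send it, the `Origin`/`Referer` matches an allow-list), and then still requires a per-session token compared in constant time.

```python
import hmac
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url: str) -> Optional[str]:
    """Reduce an Origin or Referer value to scheme://host[:port], lower-cased."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method: str, headers: Dict[str, str],
                  allowed_origins: Set[str], session_token: str) -> str:
    """Return "ok" if the request may proceed, otherwise a short rejection reason.

    Defences, applied in order, for methods that change server state:
      1. Sec-Fetch-Site (sent by current browsers) must be "same-origin";
         "same-site", "cross-site" and "none" are all refused for a PUT.
      2. Without that header, Origin (or, failing that, Referer) must match an
         allowed origin exactly; a request carrying neither is refused.
      3. The X-CSRF-Token header (an assumed convention) must equal the
         session token, compared in constant time.
    """
    if method.upper() not in STATE_CHANGING:
        return "ok"
    h = {k.lower(): v for k, v in headers.items()}

    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        if sfs != "same-origin":
            return f"sec-fetch-site={sfs}"
    else:
        src = h.get("origin") or h.get("referer")
        if src is None:
            return "no origin or referer"
        allowed = {o.lower() for o in allowed_origins}
        if origin_of(src) not in allowed:
            return f"origin {src!r} not allowed"

    token = h.get("x-csrf-token", "")
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return "bad csrf token"
    return "ok"


if __name__ == "__main__":
    # Constructed requests: one from an attacker-controlled page, one legitimate.
    ALLOWED = {"https://files.example"}
    attacker = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site",
                "Cookie": "session=victim"}
    legit = {"Origin": "https://files.example", "Sec-Fetch-Site": "same-origin",
             "X-CSRF-Token": "s3cr3t", "Cookie": "session=victim"}
    print("attacker PUT:", check_request("PUT", attacker, ALLOWED, "s3cr3t"))
    print("legit PUT:   ", check_request("PUT", legit, ALLOWED, "s3cr3t"))
```

The origin checks stop a cross-site page from driving the PUT at all; the token stops a same-site sibling host (which passes `same-site`, not `same-origin`, and so is already refused here) or a misconfigured reverse proxy that strips fetch-metadata headers. Keep the token on every state-changing method, not only on PUT, since the same bug class applies to POST and DELETE.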
Tenable Nessus · added 2026/01/29 12:00 a.m. · 4 views

Zimbra Collaboration Server 10.0.x < 10.0.18, 10.1.x < 10.1.13 Local File Inclusion

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influenc...

CVSS 8.8 · AI score 6.1 · EPSS 0.50335 · Exploits 5 · References 5
OSV · added 2026/01/09 12:15 p.m. · 1 view

CVE-2025-66051

Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond the webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for the administration panel is not set by default. The vendor ha...

CVSS 6.5 · AI score 5.7 · EPSS 0.00056 · Exploits 0 · References 1
Cvelist · added 2026/01/09 11:54 a.m. · 19 views

CVE-2025-66051 Path traversal in Vivotek IP7137 cameras

Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond the webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for the administration panel is not set by default. The vendor ha...

CVSS 6.9 · EPSS 0.00051 · Exploits 0 · References 1
CVE · added 2026/01/09 11:54 a.m. · 7 views

CVE-2025-66051

CVE-2025-66051 affects the Vivotek IP7137 camera running firmware 0200a. A path traversal flaw allows an authenticated attacker to access resources outside the webroot via a direct HTTP request. The issue is linked to end-of-life status of the product and there is no expected fix. The vulnerabili...

CVSS 6.9 · AI score 6.4 · EPSS 0.00051 · Exploits 0 · References 1 · Affected Software 1
Positive Technologies · added 2026/01/09 12:00 a.m. · 2 views

PT-2026-1855

Name of the Vulnerable Software and Affected Versions: Vivotek IP7137 camera, versions prior to firmware version 0200a. Description: The Vivotek IP7137 camera is susceptible to a path traversal issue. An authenticated attacker can potentially access resources outside the intended webroot directory by...

CVSS 8.7 · AI score 6.4 · EPSS 0.00056 · Exploits 0 · References 4
CNNVD · added 2026/01/07 12:00 a.m. · 2 views

REDAXO Security Vulnerability

REDAXO is an open-source content management system. A security vulnerability exists in REDAXO versions prior to 5.20.2: a path traversal in the file export function of the Backup add-on could allow a user with backup privileges to read arbitrary files in the webro...

CVSS 8.3 · AI score 6.3 · EPSS 0.00035 · Exploits 3 · References 2
RedhatCVE · added 2025/12/24 9:39 a.m. · 8 views

CVE-2025-14388

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in getExtensionForURL which operates on URL-decoded paths, and appendNormalized...

CVSS 9.8 · AI score 6.4 · EPSS 0.00181 · Exploits 0 · References 1
Vulnrichment · added 2025/12/23 9:20 a.m. · 1 view

CVE-2025-14388 PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in getExtensionForURL which operates on URL-decoded paths, and appendNormalized...

CVSS 9.8 · AI score 6 · EPSS 0.00181 · Exploits 0 · References 6
Veracode · added 2025/12/13 6:16 a.m. · 3 views

Path Traversal

getgrav/grav is vulnerable to path traversal. The vulnerability is due to insufficient input sanitization in the backup tool, which allows an authenticated attacker with administrative privileges to exploit user-supplied paths and access arbitrary files outside the intended webroot directory...

CVSS 6.8 · AI score 6 · EPSS 0.00064 · Exploits 1 · References 3 · Affected Software 1
CVE · added 2025/10/30 9:46 p.m. · 8 views

CVE-2020-36863

CVE-2020-36863 affects Nagios XI versions prior to 5.7.2. The issue is an unrestricted PHP file upload via the Audio Import directory, where the upload handler does not properly restrict file types or store outside the webroot, allowing execution in the upload directory. An authenticated attacker...

CVSS 8.8 · AI score 7.7 · EPSS 0.01651 · Exploits 0 · References 2 · Affected Software 1
EUVD · added 2025/10/07 12:30 a.m. · 2 views

EUVD-2014-5281

Malware in sbrugna...

CVSS 4 · AI score 6.4 · EPSS 0.00391 · Exploits 1 · References 8
EUVD · added 2025/10/03 8:07 p.m. · 5 views

EUVD-2025-17647

Malicious code in bioql PyPI...

CVSS 6.9 · AI score 6.6 · EPSS 0.00307 · Exploits 0 · References 2
CVE · added 2025/06/10 10:07 a.m. · 41 views

CVE-2025-40662

DM Corporative CMS suffers an absolute path disclosure vulnerability: an attacker can view the contents of webroot/file by navigating to a non-existent file. The CVE is documented with CVSS metrics (NVD/3.1: HIGH, base 7.5; CISA/4.0: MEDIUM, base 6.9) and multiple national/international feeds con...

CVSS 7.5 · AI score 6.7 · EPSS 0.00307 · Exploits 0 · References 1 · Affected Software 1
RedhatCVE · added 2025/05/23 3:50 a.m. · 6 views

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...

CVSS 7.2 · AI score 6.9 · EPSS 0.00471 · Exploits 1
OSV · added 2024/05/31 9:15 p.m. · 0 views

UBUNTU-CVE-2024-34005

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include...

CVSS 6.5 · AI score 5.8 · EPSS 0.00445 · Exploits 0 · References 3
Positive Technologies · added 2023/11/09 12:00 a.m. · 2 views

PT-2023-6939 · Moodle +1

Name of the Vulnerable Software and Affected Versions: Moodle (affected versions not specified). Description: The issue is related to a misconfigured shared hosting environment, allowing access to other users' content. A Moodle user with direct access to the web server outside of the Moodle webroot...

CVSS 10 · AI score 6.9 · EPSS 0.01474 · Exploits 0 · References 19
CNNVD · added 2023/11/03 12:00 a.m. · 1 view

Samba Security Vulnerabilities

Samba is the standard Windows interoperability program suite for Linux and Unix. A security vulnerability exists in Samba. An attacker could exploit this vulnerability to access files and directories stored outside of the web root folder...

CVSS 9.8 · AI score 6.7 · EPSS 0.01941 · Exploits 1 · References 9
CNNVD · added 2022/03/15 12:00 a.m. · 6 views

Tiny File Manager Path Traversal Vulnerability

Tiny File Manager is a web-based open source file manager. A path traversal vulnerability in the tinyfilemanager.php file upload function in Tiny File Manager 2.4.1 allows remote attackers to upload malicious PHP files to the webroot using a valid user account and achieve code execution on the...

CVSS 8.8 · AI score 8.5 · EPSS 0.81039 · Exploits 7 · References 12
Cvelist · added 2020/01/27 5:33 p.m. · 13 views

CVE-2013-7390

Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot...

AI score 9.7 · EPSS 0.6678 · Exploits 6 · References 2
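The Nagios XI, Gibbon, Tiny File Manager and ManageEngine entries share one root cause: an upload or template-write lands somewhere the web server will execute it, because the handler trusts the client-supplied name (including any directory part) and checks extensions with a deny-list, if at all. The handler below is an added example written for this page, not code from any of those products; the extension allow-list, the magic-byte table, the code-marker list and the sample files are constructed. It keeps only the basename, allow-lists the extension, confirms the content matches the declared type, scans for server-side code markers, and writes under a random name into a directory the caller places outside the webroot.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional

# Allowed extensions with the leading bytes a genuine file of that type carries
# (assumed table for this demo; extend per deployment).
MAGIC: Dict[str, bytes] = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
# Server-side code markers: a file carrying these is refused even when its
# extension and magic bytes look harmless (polyglot uploads).
CODE_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def client_basename(client_filename: str) -> str:
    """Strip any directory part, whichever separator the client used."""
    return client_filename.replace("\\", "/").rsplit("/", 1)[-1]


def validate_upload(client_filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise a rejection reason."""
    name = client_basename(client_filename)
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:                       # allow-list, never a deny-list
        return f"extension {ext!r} not allowed"
    if not data.startswith(MAGIC[ext]):
        return "content does not match declared type"
    if any(m in data[:65536].lower() for m in CODE_MARKERS):
        return "server-side code marker in content"
    return None


def safe_stored_name(client_filename: str, data: bytes) -> str:
    """Random name carrying the validated extension; the client name is never reused."""
    reason = validate_upload(client_filename, data)
    if reason is not None:
        raise ValueError(reason)
    ext = os.path.splitext(client_basename(client_filename))[1].lower()
    return secrets.token_hex(16) + ext


def store_upload(upload_root: str, client_filename: str, data: bytes) -> str:
    """Write the upload under upload_root and return its path.

    upload_root must live outside the webroot and be served only through an
    application handler that sets Content-Disposition and a fixed Content-Type,
    never by the web server as static content."""
    stored = safe_stored_name(client_filename, data)
    path = os.path.join(upload_root, stored)
    # O_EXCL: never overwrite an existing file; 0o600: not executable,
    # readable by the service account only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def roundtrip(client_filename: str, data: bytes) -> bool:
    """Store into a fresh temp dir and confirm the file landed there unchanged,
    under a name that is not the client's (demo/self-check helper)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    path = store_upload(root, client_filename, data)
    with open(path, "rb") as f:
        same = f.read() == data
    return (same and os.path.dirname(path) == root
            and os.path.basename(path) != client_basename(client_filename))


if __name__ == "__main__":
    # Constructed sample uploads: a valid PNG, a webshell with a traversal name,
    # a JSP, and a PNG/PHP polyglot.
    PNG = MAGIC[".png"] + b"\x00" * 16
    SAMPLES = [
        ("cat.png", PNG),
        ("../../../var/www/html/shell.php", b"<?php system($_GET['c']); ?>"),
        ("AgentLog.jsp", b"<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>"),
        ("poly.png", MAGIC[".png"] + b"<?php echo 1; ?>"),
    ]
    for name, blob in SAMPLES:
        print(f"{name:36} -> {validate_upload(name, blob) or 'accepted'}")
    print("roundtrip ok:", roundtrip("../../cat.png", PNG))
```

The magic-byte and marker checks are a second line of defence, not the primary one: the property that actually prevents code execution is that the stored file has a non-executable extension, a random name, mode 0o600, and a location the web server never maps to a URL. Scanning only the first 64 KiB is a deliberate bound; a marker deeper in the file is harmless once the file cannot be executed.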