Total
8350 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28800 | 1 Natroteam | 1 Natromacro | 2026-03-09 | 6.4 Medium |
| Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives access to any user with the permission to send message in said channel access to do anything on their computer. This includes keyboard and mouse inputs and full file access. This issue has been patched in version 1.1.0. | ||||
| CVE-2026-29059 | 1 Windmill-labs | 1 Windmill | 2026-03-09 | N/A |
| Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3. | ||||
| CVE-2018-25178 | 1 Sourceforge | 1 Easyndexer | 2026-03-09 | 7.5 High |
| Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. Attackers can send POST requests to showtif.php with arbitrary file paths in the file parameter to retrieve system files like configuration and initialization files. | ||||
| CVE-2018-25181 | 1 Musicco | 1 Musicco | 2026-03-09 | 7.5 High |
| Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files. | ||||
| CVE-2018-25184 | 1 Getsurreal | 1 Surreal Todo | 2026-03-09 | 6.2 Medium |
| Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. Attackers can supply directory traversal sequences through the content parameter in index.php to access sensitive system files like configuration and initialization files. | ||||
| CVE-2018-25194 | 1 Arixolab | 1 Nominas | 2026-03-09 | 8.2 High |
| Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can send POST requests to the login/checklogin.php endpoint with crafted UNION-based SQL injection payloads to extract database information including usernames, database names, and version details. | ||||
| CVE-2026-29064 | 1 Zarf-dev | 1 Zarf | 2026-03-09 | 8.2 High |
| Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1. | ||||
| CVE-2026-29790 | 1 Dbt-labs | 1 Dbt-common | 2026-03-09 | N/A |
| dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3. | ||||
| CVE-2026-30828 | 1 Ellite | 1 Wallos | 2026-03-09 | N/A |
| Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2. | ||||
| CVE-2025-14675 | 2 Metabox, Wordpress | 2 Meta Box, Wordpress | 2026-03-09 | 7.2 High |
| The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2026-29185 | 1 Backstage | 1 Backstage | 2026-03-09 | 2.7 Low |
| Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1. | ||||
| CVE-2026-29190 | 1 Aiven | 1 Karapace | 2026-03-09 | 4.1 Medium |
| Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation to perform arbitrary file read on the system where Karapace is running. The issue affects deployments that use the backup/restore functionality and process backups from untrusted sources. The impact depends on the file system permissions of the Karapace process. This issue has been patched in version 6.0.0. | ||||
| CVE-2026-29780 | 1 Govcert-lu | 1 Eml Parser | 2026-03-09 | 5.5 Medium |
| eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1. | ||||
| CVE-2026-29786 | 1 Isaacs | 1 Tar | 2026-03-09 | N/A |
| node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. | ||||
| CVE-2026-30848 | 1 Parse Community | 1 Parse Server | 2026-03-09 | N/A |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8. | ||||
| CVE-2026-3695 | 1 Sourcecodester | 1 Modern Image Gallery App | 2026-03-09 | 6.5 Medium |
| A vulnerability has been found in SourceCodester Modern Image Gallery App 1.0. Impacted is an unknown function of the file /delete.php. Such manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-3719 | 1 Tsinghua Unigroup | 1 Electronic Archives System | 2026-03-09 | 5.3 Medium |
| A vulnerability was identified in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This issue affects some unknown processing of the file /System/Cms/downLoad. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3795 | 1 Doramart | 1 Doracms | 2026-03-09 | 6.3 Medium |
| A security flaw has been discovered in doramart DoraCMS 3.0.x. Impacted is the function createFileBypath of the file /DoraCMS/server/app/router/api/v1.js. Performing a manipulation results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-41758 | 2026-03-09 | 8.8 High | ||
| A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise. | ||||
| CVE-2025-41757 | 2026-03-09 | 8.8 High | ||
| A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevated privileges and does not validate the contents of the backup archive to create or overwrite arbitrary files anywhere on the system. | ||||