Total
8337 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22894 | 2 Qnap, Qnap Systems | 2 File Station, File Station 5 | 2026-02-12 | 6.5 Medium |
| A path traversal vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | ||||
| CVE-2025-69874 | 1 Unjs | 1 Nanotar | 2026-02-12 | 9.8 Critical |
| nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence. | ||||
| CVE-2025-58470 | 2 Qnap, Qnap Systems | 2 Qsync Central, Qsync Central | 2026-02-12 | 6.5 Medium |
| A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | ||||
| CVE-2025-68406 | 2 Qnap, Qnap Systems | 2 Qsync Central, Qsync Central | 2026-02-12 | 6.5 Medium |
| A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | ||||
| CVE-2026-25872 | 1 Albrecht Jung | 1 Jung Smart Panel 5.1 Knx | 2026-02-11 | 5.3 Medium |
| JUNG Smart Panel KNX firmware version L1.12.22 and prior contain an unauthenticated path traversal vulnerability in the embedded web interface. The application fails to properly validate file path input, allowing remote, unauthenticated attackers to access arbitrary files on the underlying filesystem within the context of the web server. This may result in disclosure of system configuration files and other sensitive information. | ||||
| CVE-2025-64075 | 1 Shenzhen Zhibotong Electronics | 1 Zbt We2001 | 2026-02-11 | 10 Critical |
| A path traversal vulnerability in the check_token function of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to bypass authentication and perform administrative actions by supplying a crafted session cookie value. | ||||
| CVE-2025-3722 | 1 Trellix | 1 System Information Reporter | 2026-02-11 | 4.4 Medium |
| A path traversal vulnerability in System Information Reporter (SIR) 1.0.3 and prior allowed an authenticated high privileged user to issue malicious ePO post requests to System Information Reporter, leading to creation of files anywhere on the filesystem and possibly overwriting existing files and exposing sensitive information disclosure. | ||||
| CVE-2025-27022 | 1 Nokia | 2 G42, G42 Firmware | 2026-02-11 | 7.5 High |
| A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack or insufficient validation of user-supplied input allows authenticated users to access all files on the target machine file system that are readable to the user account used to run the httpd service. | ||||
| CVE-2025-63372 | 2 Articentgroup, Microsoft | 2 Zip Rar Extractor Tool, Windows | 2026-02-11 | 4.3 Medium |
| Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | ||||
| CVE-2026-25499 | 1 Bpg | 2 Terraform-provider-proxmox, Terraform Provider | 2026-02-11 | 7.5 High |
| Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. | ||||
| CVE-2026-25539 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-02-11 | 9.1 Critical |
| SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5. | ||||
| CVE-2026-25575 | 2 Tum, Tum-dev | 2 Navigatum, Navigatum | 2026-02-11 | 7.5 High |
| NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7. | ||||
| CVE-2025-69619 | 1 Zipperapp | 2 My Teditor, My Text Editor | 2026-02-11 | 5 Medium |
| A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | ||||
| CVE-2025-69620 | 2 Moo Chan Song, Ntoolslab | 2 Moo Chan Song, Office Reader | 2026-02-11 | 5 Medium |
| A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | ||||
| CVE-2023-6190 | 1 Ikcu | 1 University Information Management System | 2026-02-11 | 9.8 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in İzmir Katip Çelebi University University Information Management System allows Absolute Path Traversal.This issue affects University Information Management System: before 30.11.2023. | ||||
| CVE-2025-22873 | 2 Go Standard Library, Golang | 2 Os, Go | 2026-02-10 | 3.8 Low |
| It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. | ||||
| CVE-2026-22905 | 1 Wago | 2 0852-1322, 0852-1328 | 2026-02-10 | 7.5 High |
| An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads. | ||||
| CVE-2025-69601 | 1 Altumcode | 1 66biolinks | 2026-02-09 | 6.5 Medium |
| A directory traversal (Zip Slip) vulnerability exists in the “Static Sites” feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) file write to unintended locations, or overwriting existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten. | ||||
| CVE-2025-15491 | 1 Wordpress | 1 Wordpress | 2026-02-09 | 5.5 Medium |
| The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks | ||||
| CVE-2026-24897 | 2 Erugo, Erugooss | 2 Erugo, Erugo | 2026-02-09 | 10 Critical |
| Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue. | ||||