Total
8534 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13158 | 1 Ivanti | 1 Endpoint Manager | 2026-02-26 | 7.2 High |
| An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | ||||
| CVE-2024-57727 | 1 Simple-help | 1 Simplehelp | 2026-02-26 | 9.1 Critical |
| SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords. | ||||
| CVE-2025-25254 | 1 Fortinet | 1 Fortiweb | 2026-02-26 | 6.8 Medium |
| An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests. | ||||
| CVE-2025-4632 | 1 Samsung | 1 Magicinfo 9 Server | 2026-02-26 | 9.8 Critical |
| Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority. | ||||
| CVE-2025-23250 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2026-02-26 | 7.6 High |
| NVIDIA NeMo Framework contains a vulnerability where an attacker could cause an improper limitation of a pathname to a restricted directory by an arbitrary file write. A successful exploit of this vulnerability might lead to code execution and data tampering. | ||||
| CVE-2025-2817 | 2 Mozilla, Redhat | 8 Firefox, Thunderbird, Enterprise Linux and 5 more | 2026-02-26 | 8.8 High |
| Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10. | ||||
| CVE-2025-4517 | 2 Python, Redhat | 7 Cpython, Enterprise Linux, Rhel Aus and 4 more | 2026-02-26 | 9.4 Critical |
| Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. | ||||
| CVE-2025-20277 | 1 Cisco | 1 Unified Contact Center Express | 2026-02-26 | 3.4 Low |
| A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper limitation of a pathname to a restricted directory (path traversal). An attacker could exploit this vulnerability by sending a crafted web request to an affected device, followed by a specific command through an SSH session. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. A successful exploit could also allow the attacker to undertake further actions to elevate their privileges to root. | ||||
| CVE-2026-25603 | 1 Linksys | 4 Mr9600, Mr9600 Firmware, Mx4200 and 1 more | 2026-02-26 | 6.6 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600, Linksys MX4200 allows that contents of a USB drive partition can be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the context of a root user.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200. | ||||
| CVE-2025-47176 | 1 Microsoft | 5 365 Apps, Office, Office 2024 and 2 more | 2026-02-26 | 7.8 High |
| '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally. | ||||
| CVE-2025-6265 | 1 Zyxel | 48 Nwa110ax, Nwa110ax Firmware, Nwa1123ac Pro and 45 more | 2026-02-26 | 7.2 High |
| A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device. | ||||
| CVE-2025-4613 | 2 Google, Microsoft | 2 Web Designer, Windows | 2026-02-26 | 8.8 High |
| Path traversal in Google Web Designer's template handling versions prior to 16.3.0.0407 on Windows allows attacker to achieve remote code execution by tricking users into downloading a malicious ad template | ||||
| CVE-2024-38824 | 1 Saltstack | 1 Salt | 2026-02-26 | 9.6 Critical |
| Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. | ||||
| CVE-2025-3594 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2026-02-26 | 9.8 Critical |
| Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter. | ||||
| CVE-2025-6218 | 2 Microsoft, Rarlab | 2 Windows, Winrar | 2026-02-26 | N/A |
| RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198. | ||||
| CVE-2025-54450 | 2 Samsung, Samsung Electronics | 2 Magicinfo 9 Server, Magicinfo 9 Server | 2026-02-26 | 7.2 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | ||||
| CVE-2025-54453 | 2 Samsung, Samsung Electronics | 2 Magicinfo 9 Server, Magicinfo 9 Server | 2026-02-26 | 8.8 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | ||||
| CVE-2025-54446 | 2 Samsung, Samsung Electronics | 2 Magicinfo 9 Server, Magicinfo 9 Server | 2026-02-26 | 9.8 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0 | ||||
| CVE-2025-54443 | 2 Samsung, Samsung Electronics | 2 Magicinfo 9 Server, Magicinfo 9 Server | 2026-02-26 | 9.8 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0 | ||||
| CVE-2025-54438 | 2 Samsung, Samsung Electronics | 2 Magicinfo 9 Server, Magicinfo 9 Server | 2026-02-26 | 9.8 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0 | ||||