CVE & Exploit Intelligence Database

CVE-2026-22860 7.5 HIGH 1 Writeup EPSS 0.00

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

CWE-548 Feb 18, 2026

CVE-2023-38265 5.3 MEDIUM EPSS 0.00

IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.

CWE-548 Feb 17, 2026

CVE-2020-36921 7.5 HIGH EPSS 0.00

RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication.

CWE-548 Jan 06, 2026

CVE-2022-50788 7.5 HIGH EPSS 0.01

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication.

CWE-548 Dec 30, 2025

CVE-2021-47718 7.5 HIGH 1 PoC Analysis EPSS 0.00

OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information.

CWE-548 Dec 09, 2025

CVE-2024-56464 2.7 LOW EPSS 0.00

IBM QRadar SIEM 7.5 - 7.5.0 UP14 IF01 is affected by an information disclosure vulnerability involving exposure of directory information. IBM has addressed this vulnerability in the latest update.

CWE-548 Dec 09, 2025

CVE-2025-13200 5.3 MEDIUM EPSS 0.00

A vulnerability was determined in SourceCodester Farm Management System 1.0. Affected by this vulnerability is an unknown functionality. This manipulation causes exposure of information through directory listing. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

CWE-552 Nov 15, 2025

CVE-2025-62396 5.3 MEDIUM EPSS 0.00

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

CWE-548 Oct 23, 2025

CVE-2025-27906 5.3 MEDIUM EPSS 0.00

IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified.

CWE-548 Oct 14, 2025

CVE-2025-61685 6.5 MEDIUM 1 Writeup EPSS 0.00

Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.

CWE-548 Oct 03, 2025

CVE-2025-28170 7.6 HIGH EPSS 0.00

Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.

CWE-548 Jul 29, 2025

CVE-2025-2827 4.3 MEDIUM EPSS 0.00

IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system.

CWE-548 Jul 08, 2025

CVE-2025-27452 5.3 MEDIUM EPSS 0.00

The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules pose a risk to the webserver which enable dircetory listing.

CWE-548 Jul 03, 2025

CVE-2025-4909 7.3 HIGH EPSS 0.00

A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CWE-552 May 19, 2025

CVE-2025-4807 5.3 MEDIUM EPSS 0.01

A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CWE-552 May 16, 2025

CVE-2025-1138 4.3 MEDIUM EPSS 0.00

IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing.

CWE-548 May 15, 2025

CVE-2025-45320 5.3 MEDIUM 1 Writeup EPSS 0.00

A Directory Listing Vulnerability was found in the /osms/Requester/ directory of the Kashipara Online Service Management Portal V1.0.

CWE-548 May 05, 2025

CVE-2025-23378 3.3 LOW EPSS 0.00

Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.

CWE-548 Apr 10, 2025

CVE-2025-2652 5.3 MEDIUM 1 Writeup EPSS 0.00

A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to exposure of information through directory listing. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.

CWE-552 Mar 23, 2025

CVE-2025-2651 5.3 MEDIUM 1 Writeup EPSS 0.00

A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.

CWE-552 Mar 23, 2025