Metasploit Exploits

3,295 exploits tracked across all sources.

CVE-2025-2292 METASPLOIT MEDIUM ruby
Xorcom CompletePBX <= 5.2.35 - Authenticated Path Traversal via Backup and Restore Functionality
Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35.
by Valentin Lobstein
CVSS 6.5
CVE-2014-125125 METASPLOIT HIGH ruby
A10 Networks AX Loadbalancer <2.7.0 - Path Traversal
A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.
by xistence
CVE-2009-1535 METASPLOIT ruby
Internet Information Services 5.1 and 6.0 - Authentication Bypass via Unicode %c0%af URI Obfuscation
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
by aushack
CVE-2024-48766 METASPLOIT HIGH ruby
NetAlertX 24.7.18-24.10.12 - Unauthenticated Path Traversal and Arbitrary File Read via logs.php
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php.
by chebuya, msutovsky-r7
CVSS 8.6
CVE-2010-0219 METASPLOIT ruby
Apache Axis2 - Remote Code Execution via Default Admin Credentials
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
CVE-2014-8586 METASPLOIT ruby
CP Multi View Event Calendar 1.01 - SQL Injection via calid Parameter
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter.
by Joaquin Ramirez Martinez, bperry
CVE-2012-2926 METASPLOIT CRITICAL ruby
Atlassian Bamboo < 3.3.4 - XML External Entity Injection
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
by Will Caput, Trevor Hartman, Thaddeus Bogner, juan vazquez
CVSS 9.1
CVE-2018-14912 METASPLOIT HIGH ruby
cgit < 1.2.1 - Path Traversal via git/objects/?path=../ Request
cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
by Google Project Zero, Dhiraj Mishra
CVSS 7.5
CVE-2015-5531 METASPLOIT ruby
Elasticsearch <1.6.1 - Path Traversal
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
by Benjamin Smith
CVE-2021-27065 METASPLOIT HIGH ruby
Microsoft Exchange Server - Remote Code Execution via ProxyLogon
Microsoft Exchange Server Remote Code Execution Vulnerability
by Orange Tsai, mekhalleh (RAMELLA Sébastien)
CVSS 7.8
CVE-2025-47608 METASPLOIT CRITICAL ruby
sonalsinha21 Recover abandoned cart for WooCommerce <2.5 - SQL Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce recover-wc-abandoned-cart allows SQL Injection. This issue affects Recover abandoned cart for WooCommerce: from n/a through <= 2.5.
by h00die, WPDeeply
CVSS 9.3
CVE-2019-20361 METASPLOIT CRITICAL ruby
Email Subscribers & Newsletters < 4.3.1 - SQL Injection via Hash Parameter
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).
by h00die, red0xff, Wordfence
CVSS 9.8
CVE-2002-1864 METASPLOIT ruby
sws_simple_web_server 0.0.4-0.1.0 - Unauthenticated Directory Traversal via Dot-Dot Sequence
Directory traversal vulnerability in Simple Web Server (SWS) 0.0.4 through 0.1.0 allows remote attackers to read arbitrary files via a ".." (dot dot) in an HTTP request.
by CwG GeNiuS, sinn3r
CVE-2005-3498 METASPLOIT ruby
IBM WebSphere Application Server 5.0.x < 5.02.15 - Exposure of Sensitive Information via Session Trace Logs
IBM WebSphere Application Server 5.0.x before 5.02.15, 5.1.x before 5.1.1.8, and 6.x before fixpack V6.0.2.5, when session trace is enabled, records a full URL including the queryString in the trace logs when an application encodes a URL, which could allow attackers to obtain sensitive information.
by CG
CVE-2019-8903 METASPLOIT HIGH ruby
Total.js prior to 3.2.4 Directory Traversal
index.js in Total.js Platform before 3.2.3 allows path traversal.
by Riccardo Krauter, Fabio Cogno
CVSS 7.5
CVE-2017-1001000 METASPLOIT HIGH ruby
WordPress 4.7.x < 4.7.2 - Unauthenticated Arbitrary Page Modification via REST API Endpoint
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
by Marc Montpas, wvu
CVSS 7.5
CVE-2014-8270 METASPLOIT ruby
BMC Track-It! 11.3 - Privilege Escalation via Account Name Collision
BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset.
by bperry, jhart
CVE-2013-4826 METASPLOIT ruby
HP Intelligent Management Center Exposure of Sensitive Information
Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-1647.
CVE-2021-22145 METASPLOIT MEDIUM ruby
Elasticsearch 7.10.0-7.13.3 - Memory Disclosure via Malformed Query Error Message
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
by h00die, Eric Howard, R0NY
CVSS 6.5
CVE-2014-9222 METASPLOIT ruby
Allegro Software RomPager
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
CVE-2010-2263 METASPLOIT ruby
nginx 0.7.52-0.7.65 and 0.8-0.8.39 on Windows - Unauthenticated Arbitrary File Read via ::$DATA URI Suffix
nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on Windows, allows remote attackers to obtain source code or unparsed content of arbitrary files under the web document root by appending ::$DATA to the URI.
CVE-2017-5146 METASPLOIT HIGH ruby
Carlo Gavazzi VMU-C <A11_U05/A17 - Info Disclosure
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Sensitive information is stored in clear-text.
CVSS 7.5
CVE-2019-19781 METASPLOIT CRITICAL ruby
Citrix ADC (NetScaler) Directory Traversal Scanner
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
by Mikhail Klyuchnikov, Erik Wynter, altonjx
CVSS 9.8
CVE-2019-0724 METASPLOIT HIGH ruby
Microsoft Exchange Privilege Escalation Exploit
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0686.
by _dirkjan, Petros Koutroumpis
CVSS 8.1
CVE-2015-10134 METASPLOIT HIGH ruby
Simple Backup <2.7.10 - Arbitrary File Download
The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10 via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.
by Mahdi.Hidden
CVSS 7.5