CVEs classified under CWE-29, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (45)
CVE-2025-15036 — CVSS 10.0 (critical): A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file…
CVE-2024-2083 — CVSS 9.9 (critical): A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can…
CVE-2024-6396 — CVSS 9.8 (critical): A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host…
CVE-2024-5443 — CVSS 9.8 (critical): CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()`…
CVE-2024-2358 — CVSS 9.8 (critical): A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The…
CVE-2023-6975 — CVSS 9.8 (critical): A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
CVE-2024-2356 — CVSS 9.6 (critical): A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application…
CVE-2024-2361 — CVSS 9.6 (critical): A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied…
CVE-2024-8537 — CVSS 9.1 (critical): A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the…
CVE-2024-7957 — CVSS 9.1 (critical): An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The…
CVE-2024-5926 — CVSS 9.1 (critical): A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the…
CVE-2026-24217 — CVSS 8.8 (high): NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause a path traversal by loading a malicious file. A successful…
CVE-2024-12389 — CVSS 8.8 (high): A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of…
CVE-2024-11170 — CVSS 8.8 (high): A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the…
CVE-2023-6130 — CVSS 8.8 (high): Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2024-21542 — CVSS 8.6 (high): Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper…
CVE-2024-34470 — CVSS 8.6 (high): An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the…
CVE-2024-3435 — CVSS 8.4 (high): A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to…
CVE-2024-10648 — CVSS 8.2 (high): A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability…
CVE-2025-66608 — CVSS 7.5 (high): A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate URLs. An…
CVE-2025-6209 — CVSS 7.5 (high): A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image`…
CVE-2024-8859 — CVSS 7.5 (high): A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL…
CVE-2024-6394 — CVSS 7.5 (high): A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path…
CVE-2024-2178 — CVSS 7.5 (high): A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the…
CVE-2024-4322 — CVSS 7.5 (high): A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By…
CVE-2024-1561 — CVSS 7.5 (high): An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a…
CVE-2025-12790 — CVSS 7.4 (high): A flaw was found in Rubygem MQTT. By default, the package used to not have hostname validation, resulting in possible Man-in-the-Middle…
CVE-2024-6139 — CVSS 7.3 (high): A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker…
CVE-2026-5627 — CVSS 7.2 (high): A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component…
CVE-2024-8248 — CVSS 7.2 (high): A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to…
CVE-2024-7033 — CVSS 7.2 (high): In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on…
CVE-2024-5211 — CVSS 7.2 (high): A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend…
CVE-2025-50184: DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw…
CVE-2025-50185: DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient…
CVE-2026-10732 — CVSS 6.4 (medium): All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP…
CVE-2024-8982 — CVSS 6.2 (medium): A Local File Inclusion (LFI) vulnerability in OpenLLM version 0.6.10 allows attackers to include files from the local server through the…
CVE-2025-58291 — CVSS 3.3 (low): Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability.
CVE-2024-4841 — CVSS 3.3 (low): A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to…