CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-38RQ-QMC9-CQ4F
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2024-56462"
],
"database_specific": {
"cwe_ids": [
"CWE-530",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:16:41Z",
"severity": "HIGH"
},
"details": "IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system.",
"id": "GHSA-38rq-qmc9-cq4f",
"modified": "2026-05-27T15:33:10Z",
"published": "2026-05-27T15:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56462"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7273957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-395W-QHQR-9FR6
Vulnerability from github – Published: 2021-01-06 20:01 – Updated: 2025-10-22 17:58A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.flink:flink-runtime_2.11"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.flink:flink-runtime_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-17519"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-06T20:01:15Z",
"nvd_published_at": "2021-01-05T12:15:00Z",
"severity": "HIGH"
},
"details": "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.",
"id": "GHSA-395w-qhqr-9fr6",
"modified": "2025-10-22T17:58:28Z",
"published": "2021-01-06T20:01:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17519"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17519"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/flink"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/01/05/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H",
"type": "CVSS_V3"
}
],
"summary": "Path Traversal in Apache Flink"
}
GHSA-39XW-9QH5-7XJ4
Vulnerability from github – Published: 2026-03-12 21:34 – Updated: 2026-03-16 15:30Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.
{
"affected": [],
"aliases": [
"CVE-2025-66955"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-12T19:16:15Z",
"severity": "MODERATE"
},
"details": "Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via \"path\" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.",
"id": "GHSA-39xw-9qh5-7xj4",
"modified": "2026-03-16T15:30:34Z",
"published": "2026-03-12T21:34:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66955"
},
{
"type": "WEB",
"url": "https://github.com/TheWoodenBench/CVE-2025-66955"
},
{
"type": "WEB",
"url": "https://live.asee.io"
},
{
"type": "WEB",
"url": "http://asseco.com"
},
{
"type": "WEB",
"url": "http://live.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3CP8-799V-MWXM
Vulnerability from github – Published: 2026-05-29 21:31 – Updated: 2026-05-29 21:31The administrator account for the
Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
{
"affected": [],
"aliases": [
"CVE-2026-40425"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T19:16:23Z",
"severity": "MODERATE"
},
"details": "The administrator account for the\n\nDanelec MacGregor Voyage Data Recorder\nweb interface can directly edit sensitive files related to authentication, potentially changing the root password.",
"id": "GHSA-3cp8-799v-mwxm",
"modified": "2026-05-29T21:31:21Z",
"published": "2026-05-29T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40425"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01"
},
{
"type": "WEB",
"url": "https://www.danelec.com/contact"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3GXQ-M6PM-Q3FJ
Vulnerability from github – Published: 2025-02-03 21:31 – Updated: 2025-02-04 21:32ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder.
{
"affected": [],
"aliases": [
"CVE-2024-57452"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T20:15:34Z",
"severity": "HIGH"
},
"details": "ChestnutCMS \u003c=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder.",
"id": "GHSA-3gxq-m6pm-q3fj",
"modified": "2025-02-04T21:32:28Z",
"published": "2025-02-03T21:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57452"
},
{
"type": "WEB",
"url": "https://locrian-lightning-dc7.notion.site/File-Delete-1628e5e2b1a280cfb497de7b8bcff128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3P9P-59QF-MQWH
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2023-07-06 23:27Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0.The user in InLong could cancel an application that doesn't belong to it. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve it.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:manager-workflow"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31064"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T23:27:00Z",
"nvd_published_at": "2023-05-22T16:15:09Z",
"severity": "HIGH"
},
"details": "Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0.The user in InLong could cancel an\u00a0application that doesn\u0027t belong to it.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve it.\n\n\n",
"id": "GHSA-3p9p-59qf-mqwh",
"modified": "2023-07-06T23:27:00Z",
"published": "2023-07-06T21:14:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31064"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/pull/7799"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/inlong"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/1osd2k3t3qol2wdsswqtr9gxdkf78n00"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache InLong has Files or Directories Accessible to External Parties"
}
GHSA-3PCR-4982-548M
Vulnerability from github – Published: 2021-04-13 15:13 – Updated: 2026-06-08 23:14Impact
The .env and other sensitive files can be leaked if the project root and not /public is configured as the web root.
Patches
We recommend to update to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
Workarounds
You should always use /public as the web root.
For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.3.5.2"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/production"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.3.5.2"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/shopware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-12T22:33:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe .env and other sensitive files can be leaked if the project root and not `/public` is configured as the web root.\n\n### Patches\nWe recommend to update to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\n\nYou should always use `/public` as the web root.\n\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021",
"id": "GHSA-3pcr-4982-548m",
"modified": "2026-06-08T23:14:50Z",
"published": "2021-04-13T15:13:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/platform/security/advisories/GHSA-3pcr-4982-548m"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-3pcr-4982-548m"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Exposure of .env if project root is configured as web root in shopware/production"
}
GHSA-3W4V-RVC4-2XPW
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 21:12ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "15.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3856"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-02T21:12:52Z",
"nvd_published_at": "2022-08-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.",
"id": "GHSA-3w4v-rvc4-2xpw",
"modified": "2022-09-02T21:12:52Z",
"published": "2022-08-27T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3856"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/8588"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3856"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/KEYCLOAK-19422"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak has Files or Directories Accessible to External Parties"
}
GHSA-3XQ5-WVJC-3JPX
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-42063"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:46Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-3xq5-wvjc-3jpx",
"modified": "2026-05-13T18:30:56Z",
"published": "2026-05-13T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42063"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000160973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-42H6-4VVM-4F49
Vulnerability from github – Published: 2025-02-07 18:31 – Updated: 2025-02-10 18:30Local File Inclusion vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive information via the file download functionality.
{
"affected": [],
"aliases": [
"CVE-2024-55214"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-07T16:15:37Z",
"severity": "HIGH"
},
"details": "Local File Inclusion vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive information via the file download functionality.",
"id": "GHSA-42h6-4vvm-4f49",
"modified": "2025-02-10T18:30:46Z",
"published": "2025-02-07T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55214"
},
{
"type": "WEB",
"url": "https://dhtmlx.com"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/189018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.