CWE-548
Exposure of Information Through Directory Listing
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
CVE-2025-27452 (GCVE-0-2025-27452)
Vulnerability from cvelistv5 – Published: 2025-07-03 11:29 – Updated: 2025-07-03 13:16
VLAI
Title
CVE-2025-27452
Summary
The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules
pose a risk to the webserver which enable dircetory listing.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://www.endress.com | x_Endress+Hauser |
| https://sick.com/psirt | x_SICK PSIRT Security Advisories |
| https://www.cisa.gov/resources-tools/resources/ic… | x_ICS-CERT recommended practices on Industrial Security |
| https://www.first.org/cvss/calculator/3.1 | x_CVSS v3.1 Calculator |
| https://www.sick.com/.well-known/csaf/white/2025/… | x_The canonical URL. |
| https://sick.com/psirt | vendor-advisory |
| https://www.sick.com/.well-known/csaf/white/2025/… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Endress+Hauser | Endress+Hauser MEAC300-FNADE4 |
Affected:
0 , ≤ <=0.16.0
(custom)
|
|
| Endress+Hauser | Endress+Hauser MEAC300-FNADE4 |
Unaffected:
>=0.17.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-03T13:05:15.511084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T13:16:16.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Endress+Hauser MEAC300-FNADE4",
"vendor": "Endress+Hauser",
"versions": [
{
"lessThanOrEqual": "\u003c=0.16.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Endress+Hauser MEAC300-FNADE4",
"vendor": "Endress+Hauser",
"versions": [
{
"status": "unaffected",
"version": "\u003e=0.17.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules \u003c/p\u003e\u003cp\u003epose a risk to the webserver which enable dircetory listing. \u003c/p\u003e"
}
],
"value": "The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules \n\npose a risk to the webserver which enable dircetory listing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T11:29:04.003Z",
"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"shortName": "SICK AG"
},
"references": [
{
"tags": [
"x_Endress+Hauser"
],
"url": "https://www.endress.com"
},
{
"tags": [
"x_SICK PSIRT Security Advisories"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"x_ICS-CERT recommended practices on Industrial Security"
],
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"tags": [
"x_CVSS v3.1 Calculator"
],
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"tags": [
"x_The canonical URL."
],
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCustomers are strongly advised to update to the newest version.\u003c/p\u003e"
}
],
"value": "Customers are strongly advised to update to the newest version."
}
],
"source": {
"advisory": "SCA-2025-0008",
"discovery": "INTERNAL"
},
"title": "CVE-2025-27452",
"x_generator": {
"engine": "csaf2cve 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"assignerShortName": "SICK AG",
"cveId": "CVE-2025-27452",
"datePublished": "2025-07-03T11:29:04.003Z",
"dateReserved": "2025-02-26T08:39:58.980Z",
"dateUpdated": "2025-07-03T13:16:16.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27906 (GCVE-0-2025-27906)
Vulnerability from cvelistv5 – Published: 2025-10-14 14:08 – Updated: 2025-10-14 19:09
VLAI
Title
IBM Content Navigator information disclosure
Summary
IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7247854 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Content Navigator |
Affected:
3.0.11
Affected: 3.0.15 Affected: 3.1.0 Affected: 3.2.0 cpe:2.3:a:ibm:content_navigator:3.0.11:*:*:*:*:*:*:* cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:* cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T19:09:46.865547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T19:09:55.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:content_navigator:3.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:content_navigator:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:content_navigator:3.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Content Navigator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "3.0.11"
},
{
"status": "affected",
"version": "3.0.15"
},
{
"status": "affected",
"version": "3.1.0"
},
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified."
}
],
"value": "IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:08:42.994Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7247854"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch2\u003eRemediation/Fixes\u003c/h2\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eVersion(s)\u003c/td\u003e\u003ctd\u003eFix\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Content Navigator\u003c/td\u003e\u003ctd\u003e3.0.11\u003c/td\u003e\u003ctd\u003eICN 3.0.11-IF021\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Content Navigator\u003c/td\u003e\u003ctd\u003e3.0.15\u003c/td\u003e\u003ctd\u003eICN 3.0.15-IF007\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Content Navigator\u003c/td\u003e\u003ctd\u003e3.1.0\u003c/td\u003e\u003ctd\u003eICN 3.1.0-IF6\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Content Navigator\u003c/td\u003e\u003ctd\u003e3.2.0\u003c/td\u003e\u003ctd\u003eICN 3.2.0-IF1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
}
],
"value": "Remediation/Fixes\n\nAffected Product(s)Version(s)FixIBM Content Navigator3.0.11ICN 3.0.11-IF021IBM Content Navigator3.0.15ICN 3.0.15-IF007IBM Content Navigator3.1.0ICN 3.1.0-IF6IBM Content Navigator3.2.0ICN 3.2.0-IF1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Content Navigator information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-27906",
"datePublished": "2025-10-14T14:08:42.994Z",
"dateReserved": "2025-03-10T17:14:11.135Z",
"dateUpdated": "2025-10-14T19:09:55.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2827 (GCVE-0-2025-2827)
Vulnerability from cvelistv5 – Published: 2025-07-08 15:01 – Updated: 2025-08-24 11:22
VLAI
Title
IBM Sterling File Gateway information disclosure
Summary
IBM Sterling File Gateway
6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4
could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system.
Severity
4.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7239094 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Sterling File Gateway |
Affected:
6.0.0.0 , ≤ 6.1.2.6
(semver)
Affected: 6.2.0.0 , ≤ 6.2.0.4 (semver) cpe:2.3:a:ibm:sterling_file_gateway:6.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_file_gateway:6.1.2.6:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_file_gateway:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_file_gateway:6.2.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T20:43:11.022036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T20:43:18.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_file_gateway:6.0.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_file_gateway:6.1.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_file_gateway:6.2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_file_gateway:6.2.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling File Gateway",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.1.2.6",
"status": "affected",
"version": "6.0.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.0.4",
"status": "affected",
"version": "6.2.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling File Gateway \n\n6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Sterling File Gateway \n\n6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4\n\n\n\n\n\ncould disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-24T11:22:04.961Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7239094"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling File Gateway 6.0.0.0 - 6.1.2.6 IT47924 Apply B2Bi 6.1.2.7_1. 6.2.0.5 or 6.2.1.0\u003cbr\u003eIBM Sterling File Gateway 6.2.0.0 - 6.2.0.4 IT47924 Apply B2Bi 6.2.0.5 or 6.2.1.0\u003cbr\u003e"
}
],
"value": "IBM Sterling File Gateway 6.0.0.0 - 6.1.2.6 IT47924 Apply B2Bi 6.1.2.7_1. 6.2.0.5 or 6.2.1.0\nIBM Sterling File Gateway 6.2.0.0 - 6.2.0.4 IT47924 Apply B2Bi 6.2.0.5 or 6.2.1.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling File Gateway information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-2827",
"datePublished": "2025-07-08T15:01:52.545Z",
"dateReserved": "2025-03-26T16:16:44.836Z",
"dateUpdated": "2025-08-24T11:22:04.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32750 (GCVE-0-2025-32750)
Vulnerability from cvelistv5 – Published: 2026-05-20 14:30 – Updated: 2026-05-20 15:34
VLAI
Summary
Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
Severity
7.5 (High)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00039156… | vendor-advisory |
| https://www.dell.com/support/kbdoc/en-us/00039139… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerFlex Manager (Appliance) |
Affected:
0 , < IC 48.378.00
(semver)
Affected: 0 , < IC 48.383.00 (semver) |
|
| Dell | PowerFlex Manager (Rack) |
Affected:
0 , < 3.7.8.0
(semver)
Affected: 0 , < 3.8.3.0 (semver) |
|
| Dell | PowerFlex Manager |
Affected:
0 , ≤ 4.6.2
(semver)
|
Date Public
2025-11-12 18:30
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:34:02.843562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:34:20.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerFlex Manager (Appliance)",
"vendor": "Dell",
"versions": [
{
"lessThan": "IC 48.378.00",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "IC 48.383.00",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerFlex Manager (Rack)",
"vendor": "Dell",
"versions": [
{
"lessThan": "3.7.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "3.8.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerFlex Manager",
"vendor": "Dell",
"versions": [
{
"lessThanOrEqual": "4.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-12T18:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerFlex Manager, version(s) \u0026lt;=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure."
}
],
"value": "Dell PowerFlex Manager, version(s) \u003c=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548: Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:30:23.869Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-32750",
"datePublished": "2026-05-20T14:30:23.869Z",
"dateReserved": "2025-04-10T05:03:51.740Z",
"dateUpdated": "2026-05-20T15:34:20.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4807 (GCVE-0-2025-4807)
Vulnerability from cvelistv5 – Published: 2025-05-16 19:31 – Updated: 2025-05-17 02:35
VLAI
Title
SourceCodester Online Student Clearance System exposure of information through directory listing
Summary
A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity
5.3 (Medium)
5.3 (Medium)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.309261 | vdb-entry |
| https://vuldb.com/?ctiid.309261 | signaturepermissions-required |
| https://vuldb.com/?submit.572238 | third-party-advisory |
| https://github.com/laifeng-boy/cve/issues/2 | exploitissue-tracking |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Online Student Clearance System |
Affected:
1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4807",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-17T02:34:35.365348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T02:35:32.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Online Student Clearance System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "laifeng-boy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in SourceCodester Online Student Clearance System 1.0 gefunden. Hiervon betroffen ist ein unbekannter Codeblock. Durch das Manipulieren mit unbekannten Daten kann eine exposure of information through directory listing-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "Files or Directories Accessible",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T19:31:05.433Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-309261 | SourceCodester Online Student Clearance System exposure of information through directory listing",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.309261"
},
{
"name": "VDB-309261 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.309261"
},
{
"name": "Submit #572238 | SourceCodester Online Student Clearance System v1.0 Directory traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.572238"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/laifeng-boy/cve/issues/2"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-16T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-16T09:12:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Online Student Clearance System exposure of information through directory listing"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4807",
"datePublished": "2025-05-16T19:31:05.433Z",
"dateReserved": "2025-05-16T07:07:09.591Z",
"dateUpdated": "2025-05-17T02:35:32.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4909 (GCVE-0-2025-4909)
Vulnerability from cvelistv5 – Published: 2025-05-19 03:31 – Updated: 2025-05-19 13:47
VLAI
Title
SourceCodester Client Database Management System exposure of information through directory listing
Summary
A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.309466 | vdb-entry |
| https://vuldb.com/?ctiid.309466 | signaturepermissions-required |
| https://vuldb.com/?submit.578723 | third-party-advisory |
| https://github.com/dengxun628/cve/issues/3 | exploitissue-tracking |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Client Database Management System |
Affected:
1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4909",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T13:47:22.893085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T13:47:28.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dengxun628/cve/issues/3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Client Database Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xxhacker (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In SourceCodester Client Database Management System 1.0 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Das betrifft eine unbekannte Funktionalit\u00e4t. Durch die Manipulation mit unbekannten Daten kann eine exposure of information through directory listing-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "Files or Directories Accessible",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T03:31:04.997Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-309466 | SourceCodester Client Database Management System exposure of information through directory listing",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.309466"
},
{
"name": "VDB-309466 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.309466"
},
{
"name": "Submit #578723 | sourcecodester Client Database Management System v1.0 Directory traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.578723"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/dengxun628/cve/issues/3"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-17T16:45:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Client Database Management System exposure of information through directory listing"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4909",
"datePublished": "2025-05-19T03:31:04.997Z",
"dateReserved": "2025-05-17T14:40:36.104Z",
"dateUpdated": "2025-05-19T13:47:28.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61685 (GCVE-0-2025-61685)
Vulnerability from cvelistv5 – Published: 2025-10-03 22:37 – Updated: 2025-10-06 15:52
VLAI
Title
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
Summary
Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.
Severity
6.5 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastra-ai/mastra/security/advi… | x_refsource_CONFIRM |
| https://github.com/mastra-ai/mastra/commit/7f2b52… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T15:51:52.343087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T15:52:03.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastra",
"vendor": "mastra-ai",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.13.8, \u003c 0.13.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user\u0027s filesystem, including the user\u0027s home directory, exposing sensitive information about the file system\u0027s structure. This issue is fixed in version 0.13.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548: Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T22:37:09.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastra-ai/mastra/security/advisories/GHSA-xh92-rqrq-227v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastra-ai/mastra/security/advisories/GHSA-xh92-rqrq-227v"
},
{
"name": "https://github.com/mastra-ai/mastra/commit/7f2b528ba82db512d68832d2f8ad6cbc8bb46cd4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastra-ai/mastra/commit/7f2b528ba82db512d68832d2f8ad6cbc8bb46cd4"
}
],
"source": {
"advisory": "GHSA-xh92-rqrq-227v",
"discovery": "UNKNOWN"
},
"title": "Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61685",
"datePublished": "2025-10-03T22:37:09.027Z",
"dateReserved": "2025-09-29T20:25:16.182Z",
"dateUpdated": "2025-10-06T15:52:03.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62396 (GCVE-0-2025-62396)
Vulnerability from cvelistv5 – Published: 2025-10-23 11:28 – Updated: 2025-10-23 14:13
VLAI
Title
Moodle: router (r.php) could expose application directories
Summary
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2025-62396 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2404429 | issue-trackingx_refsource_REDHAT |
Impacted products
Date Public
2025-10-14 04:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T14:12:55.991738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T14:13:02.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.moodle.org",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "5.0.3",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThan": "4.5.7",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Yedidia Klein for reporting this issue."
}
],
"datePublic": "2025-10-14T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T11:28:31.054Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-62396"
},
{
"name": "RHBZ#2404429",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404429"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-16T14:25:44.556Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-10-14T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: router (r.php) could expose application directories",
"x_redhatCweChain": "CWE-548: Exposure of Information Through Directory Listing"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2025-62396",
"datePublished": "2025-10-23T11:28:31.054Z",
"dateReserved": "2025-10-13T10:12:30.925Z",
"dateUpdated": "2025-10-23T14:13:02.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-22860 (GCVE-0-2026-22860)
Vulnerability from cvelistv5 – Published: 2026-02-18 18:45 – Updated: 2026-02-18 19:28
VLAI
Title
Rack has a Directory Traversal via Rack:Directory
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Severity
7.5 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rack/rack/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/rack/rack/commit/75c5745c28663… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T19:27:31.243687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T19:28:38.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.22"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548: Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T18:45:02.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh"
},
{
"name": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7"
}
],
"source": {
"advisory": "GHSA-mxw3-3hh2-x2mh",
"discovery": "UNKNOWN"
},
"title": "Rack has a Directory Traversal via Rack:Directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22860",
"datePublished": "2026-02-18T18:45:02.095Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-02-18T19:28:38.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41933 (GCVE-0-2026-41933)
Vulnerability from cvelistv5 – Published: 2026-05-14 14:23 – Updated: 2026-05-14 15:59 X_Open Source
VLAI
Title
Vvveb < 1.0.8.3 Directory Listing Information Disclosure
Summary
Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.3 | release-notes |
| https://github.com/givanz/Vvveb/commit/96ae04c5e4… | patch |
| https://www.vulncheck.com/advisories/vvveb-direct… | third-party-advisory |
Impacted products
Date Public
2026-05-13 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:58:49.831049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:58:59.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "96ae04c5e4a295e281adc1d02d77444173653deb",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:59:01.429Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/96ae04c5e4a295e281adc1d02d77444173653deb"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-directory-listing-information-disclosure"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.3 Directory Listing Information Disclosure",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41933",
"datePublished": "2026-05-14T14:23:59.237Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-14T15:59:01.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Architecture and Design, System Configuration
Description:
- Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.
No CAPEC attack patterns related to this CWE.