Top File Reading reports from HackerOne:
- HTML-injection in PDF-export leads to LFI to Visma Public - 330 upvotes, $500
- Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion to Evernote - 246 upvotes, $0
- Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data to Starbucks - 227 upvotes, $0
- Keybase client (Windows 10): Write files anywhere in userland using relative path in "download attachement" feature to Keybase - 196 upvotes, $5000
- Worker container escape lead to arbitrary file reading in host machine [again] to Semmle - 175 upvotes, $2000
- Path traversal in filename in LINE Mac client to LY Corporation - 168 upvotes, $0
- Path traversal, SSTI and RCE on a MailRu acquisition to Mail.ru - 152 upvotes, $2000
- XSS Reflected on reddit.com via url path to Reddit - 144 upvotes, $0
- Path traversal, to RCE to GitLab - 136 upvotes, $12000
- Directory Traversal in uftpd 2.6-2.10 to ██████ - 136 upvotes, $0
- [portswigger.net] Path Traversal al /cms/audioitems to PortSwigger Web Security - 126 upvotes, $0
- Unauthenticated LFI revealing log information to Slack - 119 upvotes, $0
- Wordpress unzip_file path traversal to WordPress - 114 upvotes, $0
- Worker container escape lead to arbitrary file reading in host machine to Semmle - 110 upvotes, $2000
- Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read to Aiven Ltd - 103 upvotes, $1000
- Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 to Internet Bug Bounty - 93 upvotes, $4000
- Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability to Vanilla - 84 upvotes, $900
- Path traversal in Nuget Package Registry to GitLab - 83 upvotes, $12000
- Cache Poisoning via uppercase letters in invalid path to InnoGames - 82 upvotes, $550
- File writing by Directory traversal at actionpack-page_caching and RCE by it to Ruby on Rails - 79 upvotes, $1000
- Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/ to Starbucks - 78 upvotes, $0
- SSRF and LFI in site-audit tool to Semrush - 77 upvotes, $0
- Path traversal lead to LFR via [CVE-2019-3394] to Mail.ru - 74 upvotes, $0
- Any one can view collaborater email address via path /reports/<id>/participants to HackerOne - 73 upvotes, $0
- LFI and SSRF via XXE in emblem editor to Rockstar Games - 72 upvotes, $1500
- Grafana LFI on https://grafana.mariadb.org to MariaDB - 70 upvotes, $0
- LFI to steal /etc/passwd - Bypass filter in the <meta property="og:image"> tag via redirect and much more to BugPoC - 69 upvotes, $100
- Lynxview JS interfaces Takeover via deeplink traversal to TikTok - 67 upvotes, $0
- Authenticated path traversal to Stored XSS and Denial-of-Service to phpBB - 66 upvotes, $0
- Unquoted Service Path in "Rockstar Game Library Service" to Rockstar Games - 60 upvotes, $0
- [Source Engine] Material path truncation leads to Remote Code Execution to Valve - 59 upvotes, $2500
- Path Traversal in dict-fs and no-check Escape Character in oauth2-jwt to Open-Xchange - 57 upvotes, $982
- Privilege Escalation by abusing non-existent path. (Windows) to PortSwigger Web Security - 57 upvotes, $0
- Path Traversal in the iOS app to VK.com - 55 upvotes, $0
- Path traversal in Tempfile on windows OS due to unsanitized backslashes to Ruby - 53 upvotes, $500
- LFI with potential to RCE on ██████ using CVE-2019-3396 to U.S. Dept Of Defense - 53 upvotes, $0
- Uncontrolled Search Path Element allows DLL hijacking for priv esc to SYSTEM to GlassWire - 50 upvotes, $250
- Directory Traversal + HTTP Paramater Pollution leaking SQL/LDAP credentials to Soleo - 48 upvotes, $0
- Limited LFI to GSA Bounty - 47 upvotes, $300
- full path disclosure on www.rockstargames.com via apache filename brute forcing to Rockstar Games - 47 upvotes, $0
- LFI through the MySQL connection to Infogram - 47 upvotes, $0
- [Android] Directory traversal leading to disclosure of auth tokens to Slack - 46 upvotes, $3500
- Local File Inclusion vulnerability on an Army system allows downloading local files to U.S. Dept Of Defense - 45 upvotes, $0
- Path traversal through path stored in Uint8Array in Node.js 20 to Internet Bug Bounty - 42 upvotes, $3495
- Multiple SQL Injections and constrained LFI in esk-static.3igames.mail.ru to Mail.ru - 41 upvotes, $1500
- Permission model improperly protects against path traversal in Node.js 20 to Internet Bug Bounty - 39 upvotes, $2330
- Path Traversal on Default Installed Rails Application (Asset Pipeline) to Ruby on Rails - 38 upvotes, $1500
- Path traversal leading to limited CSRF on GET requests on two endpoints to HackerOne - 38 upvotes, $0
- Remote code execution via path traversal in Zip extraction in the Extract app to Nextcloud - 38 upvotes, $0
- Path Traversal issue at https://████/blaze/ to Sony - 38 upvotes, $0
- Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████ to U.S. Dept Of Defense - 36 upvotes, $5000
- Path traversal allows tricking the Talk Android app into writing files into it's root directory to Nextcloud - 36 upvotes, $0
- Stored XSS in galleries - https://www.redtube.com/gallery/[id] path to Pornhub - 35 upvotes, $0
- Arbitrary File Reading on Uber SSL VPN to Uber - 34 upvotes, $6500
- [p2p.qiwi.com] nginx alias traversal to QIWI - 34 upvotes, $0
- internal path disclosure via register error to Tennessee Valley Authority - 34 upvotes, $0
- Path traversal by monkey-patching Buffer internals to Node.js - 34 upvotes, $0
- Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH to Glassdoor - 33 upvotes, $0
- Path traversal in ZIP extract routine on LINE Android to LY Corporation - 32 upvotes, $475
- Full Path and internal information disclosure+ SQLNet.log file disclose internal network information to Uber - 32 upvotes, $0
- LFI at http://www.████ to Sony - 32 upvotes, $0
- Path traversal in a Tomcat server to LY Corporation - 32 upvotes, $0
- [o2.mail.ru] nginx alias traversal to Mail.ru - 31 upvotes, $150
- [dev-nightly.ubnt.com] Local File Reading to Ubiquiti Inc. - 31 upvotes, $0
- SQL injection in URL path processing on www.ibm.com to IBM - 31 upvotes, $0
- Directory traversal at https://msg.algolia.com to Algolia - 30 upvotes, $0
- Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013) to Internet Bug Bounty - 29 upvotes, $1000
- LFI in beta.mail.ru to Mail.ru - 28 upvotes, $150
- LFI in pChart php library to Valve - 28 upvotes, $0
- [porcupiney.hairs]: [Python] Add Flask Path injection sinks to GitHub Security Lab - 28 upvotes, $0
- Path Traversal in App Proxy to Shopify - 27 upvotes, $500
- SQL Injection on /cs/Satellite path to LocalTapiola - 27 upvotes, $0
- [geekbrains.ru] Node modules path disclosure due to lack of error handling to Mail.ru - 26 upvotes, $0
- CVE-2022-21371: Oracle WebLogic Server Local File Inclusion to Mars - 26 upvotes, $0
- Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename to Unikrn - 25 upvotes, $50
- Directory traversal at https://nightly.ubnt.com to Ubiquiti Inc. - 24 upvotes, $0
- SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015 to Tennessee Valley Authority - 24 upvotes, $0
- Internal machine learning API endpoint for CWE classification is vulnerable to path traversal to HackerOne - 24 upvotes, $0
- CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud to Acronis - 23 upvotes, $250
- Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50 to Internet Bug Bounty - 22 upvotes, $1000
- Potential IP revealing using UNC Path in Windows File Picker to Tor - 22 upvotes, $0
- [lk.contact-sys.com] LKlang Path Traversal to QIWI - 21 upvotes, $0
- Error in Booking an appointment reveals the full path of the website to Nextcloud - 21 upvotes, $0
- LFI on Accounting server and RCE on FliteThermostat admin server to 50m-ctf - 20 upvotes, $0
- Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███ to U.S. Dept Of Defense - 20 upvotes, $0
- Path traversal on https://███ allows arbitrary file read (CVE-2020-3452) to U.S. Dept Of Defense - 20 upvotes, $0
- Path traversal on bank.mail.ru ( CVE-2013-3827 ) to Mail.ru - 20 upvotes, $0
- [webvpn.city-srv.ru] Path traversal via CVE-2020-3452 to Mail.ru - 20 upvotes, $0
- path traversal vulnerability in Grafana 8.x allows " local file read " to MTN Group - 20 upvotes, $0
- Path traversal by monkey-patching Buffer internals to Internet Bug Bounty - 19 upvotes, $2430
- [id.rapida.ru] Full Path Disclosure to QIWI - 19 upvotes, $0
- Blind SQL Injection on █████ via URI Path to Mars - 19 upvotes, $0
- [mobs.mail.ru] nginx path traversal via misconfigured alias to Mail.ru - 18 upvotes, $0
- reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
- LFI via Jolokia at https://█.█.█.█:1293 to 8x8 - 18 upvotes, $0
- Ingress-nginx path allows retrieval of ingress-nginx serviceaccount token to Kubernetes - 17 upvotes, $2500
- Persistent XSS found on bin.pinion.gg due to outdated FlowPlayer SWF file with Remote File Inclusion vulnerability. to Unikrn - 17 upvotes, $30
- ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability to U.S. Dept Of Defense - 17 upvotes, $0
- [doc.rt.informaticacloud.com] Arbitrary File Reading via Double URL Encode to Informatica - 17 upvotes, $0
- Unix domain socket and a path containing a null character to Ruby - 16 upvotes, $500
- [Total.js] Path traversal vulnerability allows to read files outside public directory to Node.js third-party modules - 16 upvotes, $0
- Authenticated path traversal to RCE to Concrete CMS - 16 upvotes, $0
- Full Path Disclosure in Wordpress Rest API Response to Showmax - 15 upvotes, $50
- Node modules path disclosure due to lack of error handling to Mapbox - 15 upvotes, $0
- List any file in the folder by using path traversal to Node.js third-party modules - 15 upvotes, $0
- Ad Builder Display Ads Path Traversal to Semrush - 15 upvotes, $0
- Korea - LFI Server directory traversal at starbucks.co.kr to Starbucks - 15 upvotes, $0
- 2x Remote file inclusion within your VMware Instances to MTN Group - 15 upvotes, $0
- CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com to IBM - 15 upvotes, $0
- Multiple permission model bypasses due to improper path traversal sequence sanitization to Node.js - 15 upvotes, $0
- Non-authenticated path traversal leading to arbitrary file read to ExpressionEngine - 15 upvotes, $0
- Unintentional file creation caused at Tempfile with directory traversal to Ruby - 14 upvotes, $500
- Windows builds with insecure path defaults (CVE-2019-1552) to Internet Bug Bounty - 13 upvotes, $500
- Linux client is vulnerable to directory traversal when downloading files to Nextcloud - 13 upvotes, $250
- Path Traversal When Sharing with Cloud Mail.Ru App via a file with Crated Name to Mail.ru - 13 upvotes, $150
- Local File Inclusion path bypass to Concrete CMS - 13 upvotes, $0
- Full path Disclosure in Rockstargames.com██████████ to Rockstar Games - 13 upvotes, $0
- Full directory path listing to Paragon Initiative Enterprises - 13 upvotes, $0
- [Critical] Full local fylesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/ to U.S. Dept Of Defense - 13 upvotes, $0
- Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log] to Nextcloud - 13 upvotes, $0
- XSS on ( █████████.gov ) Via URL path to U.S. Dept Of Defense - 13 upvotes, $0
- XSS @ store.steampowered.com via agecheck path name to Valve - 12 upvotes, $750
- GitHub Security Lab (GHSL) Vulnerability Report: Insufficient path validation in ReceiveExternalFilesActivity.java (GHSL-2022-060) to ownCloud - 12 upvotes, $50
- REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean to Yahoo! - 12 upvotes, $0
- Unrestricted File Download / Path Traversal to U.S. Dept Of Defense - 12 upvotes, $0
- Existence of Folder path by guessing the path through response to Files.com - 12 upvotes, $0
- [hekto] Path Traversal vulnerability allows to read content of arbitrary files to Node.js third-party modules - 12 upvotes, $0
- [rm.mail.ru] Request-Path XSS to Mail.ru - 12 upvotes, $0
- [vitrina.contact-sys.com] Full Path Disclosure to QIWI - 12 upvotes, $0
- Path Disclosure Vulnerability http://crm.******.com to Unikrn - 12 upvotes, $0
- Full Path Disclosure to Mail.ru - 12 upvotes, $0
- Exposing debug.log file leads to server full path disclosure to Nextcloud - 12 upvotes, $0
- [m-server] XSS reflected because path does not escapeHtml to Node.js third-party modules - 12 upvotes, $0
- Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure to Ping Identity - 11 upvotes, $100
- Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 to Concrete CMS - 11 upvotes, $0
- Local file inclusion vulnerability on a DoD website to U.S. Dept Of Defense - 11 upvotes, $0
- [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl to Node.js third-party modules - 11 upvotes, $0
- [buttle] Path traversal in mid-buttle module allows to read any file in the server. to Node.js third-party modules - 11 upvotes, $0
- [simplehttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 11 upvotes, $0
- Path traversal on ████████ to U.S. Dept Of Defense - 11 upvotes, $0
- Full Path disclosure on 500 error to Liberapay - 11 upvotes, $0
- Path Traversal - [ CVE-2020-3452 ] to U.S. Dept Of Defense - 11 upvotes, $0
- Full Path Disclosure / Info Disclosure in Creating New Group to Localize - 10 upvotes, $0
- Arbitrary File Reading to OLX - 10 upvotes, $0
- [Debug.log file Exposed to Public \Full Path Disclosure](https://hackerone.com/reports/202939) to Pornhub - 10 upvotes, $0
- Local File Inclusion In Registration Page to U.S. Dept Of Defense - 10 upvotes, $0
- [city-mobil.ru/taxiserv/] SQLi at /taxiserv/requests path at driver_company param to Mail.ru - 10 upvotes, $0
- [samokat.ru] PHP modules path disclosure due to lack of error handling to Mail.ru - 10 upvotes, $0
- Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation to Slack - 9 upvotes, $750
- Explicit, dynamic render path: Dir. Trav + RCE to Ruby on Rails - 9 upvotes, $500
- Full path disclosure on track.uber.com to Uber - 9 upvotes, $100
- Multiple Path Disclosure to Ian Dunn - 9 upvotes, $0
- [localhost-now] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 9 upvotes, $0
- [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server to Node.js third-party modules - 9 upvotes, $0
- UniFi Video Server web interface Configuration Restore path traversal leading to local system compromise to Ubiquiti Inc. - 9 upvotes, $0
- Remote file inclusion using "/cdn-cgi/pe/bag2?r[]=" to Cloudflare Vulnerability Disclosure - 9 upvotes, $0
- Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296) to ok.ru - 9 upvotes, $0
- Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch to Internet Bug Bounty - 9 upvotes, $0
- Open Redirect in the Path of vendhq.com to Vend VDP - 9 upvotes, $0
- [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc to U.S. Dept Of Defense - 9 upvotes, $0
- UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise to Ubiquiti Inc. - 9 upvotes, $0
- Path Traversal on meetcqpub1.gsa.gov allows attackers to see arbitrary file listings. to U.S. General Services Administration - 9 upvotes, $0
- Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows to Elastic - 9 upvotes, $0
- Directory Traversal to Yahoo! - 8 upvotes, $0
- [bot.brew.sh] Full Path Disclosure to Homebrew - 8 upvotes, $0
- XML Member Proccessing - Local File inclusion Vulnerability to ExpressionEngine - 8 upvotes, $0
- [markdown-pdf] Local file reading to Node.js third-party modules - 8 upvotes, $0
- h1-5411-CTF report: LFI / Deserialization / XXE vulnerability, to h1-5411-CTF - 8 upvotes, $0
- [knightjs] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 8 upvotes, $0
- [serve-here.js] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
- Path traversal using symlink to Node.js third-party modules - 8 upvotes, $0
- Directory listing is enabled that exposes non public data through multiple path to Nextcloud - 8 upvotes, $0
- [min-http-server] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
- internal path disclosure via error message to Mail.ru - 8 upvotes, $0
- CVE-2022-27780: percent-encoded path separator in URL host to Internet Bug Bounty - 8 upvotes, $0
- Multiple Path Transversal Vulnerabilites to Tor - 8 upvotes, $0
- Download attachments with traversal path into any sdcard directory (incomplete fix 106097) to Mail.ru - 7 upvotes, $200
- (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' to Shopify - 7 upvotes, $0
- [Airship CMS] Local File Inclusion - RST Parser to Paragon Initiative Enterprises - 7 upvotes, $0
- [otus.p.mail.ru] Full Path Disclosure to Mail.ru - 7 upvotes, $0
- Path Traversal on Resolve-Path to Node.js third-party modules - 7 upvotes, $0
- [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server to Node.js third-party modules - 7 upvotes, $0
- [glance] Path Traversal in glance static file server allows to read content of arbitrary file to Node.js third-party modules - 7 upvotes, $0
- [stattic] Inproper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) to Node.js third-party modules - 7 upvotes, $0
- [crud-file-server] Path Traversal allows to read arbitrary file from the server to Node.js third-party modules - 7 upvotes, $0
- [http-file-server] List any files and sub folders in the folder by using path traversal. to Node.js third-party modules - 7 upvotes, $0
- [https://youdrive.today/] Nginx directory traversal to Mail.ru - 7 upvotes, $0
- Path Transversal inside saveContracts.js to Sifchain - 7 upvotes, $0
- lfi in filePathDownload parameter via ███████ to U.S. Dept Of Defense - 7 upvotes, $0
- CVE-2022-27780: percent-encoded path separator in URL host to curl - 7 upvotes, $0
- Path traversal leads to reading of local files on ███████ and ████ to U.S. Dept Of Defense - 7 upvotes, $0
- Potential directory traversal in OC\Files\Node\Folder::getFullPath to Nextcloud - 7 upvotes, $0
- CVE-2023-27534: SFTP path ~ resolving discrepancy to Internet Bug Bounty - 6 upvotes, $480
- Fix : (Security) Mitigate Path Traversal Bug to Hyperledger - 6 upvotes, $200
- Remote file Inclusion - RFI in upload to Slack - 6 upvotes, $0
- Path Disclosure Vulnerability to Ian Dunn - 6 upvotes, $0
- Wordpress: Directory Traversal / Denial of Serivce to Nextcloud - 6 upvotes, $0
- Remote file inclusion vulnerability on a DoD website to U.S. Dept Of Defense - 6 upvotes, $0
- [626] Path Traversal allows to read arbitrary file from remote server to Node.js third-party modules - 6 upvotes, $0
- [node-srv] Path Traversal allows to read arbitrary files from remote server to Node.js third-party modules - 6 upvotes, $0
- [mcstatic] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 6 upvotes, $0
- Import File Converter - local File inclusion to ExpressionEngine - 6 upvotes, $0
- [mcstatic] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
- [serve] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
- [takeapeek] Path traversal allow to expose directory and files to Node.js third-party modules - 6 upvotes, $0
- [static-resource-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 6 upvotes, $0
- Read-only path traversal (CVE-2020-3452) at https://██████.mil to U.S. Dept Of Defense - 6 upvotes, $0
- Text app leaks file path of shared files to Nextcloud - 6 upvotes, $0
- Arbitrary File Deletion via Path Traversal in image-edit.php to ImpressCMS - 6 upvotes, $0
- Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net to GitLab - 6 upvotes, $0
- Local file inclusion to Yahoo! - 5 upvotes, $0
- FULL PATH DISCLOSUR to Concrete CMS - 5 upvotes, $0
- Directory traversal attack in view resolver to Ruby on Rails - 5 upvotes, $0
- Full Path Disclosure to Mail.ru - 5 upvotes, $0
- [allods.my.com] Full Path Disclosure to Mail.ru - 5 upvotes, $0
- superstatic is vulnerable to path traversal on Windows to Node.js third-party modules - 5 upvotes, $0
- [bruteser] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 5 upvotes, $0
- http-live-simulator npm module is prone to path traversal attacks to Node.js third-party modules - 5 upvotes, $0
- [serve] Path Traversal to Vercel - 5 upvotes, $0
- Full Path Disclosure to Unikrn - 5 upvotes, $0
- [statichttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 5 upvotes, $0
- https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass to U.S. Dept Of Defense - 5 upvotes, $0
- Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████ to U.S. Dept Of Defense - 5 upvotes, $0
- Path traversal on [███] to U.S. Dept Of Defense - 5 upvotes, $0
- Error in Deleting Deck cards attachment reveals the full path of the website to Nextcloud - 5 upvotes, $0
- Relative Path Traversal vulnerability in fabric-private-chaincode to Hyperledger - 5 upvotes, $0
- the complete server installation path is visible in cloud/user endpoint to Nextcloud - 5 upvotes, $0
- Filesystem experimental permissions policy does not handle path traversal cases. to Node.js - 5 upvotes, $0
- Tor Project - Full Path Disclosure to Tor - 5 upvotes, $0
- [Java]: CWE-073 - File path injection with the JFinal framework to GitHub Security Lab - 4 upvotes, $1800
- CVE-2021-22924: Bad connection reuse due to flawed path name checks to curl - 4 upvotes, $1200
- Image Upload Path Disclosure to Instacart - 4 upvotes, $100
- full path disclosure vulnerability at https://security.olx.com/* to OLX - 4 upvotes, $0
- newrelic.com rails directory traversal vuln to New Relic - 4 upvotes, $0
- [serve-here] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 4 upvotes, $0
- [featurebook] Specification Server Directory Traversal via Crafted Browser Request to Node.js third-party modules - 4 upvotes, $0
- [public] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 4 upvotes, $0
- [angular-http-server] Server Directory Traversal to Node.js third-party modules - 4 upvotes, $0
- Bypass to defective fix of Path Traversal to Node.js third-party modules - 4 upvotes, $0
- [ponse] Path traversal in ponse module allows to read any file on server to Node.js third-party modules - 4 upvotes, $0
- Path traversal in command line client to MariaDB - 4 upvotes, $0
- [sapper] Path Traversal to Node.js third-party modules - 4 upvotes, $0
- Full path disclosure vulnerability via Upload .htaccess file to Nextcloud - 4 upvotes, $0
- [hnzserver] Path Traversal allowing to read any files on the server to Node.js third-party modules - 4 upvotes, $0
- [██████████.mil] Cisco VPN Service Path Traversal to U.S. Dept Of Defense - 4 upvotes, $0
- Read-only path traversal (CVE-2020-3452) at https://█████ to U.S. Dept Of Defense - 4 upvotes, $0
- Read-only path traversal (CVE-2020-3452) at https://████████ to U.S. Dept Of Defense - 4 upvotes, $0
- [JAVA]: Partial Path Traversal to GitHub Security Lab - 3 upvotes, $1800
- Path Disclosure (Info Disclosure) in http://www.localize.io to Localize - 3 upvotes, $0
- Full Path Disclosure to Respondly - 3 upvotes, $0
- Full Path Disclosure (FPD) in www.localize.im to Localize - 3 upvotes, $0
- Full Path Disclosure (FPD) in www.localize.im to Localize - 3 upvotes, $0
- Directory Traversal at http://staging.jsdelivr.net/ to jsDelivr - 3 upvotes, $0
- Full Path Disclosure on gmchat.gm.com to General Motors - 3 upvotes, $0
- Full path + some back-end code disclosure to ExpressionEngine - 3 upvotes, $0
- Full Path Disclosure at 27.prd.vine.co to X (Formerly Twitter) - 3 upvotes, $0
- Image lib - unescaped file path to ExpressionEngine - 3 upvotes, $0
- [lactate] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
- [augustine] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
- foreman is vulnerable to ReDoS in path to Node.js third-party modules - 3 upvotes, $0
- [file-static-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 3 upvotes, $0
- Cross-Domain JavaScript Source File Inclusion to RubyGems - 3 upvotes, $0
- [harp] Path traversal using symlink to Node.js third-party modules - 3 upvotes, $0
- Path traversal in https://www.npmjs.com/package/http_server via symlink to Node.js third-party modules - 3 upvotes, $0
- LFI from bypassing image parser and faking HEAD response with redirection to BugPoC - 3 upvotes, $0
- https://██████/ Vulnerable to CVE-2013-3827 (Directory-traversal vulnerability) to U.S. Dept Of Defense - 3 upvotes, $0
- Path Traversal CVE-2021-26086 CVE-2021-26085 to MariaDB - 3 upvotes, $0
- error parse uri path in curl to curl - 3 upvotes, $0
- fix(security):Path Traversal Bug to Hyperledger - 3 upvotes, $0
- CVE-2023-27534: SFTP path ~ resolving discrepancy to curl - 3 upvotes, $0
- Phabricator Phame Blog Skins Local File Inclusion to Phabricator - 2 upvotes, $500
- Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json to Keybase - 2 upvotes, $100
- Full Path Disclosure to ownCloud - 2 upvotes, $25
- Full Path Disclosure on [smarthistory.khanacademy.org] to Khan Academy - 2 upvotes, $0
- Full path disclosure to Localize - 2 upvotes, $0
- Full Path Disclosure (FPD) in www.localize.io to Localize - 2 upvotes, $0
- Full Path Disclosure / Info Disclosure in Importing XML Section! to Localize - 2 upvotes, $0
- Full Path Disclosure (2) to Localize - 2 upvotes, $0
- Full Path Disclosure to Localize - 2 upvotes, $0
- CONCRETE5 - path disclosure. to Concrete CMS - 2 upvotes, $0
- PHP PDOException and Full Path Disclosure to Localize - 2 upvotes, $0
- full path disclosure from false language to Localize - 2 upvotes, $0
- Suffix of url-path is vulnerable to XSS-attack to Khan Academy - 2 upvotes, $0
- Multiple sub domain are vulnerable because of leaking full path to Udemy - 2 upvotes, $0
- apps.owncloud.com: Path Disclosure to ownCloud - 2 upvotes, $0
- Full path disclosure when CSRF validation failed to Paragon Initiative Enterprises - 2 upvotes, $0
- Full Path Disclosure by removing CSRF token to Paragon Initiative Enterprises - 2 upvotes, $0
- [Not just a server configuration issue] Full Path Disclosure to Ian Dunn - 2 upvotes, $0
- Full path disclosure vulnerability at http://corporate.olx.ph to OLX - 2 upvotes, $0
- Full Path Disclousure on https://airship.paragonie.com to Paragon Initiative Enterprises - 2 upvotes, $0
- full path disclosure at hosted.weblate.org/admin/accounts/profile/ to Weblate - 2 upvotes, $0
- [m-server] Path Traversal allows to display content of arbitrary file(s) from the server to Node.js third-party modules - 2 upvotes, $0
- [http-live-simulator] Path traversal vulnerability to Node.js third-party modules - 2 upvotes, $0
- [public] Path traversal using symlink to Node.js third-party modules - 2 upvotes, $0
- Directory traversal allows execution of arbitrary binaries usign doveadm exec to Open-Xchange - 2 upvotes, $0
- [static-server-gx] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
- [http_server] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
- [node-downloader-helper] Path traversal via Content-Disposition header to Node.js third-party modules - 2 upvotes, $0
- RXSS Via URI Path - https://██████████/ to U.S. Dept Of Defense - 2 upvotes, $0
- [www.█████] Path-based reflected Cross Site Scripting to U.S. Dept Of Defense - 2 upvotes, $0
- Full path disclosure at ads.twitter.com to X (Formerly Twitter) - 1 upvotes, $140
- Full Path Disclosure to ownCloud - 1 upvotes, $25
- PHP PDOException and Full Path Disclosure to Localize - 1 upvotes, $0
- Path disclosure in platform0.twitter.com to X (Formerly Twitter) - 1 upvotes, $0
- Full Path Disclosure to Paragon Initiative Enterprises - 1 upvotes, $0
- don't expose path of Python to Gratipay - 1 upvotes, $0
- Default.aspx exposing full path and other info on wip.origin-community.xero.com to Xero - 1 upvotes, $0
- Full path disclosure to Phabricator - 1 upvotes, $0
- Full path disclosure vulnerability on paragonie.com to Paragon Initiative Enterprises - 1 upvotes, $0
- file full path discloser. to Paragon Initiative Enterprises - 1 upvotes, $0
- Prototype Pollution Vulnerability in cached-path-relative Package to Node.js third-party modules - 1 upvotes, $0
- [statics-server] Path Traversal due to lack of provided path sanitization to Node.js third-party modules - 1 upvotes, $0
- [servey] Path Traversal allows to retrieve content of any file with extension from remote server to Node.js third-party modules - 1 upvotes, $0
- [md-fileserver] Path Traversal to Node.js third-party modules - 1 upvotes, $0
- [deliver-or-else] Path Traversal to Node.js third-party modules - 1 upvotes, $0
- [https://███] Local File Inclusion via graph.php to U.S. Dept Of Defense - 1 upvotes, $0
- https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability to U.S. Dept Of Defense - 1 upvotes, $0
- [sirloin] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvotes, $0
- [hangersteak] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvotes, $0
- [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files to Node.js third-party modules - 1 upvotes, $0
- "blog.skillfactory.ru" Vulnerable to Directory Traversal to Mail.ru - 1 upvotes, $0
- Full Path Disclosure of Server through 500 Server Error to Kartpay - 1 upvotes, $0
- Leaking sensitive information through JSON file path. to Nextcloud - 1 upvotes, $0
- [Python]: Add shutil module sinks for path injection query to GitHub Security Lab - 1 upvotes, $0
- Directory Traversal at █████ to U.S. Dept Of Defense - 1 upvotes, $0
- Server Path Disclosure to Aspen - 0 upvotes, $0
- Full Path Disclosure in airship.paragonie.com '/cabins/' to Paragon Initiative Enterprises - 0 upvotes, $0
- Full Path Disclosure in password lock to Paragon Initiative Enterprises - 0 upvotes, $0
- Full Path Disclosure In EasyDB to Paragon Initiative Enterprises - 0 upvotes, $0
- [██████████] — Directory traversal via /aerosol-bin/███████/display_directory_████_t.cgi to U.S. Dept Of Defense - 0 upvotes, $0
- [object-path-set] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
- Access to admininstrative resources/account via path traversal to U.S. Dept Of Defense - 0 upvotes, $0