By weakness (CWE)
CWE-23: related vulnerabilities
CVEs classified under CWE-23. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
5 published vulnerabilities
- CVE-2025-41280HIGH 7.8
Waterfall Security's WF-500 RX Host contains a path traversal vulnerability (Zip Slip) that allows attackers who have already gained access to the TX Host to execute arbitrary code on the RX Host, provided MySQL connector functionality is configured and file compression is enabled. The vulnerability stems from improper handling of file paths during decompression operations, enabling attackers to write files outside their intended directory. This is a privilege escalation concern within an already-compromised environment rather than an initial access vector.
- CVE-2025-41271HIGH 7.5
A path traversal vulnerability exists in the Waterfall WF-500 Console WebUI that allows attackers to read sensitive files from affected devices without requiring authentication. The flaw stems from improper handling of relative file paths, enabling an attacker to navigate outside intended directories and access arbitrary files on the system. This is a remote attack requiring only network access—no user interaction or special privileges needed.
- CVE-2026-10073HIGH 7.5
DreamMaker, a product by Interinfo, contains a flaw that allows attackers to read arbitrary files from the system without authentication. An attacker can exploit a relative path traversal weakness to access sensitive system files they shouldn't be able to reach. This is a network-accessible vulnerability, meaning an attacker doesn't need physical access or prior system credentials to attempt exploitation.
- CVE-2025-48977MEDIUM 6.5
Apache Ignite REST API contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server by manipulating the log path parameter in API commands. An attacker with valid REST API credentials can escape the intended log directory and access sensitive files anywhere on the system. This affects Ignite versions 2.0.0 through 2.17.0, and the vendor has released version 2.18.0 to address it.
- CVE-2026-10074MEDIUM 4.9
DreamMaker, a product developed by Interinfo, contains a vulnerability that allows authenticated administrators or privileged users with local access to read arbitrary files from the system. An attacker with elevated privileges can exploit a path traversal flaw to access sensitive system files they shouldn't normally be able to retrieve, potentially exposing configuration data, credentials, or other protected information.