VYPR

CWE-548

Exposure of Information Through Directory Listing

Variant, Draft

Description

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (6)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-36921 | Hig | 0.49 | 7.5 | 0.00 | | Jan 6, 2026 | RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. |
| CVE-2017-6045 | Hig | 0.49 | 7.5 | 0.01 | | Jun 21, 2017 | An Information Exposure issue was discovered in Trihedral VTScada Versions prior to 11.2.26. Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information. |
| CVE-2024-2340 | Med | 0.39 | 5.3 | 0.58 | | Apr 9, 2024 | The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. |
| CVE-2024-42007 | Med | 0.38 | 5.8 | 0.01 | | Jul 26, 2024 | SPX (aka php-spx) through 0.4.15 allows SPX_UI_URI Directory Traversal to read arbitrary files. |
| CVE-2025-61685 | Med | 0.35 | 6.5 | 0.00 | | Oct 3, 2025 | Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20. |
| CVE-2026-41933 | Med | 0.34 | 5.3 | 0.00 | | May 14, 2026 | Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps. |