CWE-548
Exposure of Information Through Directory Listing
Description
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-32750 | | High | 0.49 | 7.5 | 0.00 | | May 20, 2026 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. |
| CVE-2020-36921 | | High | 0.49 | 7.5 | 0.00 | | Jan 6, 2026 | RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without… |
| CVE-2018-14785 | | High | 0.49 | 7.5 | 0.02 | | Aug 10, 2018 | NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The directory of the device is listed openly without authentication. |
| CVE-2018-10590 | | High | 0.49 | 7.5 | 0.02 | | May 15, 2018 | In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an information exposure vulnerability through directory… |
| CVE-2017-6045 | | High | 0.49 | 7.5 | 0.02 | | Jun 21, 2017 | An Information Exposure issue was discovered in Trihedral VTScada Versions prior to 11.2.26. Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information. |
| CVE-2024-2340 | | Med | 0.40 | 5.3 | 0.28 | | Apr 9, 2024 | The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada… |
| CVE-2024-42007 | | Med | 0.38 | 5.8 | 0.01 | | Jul 26, 2024 | SPX (aka php-spx) through 0.4.15 allows SPX_UI_URI Directory Traversal to read arbitrary files. |
| CVE-2025-61685 | | Med | 0.35 | 6.5 | 0.01 | | Oct 3, 2025 | Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for… |
| CVE-2026-50233 | | Med | 0.34 | 5.3 | 0.00 | | Jun 5, 2026 | Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no… |
| CVE-2026-41933 | | Med | 0.27 | 5.3 | 0.00 | | May 14, 2026 | Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such… |
| CVE-2026-22860 | | — | 0.00 | — | 0.01 | | Feb 18, 2026 | Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root… |
| CVE-2025-62396 | | — | 0.00 | — | 0.00 | | Oct 23, 2025 | An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured. |
| CVE-2020-8161 | | — | 0.00 | — | 0.04 | | Jul 2, 2020 | A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure. |
| CVE-2019-5437 | | — | 0.00 | — | 0.01 | | May 10, 2019 | Information exposure through the directory listing in npm's harp module allows access to files that are supposed to be ignored according to the harp server rules. Vulnerable versions are <= 0.29.0 and no fix was applied to our knowledge. |
| CVE-2019-5415 | | — | 0.00 | — | 0.02 | | Mar 17, 2019 | A bug in handling the ignore files and directories feature in serve 6.5.3 allows an attacker to read a file or list the directory that the victim has not allowed access to. |
| CVE-2018-16493 | | — | 0.00 | — | 0.02 | | Feb 1, 2019 | A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL. |