File-Deletion

PraisonAI's template loader is vulnerable to a path traversal flaw (GHSA-f44v-7qgw-9gh9) when processing GitHub template URIs, allowing an unauthenticated attacker to write arbitrary files or delete arbitrary directories on the system running PraisonAI, leading to corruption of user configuration, project state, or application data.

The Kirki plugin for WordPress is vulnerable to arbitrary file deletion via CVE-2026-8073 due to insufficient file path validation and a missing capability check in the 'downloadZIP' function, allowing unauthenticated attackers to delete files within the WordPress uploads directory.

WooCommerce CSV Importer 3.3.6 contains a path traversal vulnerability (CVE-2018-25325) that allows registered users to delete arbitrary files by submitting crafted filenames via the delete_export_file AJAX action.

WordPress Backup and Restore plugin 1.0.3 contains an arbitrary file deletion vulnerability (CVE-2021-47979) allowing authenticated attackers to delete files by manipulating parameters in AJAX requests to admin-ajax.php.

A path traversal vulnerability in SimpleSAMLphp's casserver module allows remote attackers to read and potentially delete arbitrary files outside the ticket directory by manipulating the ticket parameter in CAS validation requests, impacting confidentiality and integrity.

Open WebUI version 0.8.3 and earlier is vulnerable to an authorization bypass, allowing any authenticated user to permanently delete files owned by other users via `DELETE /api/v1/files/{id}` if the target file is referenced in any shared chat due to a flaw in the `has_access_to_file()` function.

Crabbox versions before 0.9.0 contain a path traversal vulnerability (CVE-2026-45224) in the Islo provider's workspace path resolution, allowing attackers to cause arbitrary file deletion and overwrite by crafting malicious .crabbox.yaml files with traversal sequences when sync.delete is enabled.

Open WebUI is vulnerable to path traversal (CVE-2026-44565), allowing attackers to upload files to arbitrary locations on the web server's filesystem and subsequently delete them due to insufficient filename sanitization in the `/ollama/models/upload` API endpoint.

A path traversal vulnerability exists in FileBrowser's public share DELETE API allowing unauthenticated attackers with valid share hashes and delete permissions to delete arbitrary files outside the shared directory, leading to unauthorized data loss and potential service disruption.

CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.

OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.

Hermes WebUI is vulnerable to arbitrary file deletion via path traversal in the /api/session/delete endpoint due to insufficient validation of the session_id parameter, allowing authenticated attackers to delete writable JSON files on the host system.

The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.

TeamT5's ThreatSonar Anti-Ransomware is vulnerable to arbitrary file deletion via path traversal, allowing authenticated remote attackers with web access to delete arbitrary files on the system.

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.

A path traversal vulnerability (CVE-2026-31939) in Chamilo LMS versions prior to 1.11.38 allows authenticated attackers to delete arbitrary files via unsanitized user input in the 'test' parameter of savescores.php.

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.

Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.

The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.

The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.

Endian Firewall versions 3.3.25 and prior allow authenticated users to delete arbitrary files due to a path traversal vulnerability in the `remove ARCHIVE` parameter of the `/cgi-bin/backup.cgi` script, leading to unauthorized file system modification.

Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.

The WP-Optimize plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with author-level access or higher to delete arbitrary files, potentially leading to remote code execution.