CVE-2025-48050

HIGH Year: 2025
CVSS v3 Score
7.5
High
Weakness Type
CWE-24
View all →

Vulnerability Description

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

Related Vulnerabilities

CVE-2014-125033

HIGH
CVSS:7.5(High)

A vulnerability was found in rails-cv-app. It has been rated as problematic. Affected by this issue is some unknown functionality of the file app/controllers/uploaded_files_controller.rb. The manipula...

CWE-242014

CVE-2018-25094

HIGH
CVSS:7.5(High)

A vulnerability was found in ระบบบัญชีออนไลน์ Online Accounting System up to 1.4.0 and classified as problematic. This issue affects some unknown processing of the file ckeditor/filemanager/browser/de...

CWE-242018

CVE-2019-25087

HIGH
CVSS:7.5(High)

A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler....

CWE-242019

CVE-2020-9708

HIGH
CVSS:7.5(High)

The resolveRepositoryPath function doesn't properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access o...

CWE-242020

CVE-2021-29466

HIGH
CVSS:7.5(High)

Discord-Recon is a bot for the Discord chat service. In versions of Discord-Recon 0.0.3 and prior, a remote attacker is able to read local files from the server that can disclose important information...

CWE-242021

CVE-2023-3239

HIGH
CVSS:7.5(High)

A vulnerability, which was classified as problematic, was found in OTCMS up to 6.62. Affected is an unknown function of the file admin/readDeal.php?mudi=readQrCode. The manipulation of the argument im...

CWE-242023