VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 119 of 275
  • CVE-2022-31195HigAug 1, 2022
    risk 0.40cvss 7.2epss 0.01

    DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a…

  • CVE-2020-12827HigJun 17, 2020
    risk 0.40cvss 7.2epss 0.03

    MJML prior to 4.6.3 contains a path traversal vulnerability when processing the mj-include directive within an MJML document.

  • CVE-2019-6799MedJan 26, 2019
    risk 0.40cvss 5.9epss 0.16

    An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the…

  • CVE-2018-16059MedSep 7, 2018
    risk 0.40cvss 5.3epss 0.30

    Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.

  • CVE-2018-15140MedAug 13, 2018
    risk 0.40cvss 6.5epss 0.17

    Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.

  • CVE-2018-6660MedApr 2, 2018
    risk 0.40cvss 6.2epss 0.02

    Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular…

  • CVE-2015-5471MedJan 12, 2016
    risk 0.40cvss 5.3epss 0.33

    Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.

  • CVE-2026-48099higJun 11, 2026
    risk 0.39cvss epss 0.00

    ### Impact WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout. ### Patches The issue is fixed with version 4.3.4. ### Preconditions The practical impact depends…

  • CVE-2026-49742HigJun 9, 2026
    risk 0.39cvss epss 0.00

    Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such…

  • CVE-2026-47735higJun 8, 2026
    risk 0.39cvss epss 0.00

    ### Summary Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex denylist. The broader DuckDB I/O function family — `read_csv_auto`, `read_csv`, `read_json`, `read_json_auto`, `read_text`,…

  • CVE-2026-48827HigJun 1, 2026
    risk 0.39cvss 7.1epss 0.01

    Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. …

  • CVE-2026-46345higMay 28, 2026
    risk 0.39cvss epss 0.00

    **Relevant Products/Components:** * `trestle/core/commands/author/jinja.py` * `trestle author jinja` --- ## Detailed Description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly…

  • CVE-2026-47243higMay 27, 2026
    risk 0.39cvss epss 0.00

    ### Summary In the runtime-rs standalone virtio-fs path, verified here with QEMU (and verified with Cloud Hypervisor too), Kata Containers runs host `virtiofsd` as root with: ``` --sandbox none --seccomp none ``` If an attacker has root-equivalent execution inside the Kata…

  • CVE-2026-44641HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are…

  • CVE-2026-44647HigMay 14, 2026
    risk 0.39cvss epss 0.00

    OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that…

  • CVE-2026-45224HigMay 11, 2026
    risk 0.39cvss 7.1epss 0.00

    Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or…

  • CVE-2026-44243HigMay 7, 2026
    risk 0.39cvss 7.1epss 0.00

    GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the…

  • CVE-2026-5656HigMay 1, 2026
    risk 0.39cvss 7.0epss 0.00

    Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution

  • CVE-2026-41894HigApr 24, 2026
    risk 0.39cvss epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use…

  • CVE-2026-6940HigApr 23, 2026
    risk 0.39cvss 7.1epss 0.00

    radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to…