CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 119 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-31195 | Hig | 0.40 | 7.2 | 0.01 | Aug 1, 2022 | DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a… | ||
| CVE-2020-12827 | — | Hig | 0.40 | 7.2 | 0.03 | Jun 17, 2020 | MJML prior to 4.6.3 contains a path traversal vulnerability when processing the mj-include directive within an MJML document. | |
| CVE-2019-6799 | Med | 0.40 | 5.9 | 0.16 | Jan 26, 2019 | An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the… | ||
| CVE-2018-16059 | Med | 0.40 | 5.3 | 0.30 | Sep 7, 2018 | Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter. | ||
| CVE-2018-15140 | Med | 0.40 | 6.5 | 0.17 | Aug 13, 2018 | Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get. | ||
| CVE-2018-6660 | Med | 0.40 | 6.2 | 0.02 | Apr 2, 2018 | Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular… | ||
| CVE-2015-5471 | Med | 0.40 | 5.3 | 0.33 | Jan 12, 2016 | Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter. | ||
| CVE-2026-48099 | hig | 0.39 | — | 0.00 | Jun 11, 2026 | ### Impact WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout. ### Patches The issue is fixed with version 4.3.4. ### Preconditions The practical impact depends… | ||
| CVE-2026-49742 | Hig | 0.39 | — | 0.00 | Jun 9, 2026 | Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such… | ||
| CVE-2026-47735 | hig | 0.39 | — | 0.00 | Jun 8, 2026 | ### Summary Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex denylist. The broader DuckDB I/O function family — `read_csv_auto`, `read_csv`, `read_json`, `read_json_auto`, `read_text`,… | ||
| CVE-2026-48827 | Hig | 0.39 | 7.1 | 0.01 | Jun 1, 2026 | Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. … | ||
| CVE-2026-46345 | hig | 0.39 | — | 0.00 | May 28, 2026 | **Relevant Products/Components:** * `trestle/core/commands/author/jinja.py` * `trestle author jinja` --- ## Detailed Description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly… | ||
| CVE-2026-47243 | hig | 0.39 | — | 0.00 | May 27, 2026 | ### Summary In the runtime-rs standalone virtio-fs path, verified here with QEMU (and verified with Cloud Hypervisor too), Kata Containers runs host `virtiofsd` as root with: ``` --sandbox none --seccomp none ``` If an attacker has root-equivalent execution inside the Kata… | ||
| CVE-2026-44641 | Hig | 0.39 | 7.1 | 0.00 | May 15, 2026 | Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are… | ||
| CVE-2026-44647 | Hig | 0.39 | — | 0.00 | May 14, 2026 | OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that… | ||
| CVE-2026-45224 | Hig | 0.39 | 7.1 | 0.00 | May 11, 2026 | Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or… | ||
| CVE-2026-44243 | Hig | 0.39 | 7.1 | 0.00 | May 7, 2026 | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the… | ||
| CVE-2026-5656 | Hig | 0.39 | 7.0 | 0.00 | May 1, 2026 | Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution | ||
| CVE-2026-41894 | Hig | 0.39 | — | 0.00 | Apr 24, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use… | ||
| CVE-2026-6940 | Hig | 0.39 | 7.1 | 0.00 | Apr 23, 2026 | radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to… |
- risk 0.40cvss 7.2epss 0.01
DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a…
- risk 0.40cvss 7.2epss 0.03
MJML prior to 4.6.3 contains a path traversal vulnerability when processing the mj-include directive within an MJML document.
- risk 0.40cvss 5.9epss 0.16
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the…
- risk 0.40cvss 5.3epss 0.30
Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
- risk 0.40cvss 6.5epss 0.17
Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.
- risk 0.40cvss 6.2epss 0.02
Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular…
- risk 0.40cvss 5.3epss 0.33
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.
- risk 0.39cvss —epss 0.00
### Impact WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout. ### Patches The issue is fixed with version 4.3.4. ### Preconditions The practical impact depends…
- risk 0.39cvss —epss 0.00
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such…
- risk 0.39cvss —epss 0.00
### Summary Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex denylist. The broader DuckDB I/O function family — `read_csv_auto`, `read_csv`, `read_json`, `read_json_auto`, `read_text`,…
- risk 0.39cvss 7.1epss 0.01
Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. …
- risk 0.39cvss —epss 0.00
**Relevant Products/Components:** * `trestle/core/commands/author/jinja.py` * `trestle author jinja` --- ## Detailed Description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly…
- risk 0.39cvss —epss 0.00
### Summary In the runtime-rs standalone virtio-fs path, verified here with QEMU (and verified with Cloud Hypervisor too), Kata Containers runs host `virtiofsd` as root with: ``` --sandbox none --seccomp none ``` If an attacker has root-equivalent execution inside the Kata…
- risk 0.39cvss 7.1epss 0.00
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are…
- risk 0.39cvss —epss 0.00
OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that…
- risk 0.39cvss 7.1epss 0.00
Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or…
- risk 0.39cvss 7.1epss 0.00
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the…
- risk 0.39cvss 7.0epss 0.00
Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
- risk 0.39cvss —epss 0.00
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use…
- risk 0.39cvss 7.1epss 0.00
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to…