VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 120 of 275
  • CVE-2026-34414HigApr 22, 2026
    risk 0.39cvss 7.1epss 0.03

    Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can…

  • CVE-2026-39973HigApr 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding…

  • CVE-2026-40518HigApr 17, 2026
    risk 0.39cvss 7.1epss 0.00

    ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to…

  • CVE-2026-40090HigApr 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation subcommands. These subcommands output file paths are constructed by…

  • CVE-2025-68649MedApr 14, 2026
    risk 0.39cvss 6.0epss 0.00

    An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through…

  • CVE-2025-61624MedApr 14, 2026
    risk 0.39cvss 6.0epss 0.01

    An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM…

  • CVE-2026-40024HigApr 8, 2026
    risk 0.39cvss 7.1epss 0.00

    The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem…

  • CVE-2026-39308HigApr 7, 2026
    risk 0.39cvss 7.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP…

  • CVE-2026-35167HigApr 6, 2026
    risk 0.39cvss 7.1epss 0.00

    Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path…

  • CVE-2026-34604HigApr 1, 2026
    risk 0.39cvss 7.1epss 0.00

    Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under…

  • CVE-2026-34603HigApr 1, 2026
    risk 0.39cvss 7.1epss 0.00

    Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link…

  • CVE-2026-24046HigJan 21, 2026
    risk 0.39cvss 7.1epss 0.00

    Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read…

  • CVE-2025-11059higSep 10, 2025
    risk 0.39cvss epss 0.00

    ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before…

  • CVE-2025-11058higAug 26, 2025
    risk 0.39cvss epss 0.00

    ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ###…

  • CVE-2025-41242MedAug 18, 2025
    risk 0.39cvss 5.9epss 0.02

    Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded…

  • CVE-2025-24019HigJan 21, 2025
    risk 0.39cvss 7.1epss 0.01

    YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the…

  • CVE-2024-49760HigOct 24, 2024
    risk 0.39cvss 7.1epss 0.01

    OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it…

  • CVE-2024-47191HigOct 9, 2024
    risk 0.39cvss 7.1epss 0.00

    pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.

  • CVE-2023-33310MedMay 17, 2024
    risk 0.39cvss 6.0epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Valiano Unite Gallery Lite allows PHP Local File Inclusion.This issue affects Unite Gallery Lite: from n/a through 1.7.59.

  • CVE-2024-1163HigFeb 13, 2024
    risk 0.39cvss 7.1epss 0.00

    The attacker may exploit a path traversal vulnerability leading to information disclosure.