VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 121 of 275
  • CVE-2023-43802HigOct 18, 2023
    risk 0.39cvss 7.1epss 0.00

    Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the…

  • CVE-2023-28459MedApr 20, 2023
    risk 0.39cvss 6.5epss 0.07

    pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.

  • CVE-2022-23532HigJan 14, 2023
    risk 0.39cvss 7.1epss 0.01

    APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability found in the apoc.export.* procedures of apoc plugins in Neo4j Graph database. The issue allows a malicious actor to potentially…

  • CVE-2021-23340HigFeb 18, 2021
    risk 0.39cvss 7.1epss 0.01

    This affects the package pimcore/pimcore before 6.8.8. A Local FIle Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this…

  • CVE-2016-1000249higSep 1, 2020
    risk 0.39cvss epss 0.06

    `fury-adapter-swagger` from version 0.2.0 until version 0.9.7 has a weakness that allows an attacker to read arbitrary files off of the system. This can be used to read sensitive data, or to cause a denial of service condition by attempting to read something like `/dev/zero`. …

  • CVE-2019-9648MedMar 22, 2019
    risk 0.39cvss 5.3epss 0.14

    An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.

  • CVE-2018-11762MedSep 19, 2018
    risk 0.39cvss 5.9epss 0.05

    In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.

  • CVE-2018-15141MedAug 13, 2018
    risk 0.39cvss 6.5epss 0.14

    Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete.

  • CVE-2018-13980MedJul 16, 2018
    risk 0.39cvss 5.5epss 0.07

    The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.

  • CVE-2018-10860MedJun 29, 2018
    risk 0.39cvss 5.4epss 0.49

    perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or…

  • CVE-2018-5755MedJun 16, 2018
    risk 0.39cvss 5.5epss 0.08

    Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a…

  • CVE-2018-6409MedMay 26, 2018
    risk 0.39cvss 5.3epss 0.15

    An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q…

  • CVE-2017-8189MedNov 22, 2017
    risk 0.39cvss 6.0epss 0.00

    FusionSphere OpenStack V100R006C00SPC102(NFV)has a path traversal vulnerability. Due to insufficient path validation, an attacker with high privilege may exploit this vulnerability to cover some files, causing services abnormal.

  • CVE-2017-5163MedFeb 13, 2017
    risk 0.39cvss 5.9epss 0.02

    An issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. After an administrator downloads a configuration file, a copy of the configuration file, which includes hashes of user passwords, is saved to a location that is accessible…

  • CVE-2016-7116MedDec 10, 2016
    risk 0.39cvss 6.0epss 0.01

    Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.

  • CVE-2016-1231MedJan 12, 2016
    risk 0.39cvss 5.9epss 0.03

    Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.

  • CVE-2026-55878higJun 19, 2026
    risk 0.38cvss epss

    ### Description The `ux:install` console command installs files from a recipe kit by copying paths listed in a `copy-files` map. The only guard against malicious paths was `Path::isRelative()`, which returns `true` for paths like `../../../etc`. `Path::join()` then resolves the…

  • CVE-2026-55760higJun 17, 2026
    risk 0.38cvss epss

    ### Impact Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path…

  • CVE-2026-54017higJun 17, 2026
    risk 0.38cvss epss 0.00

    ### Summary The terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal…

  • CVE-2026-52797higJun 16, 2026
    risk 0.38cvss epss 0.00

    **Vulnerability type:** Path Traversal **Impact:** DoS **Exploitation prerequisite:** authorized user **Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed…