CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 147 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16819 | Med | 0.32 | 4.9 | 0.01 | Sep 18, 2018 | admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. | ||
| CVE-2018-16831 | — | Med | 0.32 | 5.9 | 0.03 | Sep 11, 2018 | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an include statement. | |
| CVE-2018-16437 | Med | 0.32 | 4.9 | 0.02 | Sep 5, 2018 | Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator. | ||
| CVE-2018-15536 | Med | 0.32 | 5.5 | 0.06 | Aug 24, 2018 | /filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal. | ||
| CVE-2018-4861 | — | Med | 0.32 | 4.9 | 0.02 | Jun 26, 2018 | A vulnerability has been identified in SCALANCE M875 (All versions). An authenticated remote attacker with access to the web interface (443/tcp), could potentially read and download arbitrary files from the device's file system. Successful exploitation requires that the attacker… | |
| CVE-2016-10528 | — | Med | 0.32 | 4.9 | 0.01 | May 31, 2018 | restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified. | |
| CVE-2018-11495 | — | Med | 0.32 | 4.9 | 0.02 | May 26, 2018 | OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php. | |
| CVE-2017-16759 | Med | 0.32 | 5.9 | 0.02 | Nov 9, 2017 | The installation process in LibreNMS before 2017-08-18 allows remote attackers to read arbitrary files, related to html/install.php. | ||
| CVE-2017-10841 | Med | 0.32 | 4.9 | 0.02 | Aug 29, 2017 | Directory traversal vulnerability in WebCalendar 1.2.7 and earlier allows authenticated attackers to read arbitrary files via unspecified vectors. | ||
| CVE-2017-11440 | Med | 0.32 | 4.9 | 0.02 | Jul 19, 2017 | In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter. | ||
| CVE-2017-8003 | Med | 0.32 | 4.9 | 0.03 | Jul 9, 2017 | EMC Data Protection Advisor prior to 6.4 contains a path traversal vulnerability. A remote authenticated high privileged user may potentially exploit this vulnerability to access unauthorized information from the underlying OS server by supplying specially crafted strings in… | ||
| CVE-2017-5966 | Med | 0.32 | 4.9 | 0.02 | May 23, 2017 | Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter. | ||
| CVE-2017-2117 | Med | 0.32 | 4.9 | 0.02 | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors. | ||
| CVE-2016-7135 | Med | 0.32 | 4.9 | 0.03 | Mar 7, 2017 | Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. | ||
| CVE-2016-5092 | Med | 0.32 | 4.9 | 0.02 | Jul 13, 2016 | Directory traversal vulnerability in Fortinet FortiWeb before 5.5.3 allows remote authenticated administrators with read and write privileges to read arbitrary files by leveraging the autolearn feature. | ||
| CVE-2026-0270 | Med | 0.31 | — | 0.00 | Jun 10, 2026 | A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write… | ||
| CVE-2026-52756 | Med | 0.31 | 4.8 | 0.00 | Jun 10, 2026 | Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send… | ||
| CVE-2026-52902 | Med | 0.31 | 4.7 | 0.00 | Jun 9, 2026 | A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it… | ||
| CVE-2026-44837 | Med | 0.31 | 5.9 | 0.00 | May 26, 2026 | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the… | ||
| CVE-2026-41389 | Med | 0.31 | 5.8 | 0.00 | Apr 20, 2026 | OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access,… |
- risk 0.32cvss 4.9epss 0.01
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
- risk 0.32cvss 5.9epss 0.03
Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an include statement.
- risk 0.32cvss 4.9epss 0.02
Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator.
- risk 0.32cvss 5.5epss 0.06
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal.
- risk 0.32cvss 4.9epss 0.02
A vulnerability has been identified in SCALANCE M875 (All versions). An authenticated remote attacker with access to the web interface (443/tcp), could potentially read and download arbitrary files from the device's file system. Successful exploitation requires that the attacker…
- risk 0.32cvss 4.9epss 0.01
restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified.
- risk 0.32cvss 4.9epss 0.02
OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php.
- risk 0.32cvss 5.9epss 0.02
The installation process in LibreNMS before 2017-08-18 allows remote attackers to read arbitrary files, related to html/install.php.
- risk 0.32cvss 4.9epss 0.02
Directory traversal vulnerability in WebCalendar 1.2.7 and earlier allows authenticated attackers to read arbitrary files via unspecified vectors.
- risk 0.32cvss 4.9epss 0.02
In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.
- risk 0.32cvss 4.9epss 0.03
EMC Data Protection Advisor prior to 6.4 contains a path traversal vulnerability. A remote authenticated high privileged user may potentially exploit this vulnerability to access unauthorized information from the underlying OS server by supplying specially crafted strings in…
- risk 0.32cvss 4.9epss 0.02
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter.
- risk 0.32cvss 4.9epss 0.02
Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors.
- risk 0.32cvss 4.9epss 0.03
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.
- risk 0.32cvss 4.9epss 0.02
Directory traversal vulnerability in Fortinet FortiWeb before 5.5.3 allows remote authenticated administrators with read and write privileges to read arbitrary files by leveraging the autolearn feature.
- risk 0.31cvss —epss 0.00
A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write…
- risk 0.31cvss 4.8epss 0.00
Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send…
- risk 0.31cvss 4.7epss 0.00
A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it…
- risk 0.31cvss 5.9epss 0.00
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the…
- risk 0.31cvss 5.8epss 0.00
OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access,…