CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 164 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-36113 | — | Med | 0.23 | 4.6 | 0.01 | Sep 14, 2022 | Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the… | |
| CVE-2016-10538 | Low | 0.23 | 3.5 | 0.01 | May 31, 2018 | The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to. | ||
| CVE-2026-9062 | Low | 0.22 | 3.4 | 0.00 | Jun 13, 2026 | The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and… | ||
| CVE-2026-45279 | Med | 0.22 | 4.4 | 0.00 | Jun 1, 2026 | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on… | ||
| CVE-2026-42549 | Med | 0.22 | 4.4 | 0.00 | May 13, 2026 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by… | ||
| CVE-2026-41656 | Med | 0.22 | 4.5 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with… | ||
| CVE-2026-29051 | Med | 0.22 | 4.4 | 0.00 | Apr 24, 2026 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining… | ||
| CVE-2026-35206 | Med | 0.22 | 4.4 | 0.00 | Apr 9, 2026 | Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working… | ||
| CVE-2026-34726 | Med | 0.22 | 4.4 | 0.00 | Apr 2, 2026 | Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it… | ||
| CVE-2025-13698 | Med | 0.22 | 4.5 | 0.00 | Dec 23, 2025 | Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this… | ||
| CVE-2025-24889 | Med | 0.22 | 4.5 | 0.00 | Feb 13, 2025 | The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to versions 0.14.1 and 1.0.1, an attacker who has already gained code execution in a virtual machine on the SecureDrop… | ||
| CVE-2024-6971 | — | Med | 0.22 | 4.4 | 0.00 | Oct 11, 2024 | A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as… | |
| CVE-2024-23897 | Cri | 0.22 | 9.8 | 1.00 | KEV | Jan 24, 2024 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins… | |
| CVE-2023-6160 | Low | 0.22 | 3.3 | 0.01 | Nov 22, 2023 | The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 7.4.2 via the maybe_serve_export function. This makes it possible for authenticated attackers, with administrator or LMS manager… | ||
| CVE-2023-30852 | Med | 0.22 | 4.4 | 0.01 | Apr 27, 2023 | Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and… | ||
| CVE-2022-4772 | — | Med | 0.22 | 4.5 | 0.00 | Dec 27, 2022 | A vulnerability was found in Widoco and classified as critical. Affected by this issue is the function unZipIt of the file src/main/java/widoco/WidocoUtils.java. The manipulation leads to path traversal. It is possible to launch the attack on the local host. The name of the… | |
| CVE-2021-44111 | Med | 0.22 | 4.4 | 0.00 | Feb 11, 2022 | A Directory Traversal vulnerability exists in S-Cart 6.7 via download in sc-admin/backup. | ||
| CVE-2021-43840 | — | Med | 0.22 | 4.4 | 0.02 | Dec 17, 2021 | message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine… | |
| CVE-2018-0660 | — | Low | 0.22 | 3.3 | 0.01 | Sep 7, 2018 | Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file. | |
| CVE-2026-49497 | Low | 0.21 | 3.3 | 0.00 | Jun 10, 2026 | Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem… |
- risk 0.23cvss 4.6epss 0.01
Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the…
- risk 0.23cvss 3.5epss 0.01
The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.
- risk 0.22cvss 3.4epss 0.00
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and…
- risk 0.22cvss 4.4epss 0.00
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on…
- risk 0.22cvss 4.4epss 0.00
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by…
- risk 0.22cvss 4.5epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with…
- risk 0.22cvss 4.4epss 0.00
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining…
- risk 0.22cvss 4.4epss 0.00
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working…
- risk 0.22cvss 4.4epss 0.00
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it…
- risk 0.22cvss 4.5epss 0.00
Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this…
- risk 0.22cvss 4.5epss 0.00
The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to versions 0.14.1 and 1.0.1, an attacker who has already gained code execution in a virtual machine on the SecureDrop…
- risk 0.22cvss 4.4epss 0.00
A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as…
- risk 0.22cvss 9.8epss 1.00
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins…
- risk 0.22cvss 3.3epss 0.01
The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 7.4.2 via the maybe_serve_export function. This makes it possible for authenticated attackers, with administrator or LMS manager…
- risk 0.22cvss 4.4epss 0.01
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and…
- risk 0.22cvss 4.5epss 0.00
A vulnerability was found in Widoco and classified as critical. Affected by this issue is the function unZipIt of the file src/main/java/widoco/WidocoUtils.java. The manipulation leads to path traversal. It is possible to launch the attack on the local host. The name of the…
- risk 0.22cvss 4.4epss 0.00
A Directory Traversal vulnerability exists in S-Cart 6.7 via download in sc-admin/backup.
- risk 0.22cvss 4.4epss 0.02
message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine…
- risk 0.22cvss 3.3epss 0.01
Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file.
- risk 0.21cvss 3.3epss 0.00
Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem…