VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 164 of 275
  • CVE-2022-36113MedSep 14, 2022
    risk 0.23cvss 4.6epss 0.01

    Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the…

  • CVE-2016-10538LowMay 31, 2018
    risk 0.23cvss 3.5epss 0.01

    The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

  • CVE-2026-9062LowJun 13, 2026
    risk 0.22cvss 3.4epss 0.00

    The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and…

  • CVE-2026-45279MedJun 1, 2026
    risk 0.22cvss 4.4epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on…

  • CVE-2026-42549MedMay 13, 2026
    risk 0.22cvss 4.4epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by…

  • CVE-2026-41656MedMay 7, 2026
    risk 0.22cvss 4.5epss 0.00

    Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with…

  • CVE-2026-29051MedApr 24, 2026
    risk 0.22cvss 4.4epss 0.00

    melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining…

  • CVE-2026-35206MedApr 9, 2026
    risk 0.22cvss 4.4epss 0.00

    Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working…

  • CVE-2026-34726MedApr 2, 2026
    risk 0.22cvss 4.4epss 0.00

    Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it…

  • CVE-2025-13698MedDec 23, 2025
    risk 0.22cvss 4.5epss 0.00

    Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this…

  • CVE-2025-24889MedFeb 13, 2025
    risk 0.22cvss 4.5epss 0.00

    The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to versions 0.14.1 and 1.0.1, an attacker who has already gained code execution in a virtual machine on the SecureDrop…

  • CVE-2024-6971MedOct 11, 2024
    risk 0.22cvss 4.4epss 0.00

    A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as…

  • CVE-2024-23897CriKEVJan 24, 2024
    risk 0.22cvss 9.8epss 1.00

    Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins…

  • CVE-2023-6160LowNov 22, 2023
    risk 0.22cvss 3.3epss 0.01

    The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 7.4.2 via the maybe_serve_export function. This makes it possible for authenticated attackers, with administrator or LMS manager…

  • CVE-2023-30852MedApr 27, 2023
    risk 0.22cvss 4.4epss 0.01

    Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and…

  • CVE-2022-4772MedDec 27, 2022
    risk 0.22cvss 4.5epss 0.00

    A vulnerability was found in Widoco and classified as critical. Affected by this issue is the function unZipIt of the file src/main/java/widoco/WidocoUtils.java. The manipulation leads to path traversal. It is possible to launch the attack on the local host. The name of the…

  • CVE-2021-44111MedFeb 11, 2022
    risk 0.22cvss 4.4epss 0.00

    A Directory Traversal vulnerability exists in S-Cart 6.7 via download in sc-admin/backup.

  • CVE-2021-43840MedDec 17, 2021
    risk 0.22cvss 4.4epss 0.02

    message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine…

  • CVE-2018-0660LowSep 7, 2018
    risk 0.22cvss 3.3epss 0.01

    Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file.

  • CVE-2026-49497LowJun 10, 2026
    risk 0.21cvss 3.3epss 0.00

    Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem…