CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
BaseStableLikelihood: High
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (3,079)
page 2 of 154| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-4524 | Cri | 0.68 | 9.8 | 0.14 | May 21, 2025 | The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |
| CVE-2012-6664 | Cri | 0.68 | 9.1 | 0.73 | Jun 21, 2024 | Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via a .. (dot dot) in the (1) get or (2) put commands. | |
| CVE-2024-27954 | Cri | 0.68 | 9.3 | 0.93 | May 17, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery.This issue affects Automatic: from n/a through 3.92.0. | |
| CVE-2017-12637 | Hig | 0.68 | 7.5 | 0.93 | KEV | Aug 7, 2017 | Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. |
| CVE-2006-7079 | Cri | 0.68 | 9.8 | 0.15 | Mar 2, 2007 | Variable extraction vulnerability in include/common.php in exV2 2.0.4.3 and earlier allows remote attackers to overwrite arbitrary program variables and conduct directory traversal attacks to execute arbitrary code by modifying the $xoopsOption['pagetype'] variable. | |
| CVE-2024-27173 | Cri | 0.67 | 9.8 | 0.45 | Jun 14, 2024 | Remote Command program allows an attacker to get Remote Code Execution by overwriting existing Python files containing executable code. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL. | |
| CVE-2009-4581 | Cri | 0.67 | 9.8 | 0.05 | Jan 6, 2010 | Directory traversal vulnerability in modules/admincp.php in RoseOnlineCMS 3 B1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the admin parameter. | |
| CVE-2009-1936 | Cri | 0.67 | 9.8 | 0.08 | Jun 5, 2009 | _functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, execute arbitrary PHP code, or read arbitrary files via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500. | |
| CVE-2025-34126 | Hig | 0.66 | — | 0.83 | Jul 16, 2025 | A path traversal vulnerability exists in RIPS Scanner version 0.54. The vulnerability allows remote attackers to read arbitrary files on the system with the privileges of the web server by sending crafted HTTP GET requests to the 'windows/code.php' script with a manipulated 'file' parameter. This can lead to disclosure of sensitive information. | |
| CVE-2024-34313 | Cri | 0.66 | 9.8 | 0.25 | Jun 24, 2024 | An issue in VPL Jail System up to v4.0.2 allows attackers to execute a directory traversal via a crafted request to a public endpoint. | |
| CVE-2015-0666 | Hig | 0.66 | 7.5 | 0.60 | KEV | Apr 3, 2015 | Directory traversal vulnerability in the fmserver servlet in Cisco Prime Data Center Network Manager (DCNM) before 7.1(1) allows remote attackers to read arbitrary files via a crafted pathname, aka Bug ID CSCus00241. |
| CVE-2026-7411 | Cri | 0.65 | 10.0 | 0.00 | May 5, 2026 | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise. | |
| CVE-2026-36767 | Cri | 0.65 | 10.0 | 0.00 | Apr 30, 2026 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request. | |
| CVE-2026-41211 | Cri | 0.65 | 10.0 | 0.00 | Apr 23, 2026 | Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch. | |
| CVE-2026-39861 | Cri | 0.65 | 10.0 | 0.00 | Apr 21, 2026 | Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later. | |
| CVE-2026-22557 | Cri | 0.65 | 10.0 | 0.00 | Mar 19, 2026 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account. | |
| CVE-2026-2731 | Cri | 0.65 | — | 0.00 | Feb 19, 2026 | Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests | |
| CVE-2025-69770 | Cri | 0.65 | 10.0 | 0.00 | Feb 13, 2026 | A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a crafted zip file. | |
| CVE-2025-64075 | Cri | 0.65 | 10.0 | 0.01 | Feb 11, 2026 | A path traversal vulnerability in the check_token function of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to bypass authentication and perform administrative actions by supplying a crafted session cookie value. | |
| CVE-2024-13984 | Cri | 0.65 | — | 0.02 | Aug 27, 2025 | QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC. |