VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

  • CVE-2026-12567 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an…

  • CVE-2026-12565 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the…

  • CVE-2026-53872 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.01

    picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like…

  • CVE-2026-54014 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete `startswith` containment check that lacks a…

  • CVE-2026-50203 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.01

    A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is…

  • CVE-2025-26240 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

  • CVE-2026-49406 · Jun 16, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: When Deno was run in BYONM mode (`nodeModulesDir: "manual"`), the module resolver did not validate that a package's resolved entrypoint stayed within its `node_modules//` directory. A malicious `package.json` whose `main` field contained `..` segments was able…

  • CVE-2026-49465 · Jun 16, 2026
    risk 0.00 · cvss · epss 0.01

    Impact: An authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push operation, bypassing the `N8N_RESTRICT_FILE_ACCESS_TO` file…

  • CVE-2026-42867 · Jun 16, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated…

  • CVE-2026-54286 · Jun 16, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: On Windows hosts, an encoded backslash (`%5C`) in the request path decodes to `\`, which the Windows path resolver treats as a separator. `serve-static` then resolves a single URL segment such as `admin\secret.txt` into a nested file under the root and serves it,…

  • CVE-2026-49356 · low · Jun 15, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: Using `@babel/core` to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code…

  • CVE-2026-54093 · Jun 12, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: filebrowser builds the download-as-zip / download-as-tar archive entry names with `filepath.ToSlash`, which on a Linux host is a no-op for backslashes (`\` is only a path separator on Windows). A file whose name contains Windows-style traversal (`..\..\..\evil.txt`)…

  • CVE-2026-54094 · Jun 12, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: File Browser enforces per-user scope with `afero.NewBasePathFs(afero.NewOsFs(), scope)`, set up in `users/users.go`. This blocks lexical `../` traversal, but it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share,…

  • CVE-2026-48049 · Jun 11, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: `@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the…

  • CVE-2026-47385 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. Details: The SQLite client and the base/integration create services accepted a…

  • CVE-2026-45723 · low · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: `managementServer.CreateSchematic` (`internal/backend/grpc/schematics.go`) passes the caller-controlled `TalosVersion` field directly to `imageFactoryClient.OverlaysVersions`, which embeds it verbatim into a `fmt.Sprintf("/version/%s/overlays/official",…

  • CVE-2026-47215 · Jun 4, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: The `limit container paths` directive in `singularity.conf` is intended to allow a system administrator to limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may…

  • CVE-2026-44022 · Jun 3, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: The LaTeX backend's handling of `\includegraphics`, `\input`, and `\include` commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences (e.g., `../../../etc/passwd`) to: - Read arbitrary files from the…

  • CVE-2026-47425 · Jun 1, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: `EntryPoint::FromStr` in `rattler_conda_types` performs only `.trim()` on the `command` field before the linker joins it onto the install prefix and writes an executable Python script. A malicious `noarch:python` package can ship an `info/link.json` with an…

  • CVE-2026-47121 · May 29, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: Binary delta apply intermediate-symlink traversal in malicious .delta `Autoupdate/SUBinaryDeltaApply.m` enforces `relativePath.pathComponents containsObject:@".."` and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect…