CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 224 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32274 | 0.00 | — | 0.01 | Mar 12, 2026 | Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker… | |||
| CVE-2026-32232 | — | 0.00 | — | 0.01 | Mar 12, 2026 | ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6. | ||
| CVE-2026-32116 | 0.00 | — | 0.00 | Mar 12, 2026 | Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys… | |||
| CVE-2026-28791 | — | 0.00 | — | 0.00 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path… | ||
| CVE-2026-28793 | — | 0.00 | — | 0.00 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When… | ||
| CVE-2026-28792 | — | 0.00 | — | 0.01 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote… | ||
| CVE-2026-24125 | — | 0.00 | — | 0.00 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the… | ||
| CVE-2026-32061 | 0.00 | — | 0.00 | Mar 11, 2026 | OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying… | |||
| CVE-2026-32060 | 0.00 | — | 0.01 | Mar 11, 2026 | OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted… | |||
| CVE-2026-31817 | 0.00 | — | 0.01 | Mar 10, 2026 | OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied… | |||
| CVE-2026-30952 | 0.00 | — | 0.01 | Mar 10, 2026 | liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials:… | |||
| CVE-2026-23907 | — | 0.00 | — | 0.01 | Mar 10, 2026 | This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from … | ||
| CVE-2026-30869 | 0.00 | — | 0.01 | Mar 9, 2026 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive… | |||
| CVE-2026-31802 | 0.00 | — | 0.00 | Mar 9, 2026 | node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd… | |||
| CVE-2026-30848 | 0.00 | — | 0.00 | Mar 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files… | |||
| CVE-2026-29786 | 0.00 | — | 0.00 | Mar 7, 2026 | node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal… | |||
| CVE-2026-29780 | — | 0.00 | — | 0.00 | Mar 7, 2026 | eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal… | ||
| CVE-2026-29790 | — | 0.00 | — | 0.00 | Mar 6, 2026 | dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses… | ||
| CVE-2026-29064 | — | 0.00 | — | 0.00 | Mar 6, 2026 | Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling… | ||
| CVE-2026-29065 | 0.00 | — | 0.01 | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version… |
- CVE-2026-32274Mar 12, 2026risk 0.00cvss —epss 0.01
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker…
- CVE-2026-32232Mar 12, 2026risk 0.00cvss —epss 0.01
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6.
- CVE-2026-32116Mar 12, 2026risk 0.00cvss —epss 0.00
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys…
- CVE-2026-28791Mar 12, 2026risk 0.00cvss —epss 0.00
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path…
- CVE-2026-28793Mar 12, 2026risk 0.00cvss —epss 0.00
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When…
- CVE-2026-28792Mar 12, 2026risk 0.00cvss —epss 0.01
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote…
- CVE-2026-24125Mar 12, 2026risk 0.00cvss —epss 0.00
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the…
- CVE-2026-32061Mar 11, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying…
- CVE-2026-32060Mar 11, 2026risk 0.00cvss —epss 0.01
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted…
- CVE-2026-31817Mar 10, 2026risk 0.00cvss —epss 0.01
OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied…
- CVE-2026-30952Mar 10, 2026risk 0.00cvss —epss 0.01
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials:…
- CVE-2026-23907Mar 10, 2026risk 0.00cvss —epss 0.01
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from …
- CVE-2026-30869Mar 9, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive…
- CVE-2026-31802Mar 9, 2026risk 0.00cvss —epss 0.00
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd…
- CVE-2026-30848Mar 7, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files…
- CVE-2026-29786Mar 7, 2026risk 0.00cvss —epss 0.00
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal…
- CVE-2026-29780Mar 7, 2026risk 0.00cvss —epss 0.00
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal…
- CVE-2026-29790Mar 6, 2026risk 0.00cvss —epss 0.00
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses…
- CVE-2026-29064Mar 6, 2026risk 0.00cvss —epss 0.00
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling…
- CVE-2026-29065Mar 6, 2026risk 0.00cvss —epss 0.01
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version…