CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
Page 23 of 275

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-26752 | | High | 0.56 | 8.6 | 0.01 | | Feb 25, 2025 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Path Traversal. This issue affects Broadcast Live Video: from n/a through <= 6.2. |
| CVE-2025-22663 | | High | 0.56 | 8.6 | 0.01 | | Feb 18, 2025 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Path Traversal. This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.2.12. |
| CVE-2025-25243 | | High | 0.56 | 8.6 | 0.01 | | Feb 11, 2025 | SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact… |
| CVE-2024-12849 | | High | 0.56 | 7.5 | 0.47 | | Jan 7, 2025 | The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary… |
| CVE-2024-9935 | | High | 0.56 | 7.5 | 0.07 | | Nov 16, 2024 | The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary… |
| CVE-2024-52371 | | High | 0.56 | 8.6 | 0.01 | | Nov 14, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DonnellC Global Gateway e4 \| Payeezy Gateway \| globe-gateway-e4. This issue affects Global Gateway e4 \| Payeezy Gateway \|: from n/a through <= 2.0. |
| CVE-2024-49315 | | High | 0.56 | 8.6 | 0.01 | | Oct 17, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CodeFlock FREE DOWNLOAD MANAGER free-download-manager allows Path Traversal. This issue affects FREE DOWNLOAD MANAGER: from n/a through <= 1.0.0. |
| CVE-2024-45241 | | High | 0.56 | 7.5 | 0.14 | | Aug 26, 2024 | A traversal vulnerability in GeneralDocs.aspx in CentralSquare CryWolf (False Alarm Management) through 2024-08-09 allows unauthenticated attackers to read files outside of the working web directory via the rpt parameter, leading to the disclosure of sensitive information. |
| CVE-2024-41628 | | High | 0.56 | 7.5 | 0.06 | | Jul 26, 2024 | Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API. |
| CVE-2024-37932 | | High | 0.56 | 8.6 | 0.01 | | Jul 12, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in anhvnit Woocommerce OpenPos allows File Manipulation. This issue affects Woocommerce OpenPos: from n/a through 6.4.4. |
| CVE-2024-37928 | | High | 0.56 | 8.6 | 0.01 | | Jul 12, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NooTheme Jobmonster allows File Manipulation. This issue affects Jobmonster: from n/a through 4.7.0. |
| CVE-2024-6085 | | High | 0.56 | 8.6 | 0.01 | | Jun 27, 2024 | A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this… |
| CVE-2023-39163 | | High | 0.56 | 8.6 | 0.01 | | May 17, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Shop allows PHP Local File Inclusion. This issue affects Phlox Shop: from n/a through 2.0.0. |
| CVE-2023-38399 | | High | 0.56 | 8.6 | 0.01 | | May 17, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Portfolio allows PHP Local File Inclusion. This issue affects Phlox Portfolio: from n/a through 2.3.1. |
| CVE-2024-32399 | | High | 0.56 | 7.6 | 0.03 | | Apr 22, 2024 | Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component. |
| CVE-2022-31474 | | High | 0.56 | 7.5 | 0.64 | | Mar 13, 2023 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1. |
| CVE-2018-10956 | | High | 0.56 | 7.5 | 0.56 | | Jun 25, 2018 | IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. |
| CVE-2015-1503 | | High | 0.56 | 7.5 | 0.59 | | May 8, 2018 | Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or… |
| CVE-2018-9118 | | High | 0.56 | 7.5 | 0.48 | | Apr 12, 2018 | exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter. |
| CVE-2018-9205 | | High | 0.56 | 7.5 | 0.57 | | Apr 4, 2018 | Vulnerability in avatar_uploader v7.x-1.0-beta8. The code in view.php doesn't verify users or sanitize the file path. |