VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 3 of 275
  • CVE-2017-17739CriDec 18, 2017
    risk 0.68cvss 9.8epss 0.12

    The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files.

  • CVE-2015-8352CriAug 24, 2017
    risk 0.68cvss 9.8epss 0.16

    Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.

  • CVE-2017-12637HigKEVAug 7, 2017
    risk 0.68cvss 7.5epss 0.95

    Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security…

  • CVE-2017-7462CriApr 11, 2017
    risk 0.68cvss 9.8epss 0.13

    Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a remote attacker access to a vendor-supplied CGI script in the web directory.

  • CVE-2006-7079CriMar 2, 2007
    risk 0.68cvss 9.8epss 0.13

    Variable extraction vulnerability in include/common.php in exV2 2.0.4.3 and earlier allows remote attackers to overwrite arbitrary program variables and conduct directory traversal attacks to execute arbitrary code by modifying the $xoopsOption['pagetype'] variable.

  • CVE-2024-27173CriJun 14, 2024
    risk 0.67cvss 9.8epss 0.03

    Remote Command program allows an attacker to get Remote Code Execution by overwriting existing Python files containing executable code. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this…

  • CVE-2016-3976HigKEVApr 7, 2016
    risk 0.67cvss 7.5epss 0.47

    Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.

  • CVE-2009-4581CriJan 6, 2010
    risk 0.67cvss 9.8epss 0.05

    Directory traversal vulnerability in modules/admincp.php in RoseOnlineCMS 3 B1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the admin parameter.

  • CVE-2025-34126HigJul 16, 2025
    risk 0.66cvss epss 0.01

    A path traversal vulnerability exists in RIPS Scanner version 0.54. The vulnerability allows remote attackers to read arbitrary files on the system with the privileges of the web server by sending crafted HTTP GET requests to the 'windows/code.php' script with a manipulated…

  • CVE-2024-34313CriJun 24, 2024
    risk 0.66cvss 9.8epss 0.01

    An issue in VPL Jail System up to v4.0.2 allows attackers to execute a directory traversal via a crafted request to a public endpoint.

  • CVE-2018-2380MedKEVMar 1, 2018
    risk 0.66cvss 6.6epss 0.29

    SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

  • CVE-2017-8947CriFeb 15, 2018
    risk 0.66cvss 9.8epss 0.30

    A Remote Code Execution vulnerability in HPE UCMDB version v10.10, v10.11, v10.20, v10.21, v10.22, v10.30, v10.31 was found.

  • CVE-2014-5301HigAug 28, 2017
    risk 0.66cvss 8.8epss 0.78

    Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4.

  • CVE-2017-11389CriAug 2, 2017
    risk 0.66cvss 9.8epss 0.27

    Directory traversal vulnerability in Trend Micro Control Manager 6.0 allows remote code execution by attackers able to drop arbitrary files in a web-facing directory. Formerly ZDI-CAN-4684.

  • CVE-2017-7577CriApr 7, 2017
    risk 0.66cvss 9.8epss 0.29

    XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.

  • CVE-2007-4559CriAug 28, 2007
    risk 0.66cvss 9.8epss 0.27

    Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

  • CVE-2026-11429CriJun 5, 2026
    risk 0.65cvss epss 0.01

    Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any…

  • CVE-2026-7411CriMay 5, 2026
    risk 0.65cvss 10.0epss 0.04

    In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload…

  • CVE-2026-36767CriApr 30, 2026
    risk 0.65cvss 10.0epss 0.00

    A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.

  • CVE-2026-41211CriApr 23, 2026
    risk 0.65cvss 10.0epss 0.00

    Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the…