CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 39 of 275

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-52755 | — | High | 0.51 | 7.8 | 0.00 | | Jun 10, 2026 | Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code… |
| CVE-2026-52752 | — | High | 0.51 | 7.8 | 0.00 | | Jun 10, 2026 | Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended… |
| CVE-2026-22926 | — | High | 0.51 | 7.8 | 0.00 | | Jun 9, 2026 | Omnissa Workspace ONE® Assist for macOS contains a Local Privilege Escalation Vulnerability. |
| CVE-2026-50207 | — | High | 0.51 | 7.8 | 0.00 | | Jun 4, 2026 | The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity. |
| CVE-2026-7474 | — | High | 0.51 | 8.8 | 0.07 | | May 12, 2026 | HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11. |
| CVE-2026-28915 | — | High | 0.51 | 7.8 | 0.00 | | May 11, 2026 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges. |
| CVE-2026-29059 | — | High | 0.51 | 7.5 | 0.03 | | Mar 6, 2026 | Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/(unknown))".… |
| CVE-2026-3223 | — | High | 0.51 | 7.8 | 0.00 | | Feb 27, 2026 | Arbitrary file write & potential privilege escalation exploiting zip slip vulnerability in Google Web Designer. |
| CVE-2026-1557 | — | High | 0.51 | 7.5 | 0.02 | | Feb 26, 2026 | The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain… |
| CVE-2026-20615 | — | High | 0.51 | 7.8 | 0.00 | | Feb 11, 2026 | A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. An app may be able to gain root privileges. |
| CVE-2026-20614 | — | High | 0.51 | 7.8 | 0.00 | | Feb 11, 2026 | A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to gain root privileges. |
| CVE-2026-0651 | — | High | 0.51 | 7.8 | 0.00 | | Feb 10, 2026 | A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server’s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization… |
| CVE-2025-68143 | — | High | 0.51 | 8.8 | 0.08 | | Dec 17, 2025 | Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target… |
| CVE-2025-12060 | — | High | 0.51 | — | 0.01 | | Oct 30, 2025 | The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive… |
| CVE-2025-12055 | — | High | 0.51 | 7.5 | 0.04 | | Oct 27, 2025 | HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system.… |
| CVE-2025-3718 | — | High | 0.51 | 7.9 | 0.00 | | Oct 7, 2025 | A client-side path traversal vulnerability was discovered in the web management interface front-end due to missing validation of an input parameter. An authenticated user with limited privileges can craft a malicious URL which, if visited by an authenticated victim, leads to a… |
| CVE-2024-56179 | — | High | 0.51 | 7.8 | 0.00 | | Aug 22, 2025 | In MindManager Windows versions prior to 24.1.150, attackers could potentially write to unexpected directories in victims' machines via directory traversal if victims opened file attachments located in malicious mmap files. |
| CVE-2025-8941 | — | High | 0.51 | 7.8 | 0.00 | | Aug 13, 2025 | A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020. |
| CVE-2025-6020 | — | High | 0.51 | 7.8 | 0.00 | | Jun 17, 2025 | A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions. |
| CVE-2024-9362 | — | High | 0.51 | 7.5 | 0.04 | | Mar 20, 2025 | An unauthenticated directory traversal vulnerability exists in Polyaxon, affecting the latest version. This vulnerability allows an attacker to retrieve directory information and file contents from the server without proper authorization, leading to sensitive information… |