VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Base · Stable · Likelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 42 of 275
  • CVE-2026-44307 · High · May 12, 2026
    risk 0.50 · cvss · epss 0.01

    Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads…

  • CVE-2026-43888 · High · May 11, 2026
    risk 0.50 · cvss 8.7 · epss 0.00

    Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When…

  • CVE-2026-42605 · High · May 9, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with…

  • CVE-2026-42275 · High · May 8, 2026
    risk 0.50 · cvss 8.7 · epss 0.00

    zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared…

  • CVE-2026-40076 · High · May 6, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic…

  • CVE-2026-7875 · High · May 6, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted…

  • CVE-2026-35397 · High · May 5, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the…

  • CVE-2026-40909 · High · Apr 21, 2026
    risk 0.50 · cvss 8.7 · epss 0.01

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then…

  • CVE-2026-40876 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail…

  • CVE-2026-40611 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../…

  • CVE-2026-3464 · High · Apr 17, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role…

  • CVE-2025-14868 · High · Apr 16, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action…

  • CVE-2026-34619 · High · Apr 14, 2026
    risk 0.50 · cvss 7.7 · epss 0.09

    ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized…

  • CVE-2026-40157 · High · Apr 10, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output…

  • CVE-2026-39981 · High · Apr 9, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences…

  • CVE-2026-3243 · High · Apr 8, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2026-35214 · High · Apr 3, 2026
    risk 0.50 · cvss 8.7 · epss 0.01

    Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder…

  • CVE-2026-34728 · High · Apr 2, 2026
    risk 0.50 · cvss 8.7 · epss 0.01

    phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload…

  • CVE-2026-33686 · High · Mar 26, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.…

  • CVE-2025-67030 · High · Mar 25, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code