VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 44 of 275
  • CVE-2025-24765HigJun 27, 2025
    risk 0.50cvss 7.7epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RobMarsh Image Shadow image-shadow allows Path Traversal.This issue affects Image Shadow: from n/a through <= 1.1.0.

  • CVE-2025-37100HigJun 10, 2025
    risk 0.50cvss 7.7epss 0.00

    A vulnerability in the APIs of HPE Aruba Networking Private 5G Core could potentially expose sensitive information to unauthorized users. A successful exploitation could allow an attacker to iteratively navigate through the filesystem and ultimately download protected system…

  • CVE-2025-48387HigJun 2, 2025
    risk 0.50cvss epss 0.00

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore…

  • CVE-2025-31053HigMay 23, 2025
    risk 0.50cvss 7.7epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Path Traversal.This issue affects KBx Pro Ultimate: from n/a through < 8.0.5.

  • CVE-2025-3424HigApr 7, 2025
    risk 0.50cvss epss 0.00

    The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from the exploitation of port 755 through the "Object Marshalling" technique, which allows an attacker to read internal files without any authentication. This is possible…

  • CVE-2025-26540HigMar 3, 2025
    risk 0.50cvss 7.7epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal.This issue affects Helloprint: from n/a through <= 2.0.7.

  • CVE-2025-25284HigFeb 18, 2025
    risk 0.50cvss epss 0.01

    The ZOO-Project is an open source processing platform, released under MIT/X11 Licence. A vulnerability in ZOO-Project's WPS (Web Processing Service) implementation allows unauthorized access to files outside the intended directory through path traversal. Specifically, the…

  • CVE-2025-25295HigFeb 14, 2025
    risk 0.50cvss epss 0.01

    Label Studio is an open source data labeling tool. A path traversal vulnerability in Label Studio SDK versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. The flaw exists in the VOC, COCO and YOLO export functionalities. These…

  • CVE-2025-24960HigFeb 3, 2025
    risk 0.50cvss 8.7epss 0.01

    Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse.…

  • CVE-2024-54374HigDec 16, 2024
    risk 0.50cvss 7.5epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Sabri Sogrid sogrid allows PHP Local File Inclusion.This issue affects Sogrid: from n/a through <= 1.5.6.

  • CVE-2024-37108HigNov 1, 2024
    risk 0.50cvss 7.7epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WishList Products WishList Member X allows Path Traversal.This issue affects WishList Member X: from n/a through 3.26.6.

  • CVE-2024-48735HigOct 30, 2024
    risk 0.50cvss 7.7epss 0.01

    Directory Traversal in /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath} in SAS Studio 9.4 allows remote attacker to access internal files by manipulating default path during file download. NOTE: this is disputed by the vendor because these filesystem paths are…

  • CVE-2024-47637HigOct 16, 2024
    risk 0.50cvss 8.8epss 0.01

    Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Path Traversal.This issue affects LiteSpeed Cache: from n/a through <= 6.4.1.

  • CVE-2024-37728HigSep 10, 2024
    risk 0.50cvss 7.5epss 0.02

    Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface

  • CVE-2023-30584HigSep 7, 2024
    risk 0.50cvss 7.7epss 0.00

    A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission…

  • CVE-2020-24102HigJul 22, 2024
    risk 0.50cvss 7.6epss 0.01

    Directory Traversal vulnerability in Punkbuster pbsv.d64 2.351, allows remote attackers to execute arbitrary code.

  • CVE-2024-37497HigJul 9, 2024
    risk 0.50cvss 7.7epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetThemeCore jet-theme-core.This issue affects JetThemeCore: from n/a through < 2.2.1.

  • CVE-2024-5349HigJul 2, 2024
    risk 0.50cvss 8.8epss 0.01

    The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the 'map_style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include…

  • CVE-2024-38449HigJun 17, 2024
    risk 0.50cvss 7.7epss 0.01

    A Directory Traversal vulnerability in KasmVNC 1.3.1.230e50f7b89663316c70de7b0e3db6f6b9340489 and possibly earlier versions allows remote authenticated attackers to browse parent directories and read the content of files outside the scope of the application.

  • CVE-2024-32703HigJun 9, 2024
    risk 0.50cvss 7.7epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in reputeinfosystems ARForms arforms.This issue affects ARForms: from n/a through <= 6.4.