VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 82 of 275
  • CVE-2018-1000623HigJul 9, 2018
    risk 0.47cvss 7.2epss 0.03

    JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability in The "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint…

  • CVE-2018-0300HigJun 21, 2018
    risk 0.47cvss 7.2epss 0.07

    A vulnerability in the process of uploading new application images to Cisco FXOS on the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance could allow an authenticated, remote attacker using path traversal techniques to create or…

  • CVE-2018-11341HigMay 22, 2018
    risk 0.47cvss 7.2epss 0.02

    Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.

  • CVE-2018-1204MedMar 26, 2018
    risk 0.47cvss 6.7epss 0.02

    Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious compadmin may potentially exploit this vulnerability…

  • CVE-2018-7486HigFeb 26, 2018
    risk 0.47cvss 7.2epss 0.03

    Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m]…

  • CVE-2017-16788HigDec 15, 2017
    risk 0.47cvss 7.2epss 0.04

    Directory traversal vulnerability in the "Upload Groupkey" functionality in the Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote authenticated users with Admin-User access to write to arbitrary files and consequently gain root…

  • CVE-2017-0901HigAug 31, 2017
    risk 0.47cvss 7.5epss 0.29

    RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

  • CVE-2015-5468HigMay 23, 2017
    risk 0.47cvss 7.5epss 0.24

    Directory traversal vulnerability in the WP e-Commerce Shop Styling plugin before 2.6 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to includes/download.php.

  • CVE-2017-3980HigMay 18, 2017
    risk 0.47cvss 7.2epss 0.03

    A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session.

  • CVE-2012-5380MedOct 11, 2012
    risk 0.47cvss 6.7epss 0.01

    Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system…

  • CVE-2026-3840HigJun 12, 2026
    risk 0.46cvss 7.1epss 0.00

    A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization.…

  • CVE-2026-49982HigJun 11, 2026
    risk 0.46cvss 8.2epss 0.01

    tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any…

  • CVE-2026-44705HigJun 11, 2026
    risk 0.46cvss 8.2epss 0.00

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal…

  • CVE-2026-53777HigJun 11, 2026
    risk 0.46cvss 8.1epss 0.00

    Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages.…

  • CVE-2026-11816HigJun 11, 2026
    risk 0.46cvss 8.1epss 0.01

    Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current…

  • CVE-2026-40987HigJun 11, 2026
    risk 0.46cvss 7.1epss 0.00

    A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through…

  • CVE-2026-45569HigJun 10, 2026
    risk 0.46cvss 8.1epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This…

  • CVE-2026-11416HigJun 5, 2026
    risk 0.46cvss 8.1epss 0.00

    MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata…

  • CVE-2026-43624HigJun 1, 2026
    risk 0.46cvss 8.2epss 0.00

    F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting…

  • CVE-2026-44973HigMay 28, 2026
    risk 0.46cvss 8.1epss 0.00

    Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base…