CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 82 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000623 | Hig | 0.47 | 7.2 | 0.03 | Jul 9, 2018 | JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability in The "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint… | ||
| CVE-2018-0300 | Hig | 0.47 | 7.2 | 0.07 | Jun 21, 2018 | A vulnerability in the process of uploading new application images to Cisco FXOS on the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance could allow an authenticated, remote attacker using path traversal techniques to create or… | ||
| CVE-2018-11341 | Hig | 0.47 | 7.2 | 0.02 | May 22, 2018 | Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter. | ||
| CVE-2018-1204 | Med | 0.47 | 6.7 | 0.02 | Mar 26, 2018 | Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious compadmin may potentially exploit this vulnerability… | ||
| CVE-2018-7486 | Hig | 0.47 | 7.2 | 0.03 | Feb 26, 2018 | Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m]… | ||
| CVE-2017-16788 | Hig | 0.47 | 7.2 | 0.04 | Dec 15, 2017 | Directory traversal vulnerability in the "Upload Groupkey" functionality in the Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote authenticated users with Admin-User access to write to arbitrary files and consequently gain root… | ||
| CVE-2017-0901 | Hig | 0.47 | 7.5 | 0.29 | Aug 31, 2017 | RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. | ||
| CVE-2015-5468 | Hig | 0.47 | 7.5 | 0.24 | May 23, 2017 | Directory traversal vulnerability in the WP e-Commerce Shop Styling plugin before 2.6 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to includes/download.php. | ||
| CVE-2017-3980 | Hig | 0.47 | 7.2 | 0.03 | May 18, 2017 | A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session. | ||
| CVE-2012-5380 | Med | 0.47 | 6.7 | 0.01 | Oct 11, 2012 | Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system… | ||
| CVE-2026-3840 | Hig | 0.46 | 7.1 | 0.00 | Jun 12, 2026 | A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization.… | ||
| CVE-2026-49982 | Hig | 0.46 | 8.2 | 0.01 | Jun 11, 2026 | tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any… | ||
| CVE-2026-44705 | Hig | 0.46 | 8.2 | 0.00 | Jun 11, 2026 | tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal… | ||
| CVE-2026-53777 | Hig | 0.46 | 8.1 | 0.00 | Jun 11, 2026 | Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages.… | ||
| CVE-2026-11816 | Hig | 0.46 | 8.1 | 0.01 | Jun 11, 2026 | Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current… | ||
| CVE-2026-40987 | Hig | 0.46 | 7.1 | 0.00 | Jun 11, 2026 | A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through… | ||
| CVE-2026-45569 | Hig | 0.46 | 8.1 | 0.00 | Jun 10, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This… | ||
| CVE-2026-11416 | Hig | 0.46 | 8.1 | 0.00 | Jun 5, 2026 | MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata… | ||
| CVE-2026-43624 | Hig | 0.46 | 8.2 | 0.00 | Jun 1, 2026 | F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting… | ||
| CVE-2026-44973 | Hig | 0.46 | 8.1 | 0.00 | May 28, 2026 | Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base… |
- risk 0.47cvss 7.2epss 0.03
JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability in The "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint…
- risk 0.47cvss 7.2epss 0.07
A vulnerability in the process of uploading new application images to Cisco FXOS on the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance could allow an authenticated, remote attacker using path traversal techniques to create or…
- risk 0.47cvss 7.2epss 0.02
Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.
- risk 0.47cvss 6.7epss 0.02
Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious compadmin may potentially exploit this vulnerability…
- risk 0.47cvss 7.2epss 0.03
Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m]…
- risk 0.47cvss 7.2epss 0.04
Directory traversal vulnerability in the "Upload Groupkey" functionality in the Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote authenticated users with Admin-User access to write to arbitrary files and consequently gain root…
- risk 0.47cvss 7.5epss 0.29
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
- risk 0.47cvss 7.5epss 0.24
Directory traversal vulnerability in the WP e-Commerce Shop Styling plugin before 2.6 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to includes/download.php.
- risk 0.47cvss 7.2epss 0.03
A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session.
- risk 0.47cvss 6.7epss 0.01
Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system…
- risk 0.46cvss 7.1epss 0.00
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization.…
- risk 0.46cvss 8.2epss 0.01
tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any…
- risk 0.46cvss 8.2epss 0.00
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal…
- risk 0.46cvss 8.1epss 0.00
Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages.…
- risk 0.46cvss 8.1epss 0.01
Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current…
- risk 0.46cvss 7.1epss 0.00
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through…
- risk 0.46cvss 8.1epss 0.00
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This…
- risk 0.46cvss 8.1epss 0.00
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata…
- risk 0.46cvss 8.2epss 0.00
F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting…
- risk 0.46cvss 8.1epss 0.00
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base…