CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 97 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-22573 | Med | 0.42 | 6.5 | 0.00 | Apr 14, 2026 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through… | ||
| CVE-2026-40180 | Hig | 0.42 | 7.5 | 0.00 | Apr 10, 2026 | Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the… | ||
| CVE-2026-39859 | Hig | 0.42 | 7.5 | 0.00 | Apr 8, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance… | ||
| CVE-2026-39408 | Hig | 0.42 | 7.5 | 0.01 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via… | ||
| CVE-2026-34079 | Hig | 0.42 | 7.5 | 0.00 | Apr 7, 2026 | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete… | ||
| CVE-2026-39369 | Hig | 0.42 | 7.6 | 0.00 | Apr 7, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the… | ||
| CVE-2026-35605 | Hig | 0.42 | 7.5 | 0.00 | Apr 7, 2026 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths… | ||
| CVE-2026-35485 | Hig | 0.42 | 7.5 | 0.01 | Apr 7, 2026 | text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_grammar() allows reading any file on the server filesystem with no extension restriction. Gradio does not server-side… | ||
| CVE-2026-34070 | Hig | 0.42 | 7.5 | 0.01 | Mar 31, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path… | ||
| CVE-2026-27018 | Hig | 0.42 | 7.5 | 0.01 | Mar 30, 2026 | Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0. | ||
| CVE-2026-33748 | Hig | 0.42 | 7.5 | 0.00 | Mar 27, 2026 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root.… | ||
| CVE-2026-32846 | Hig | 0.42 | 7.5 | 0.01 | Mar 26, 2026 | OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the… | ||
| CVE-2025-70952 | Hig | 0.42 | 7.5 | 0.01 | Mar 25, 2026 | pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation. | ||
| CVE-2019-25610 | Med | 0.42 | 6.5 | 0.01 | Mar 22, 2026 | NetNumber Titan Master 7.9.1 contains a path traversal vulnerability in the drp endpoint that allows authenticated users to download arbitrary files by injecting directory traversal sequences. Attackers can manipulate the path parameter with base64-encoded payloads containing… | ||
| CVE-2026-2421 | Med | 0.42 | 6.5 | 0.01 | Mar 20, 2026 | The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a… | ||
| CVE-2026-30403 | Hig | 0.42 | 7.5 | 0.00 | Mar 19, 2026 | There is an arbitrary file read vulnerability in the test connection function of backend database management in wgcloud v3.6.3 and before, which can be used to read any file on the victim's server. | ||
| CVE-2026-3954 | Med | 0.42 | 6.5 | 0.00 | Mar 11, 2026 | A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the argument file_name causes path traversal. The attack may be initiated remotely.… | ||
| CVE-2026-28807 | Hig | 0.42 | 7.5 | 0.01 | Mar 10, 2026 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before… | ||
| CVE-2026-3585 | Hig | 0.42 | 7.5 | 0.00 | Mar 10, 2026 | The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of… | ||
| CVE-2026-3695 | Med | 0.42 | 6.5 | 0.01 | Mar 8, 2026 | A vulnerability has been found in SourceCodester Modern Image Gallery App 1.0. Impacted is an unknown function of the file /delete.php. Such manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been… |
- risk 0.42cvss 6.5epss 0.00
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through…
- risk 0.42cvss 7.5epss 0.00
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the…
- risk 0.42cvss 7.5epss 0.00
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance…
- risk 0.42cvss 7.5epss 0.01
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via…
- risk 0.42cvss 7.5epss 0.00
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete…
- risk 0.42cvss 7.6epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the…
- risk 0.42cvss 7.5epss 0.00
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths…
- risk 0.42cvss 7.5epss 0.01
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_grammar() allows reading any file on the server filesystem with no extension restriction. Gradio does not server-side…
- risk 0.42cvss 7.5epss 0.01
LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path…
- risk 0.42cvss 7.5epss 0.01
Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.
- risk 0.42cvss 7.5epss 0.00
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root.…
- risk 0.42cvss 7.5epss 0.01
OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the…
- risk 0.42cvss 7.5epss 0.01
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
- risk 0.42cvss 6.5epss 0.01
NetNumber Titan Master 7.9.1 contains a path traversal vulnerability in the drp endpoint that allows authenticated users to download arbitrary files by injecting directory traversal sequences. Attackers can manipulate the path parameter with base64-encoded payloads containing…
- risk 0.42cvss 6.5epss 0.01
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a…
- risk 0.42cvss 7.5epss 0.00
There is an arbitrary file read vulnerability in the test connection function of backend database management in wgcloud v3.6.3 and before, which can be used to read any file on the victim's server.
- risk 0.42cvss 6.5epss 0.00
A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the argument file_name causes path traversal. The attack may be initiated remotely.…
- risk 0.42cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before…
- risk 0.42cvss 7.5epss 0.00
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of…
- risk 0.42cvss 6.5epss 0.01
A vulnerability has been found in SourceCodester Modern Image Gallery App 1.0. Impacted is an unknown function of the file /delete.php. Such manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been…