CWE-23
Relative Path Traversal
Base · Draft
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-139 · CAPEC-76
CVEs mapped to this weakness (100)
page 2 of 5

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-47788 | Critical | 0.54 | — | 0.01 | | May 15, 2025 | Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue. |
| CVE-2025-2007 | High | 0.54 | 8.1 | 0.11 | | Apr 1, 2025 | The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1. |
| CVE-2026-5966 | High | 0.53 | 8.1 | 0.00 | | Apr 20, 2026 | ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system. |
| CVE-2026-4415 | High | 0.53 | 8.1 | 0.01 | | Mar 30, 2026 | Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation. |
| CVE-2026-2818 | High | 0.53 | 8.2 | 0.00 | | Feb 20, 2026 | A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only. |
| CVE-2025-32409 | High | 0.53 | 8.1 | 0.04 | | Apr 7, 2025 | Ratta SuperNote A6 X2 Nomad before December 2024 allows remote code execution because an arbitrary firmware image (signed with debug keys) can be sent to TCP port 60002, and placed into the correct image-update location as a consequence of both directory traversal and unintended handling of concurrency. |
| CVE-2026-33435 | High | 0.52 | 8.0 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects. |
| CVE-2025-10203 | High | 0.51 | 7.8 | 0.00 | | Sep 15, 2025 | Relative path traversal vulnerability due to improper input validation in Digilent WaveForms that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .DWF3WORK file. This vulnerability affects Digilent WaveForms 3.24.3 and prior versions. |
| CVE-2024-35186 | High | 0.50 | 8.8 | 0.00 | | May 23, 2024 | gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0. |
| CVE-2026-43533 | High | 0.49 | 8.6 | 0.00 | | May 5, 2026 | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. |
| CVE-2026-31831 | High | 0.49 | 7.5 | 0.00 | | Mar 30, 2026 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0. |
| CVE-2026-30345 | High | 0.49 | 7.5 | 0.00 | | Mar 18, 2026 | A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import. |
| CVE-2025-12097 | High | 0.49 | 7.5 | 0.00 | | Dec 4, 2025 | There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in the NI System Web Server 2012 and prior versions. It was fixed in 2013. |
| CVE-2025-13161 | High | 0.49 | 7.5 | 0.00 | | Nov 14, 2025 | IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. |
| CVE-2025-58429 | High | 0.49 | 7.5 | 0.01 | | Oct 23, 2025 | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary files on the target machine. |
| CVE-2025-58078 | High | 0.49 | 7.5 | 0.00 | | Oct 23, 2025 | A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine. |
| CVE-2025-11898 | High | 0.49 | 7.5 | 0.00 | | Oct 17, 2025 | Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. |
| CVE-2025-59835 | High | 0.49 | — | 0.00 | | Oct 2, 2025 | LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5. |
| CVE-2025-9639 | High | 0.49 | 7.5 | 0.00 | | Aug 29, 2025 | The QbiCRMGateway developed by Ai3 has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. |
| CVE-2025-7146 | High | 0.49 | 7.5 | 0.00 | | Jul 8, 2025 | The iPublish System developed by Jhenggao has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to read arbitrary system files. |