CWE-36
Absolute Path Traversal
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-597
CVEs mapped to this weakness (55)
Page 2 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4373 | | High | 0.42 | 7.5 | 0.00 | | Mar 21, 2026 | The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload… |
| CVE-2026-0846 | | High | 0.42 | 7.5 | 0.00 | | Mar 9, 2026 | A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access… |
| CVE-2025-0001 | — | Medium | 0.42 | 6.5 | 0.00 | | Feb 17, 2025 | Abacus ERP versions older than 2024.210.16036, 2023.205.15833 and 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability. |
| CVE-2023-41830 | | Medium | 0.42 | 6.5 | 0.00 | | May 3, 2024 | An improper absolute path traversal vulnerability was reported for the Ready For application, allowing a local application to access files without authorization. |
| CVE-2025-8575 | | High | 0.40 | 7.2 | 0.01 | | Sep 12, 2025 | The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level… |
| CVE-2025-8213 | | High | 0.40 | 7.2 | 0.00 | | Jul 31, 2025 | The NinjaScanner – Virus & Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions in all versions up to, and including, 3.2.5. This makes it… |
| CVE-2026-46345 | | High | 0.39 | — | 0.00 | | May 28, 2026 | Relevant products/components: `trestle/core/commands/author/jinja.py`, `trestle author jinja`. Detailed description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly… |
| CVE-2026-47243 | | High | 0.39 | — | 0.00 | | May 27, 2026 | Summary: In the runtime-rs standalone virtio-fs path, verified here with QEMU (and verified with Cloud Hypervisor too), Kata Containers runs host `virtiofsd` as root with `--sandbox none --seccomp none`. If an attacker has root-equivalent execution inside the Kata… |
| CVE-2024-13945 | | Medium | 0.39 | 6.0 | 0.00 | | May 23, 2025 | Stored Absolute Path Traversal vulnerabilities in ASPECT could expose sensitive data if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. |
| CVE-2026-53698 | | Medium | 0.35 | 6.5 | 0.00 | | Jun 10, 2026 | Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set. |
| CVE-2026-10075 | | Medium | 0.34 | 5.3 | 0.00 | | May 29, 2026 | DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary paths by exploiting an Absolute Path Traversal vulnerability. |
| CVE-2026-7217 | — | Medium | 0.34 | 5.3 | 0.00 | | Apr 28, 2026 | A security vulnerability has been detected in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts of the component Document File Handler. Such manipulation of… |
| CVE-2026-6418 | | Medium | 0.32 | 4.9 | 0.00 | | May 5, 2026 | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an… |
| CVE-2025-9516 | | Medium | 0.32 | 4.9 | 0.00 | | Sep 4, 2025 | The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files… |
| CVE-2024-10651 | | Medium | 0.32 | 4.9 | 0.01 | | Nov 1, 2024 | IDExpert from CHANGING Information Technology does not properly validate a specific parameter in the administrator interface, allowing remote attackers with administrator privileges to exploit this vulnerability to read arbitrary system files. |
| CVE-2026-32175 | | Medium | 0.28 | 4.3 | 0.01 | | May 12, 2026 | A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited… |
| CVE-2026-44029 | | Medium | 0.27 | 5.3 | 0.01 | | May 5, 2026 | An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7); |
| CVE-2024-57966 | | Medium | 0.26 | 5.0 | 0.00 | | Feb 3, 2025 | libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. |
| CVE-2025-8009 | | Medium | 0.25 | 4.9 | 0.01 | | Jul 24, 2025 | The Security Ninja – WordPress Security Plugin & Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.242 via the 'get_file_source' function. This makes it possible for authenticated attackers, with Administrator-level… |
| CVE-2025-67898 | | Medium | 0.22 | 4.5 | 0.00 | | Dec 14, 2025 | MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827. |