CWE-36
Absolute Path Traversal
BaseDraft
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-597
CVEs mapped to this weakness (33)
page 2 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-0846 | Hig | 0.42 | 7.5 | 0.00 | Mar 9, 2026 | A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input. | |
| CVE-2025-0001 | Med | 0.42 | 6.5 | 0.00 | Feb 17, 2025 | Abacus ERP is versions older than 2024.210.16036, 2023.205.15833, 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability. | |
| CVE-2023-41830 | Med | 0.42 | 6.5 | 0.00 | May 3, 2024 | An improper absolute path traversal vulnerability was reported for the Ready For application allowing a local application access to files without authorization. | |
| CVE-2024-13945 | Med | 0.39 | 6.0 | 0.00 | May 23, 2025 | Stored Absolute Path Traversal vulnerabilities in ASPECT could expose sensitive data if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | |
| CVE-2026-44029 | Med | 0.34 | 5.3 | 0.00 | May 5, 2026 | An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7); | |
| CVE-2026-7217 | Med | 0.34 | 5.3 | 0.00 | Apr 28, 2026 | A security vulnerability has been detected in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts of the component Document File Handler. Such manipulation of the argument path leads to absolute path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |
| CVE-2026-6418 | Med | 0.32 | 4.9 | 0.00 | May 5, 2026 | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files. When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running. | |
| CVE-2025-9516 | Med | 0.32 | 4.9 | 0.00 | Sep 4, 2025 | The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory. | |
| CVE-2025-8009 | Med | 0.32 | 4.9 | 0.00 | Jul 24, 2025 | The Security Ninja – WordPress Security Plugin & Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.242 via the 'get_file_source' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to extract sensitive data, including the contents of any file on the server. | |
| CVE-2024-10651 | Med | 0.32 | 4.9 | 0.00 | Nov 1, 2024 | IDExpert from CHANGING Information Technology does not properly validate a specific parameter in the administrator interface, allowing remote attackers with administrator privileges to exploit this vulnerability to read arbitrary system files. | |
| CVE-2025-67898 | Med | 0.29 | 4.5 | 0.00 | Dec 14, 2025 | MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827. | |
| CVE-2026-32175 | Med | 0.28 | 4.3 | 0.00 | May 12, 2026 | A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system. The security update fixes the vulnerability by ensuring .NET Core properly handles files. | |
| CVE-2024-57966 | Med | 0.26 | 5.0 | 0.00 | Feb 3, 2025 | libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. |