Skip to main content

CWE-24

Path Traversal: '../filedir'

76 CVEs Avg CVSS 6.7 MITRE
11
CRITICAL
21
HIGH
40
MEDIUM
4
LOW
36
POC
1
KEV

Monthly

CVE-2026-34151 Maven HIGH PATCH GHSA This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat Docker
NVD GitHub
CVE-2026-44942 MEDIUM PATCH This Month

Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Libzypp Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-49103 CRITICAL PATCH Act Now

Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-48047 Maven MEDIUM PATCH GHSA This Month

Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component `xwiki-platform-webjars-api` fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. No public exploit is identified and no CISA KEV listing exists; vendor-released patches are available across three version branches.

Atlassian Path Traversal
NVD GitHub
EPSS
0.1%
CVE-2026-22810 npm HIGH PATCH GHSA This Week

Path traversal vulnerability in Joplin's OneNote importer (versions 3.2.2 through 3.5.6) allows local attackers with authenticated access to overwrite arbitrary files on disk by importing malicious .one files containing directory traversal sequences in embedded file names. The vulnerability can lead to remote code execution by overwriting system files like .bashrc. Publicly available exploit code exists, with vendor-released patch available in version 3.5.7.

Path Traversal RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33431 MEDIUM PATCH This Month

Roxy-WI versions prior to 8.2.6.4 allow authenticated attackers to read arbitrary files via path traversal in the POST /config/<service>/show API endpoint. The configver parameter is directly concatenated into a file path without proper validation, permitting directory escape sequences (../) to bypass the existing path guard. An authenticated user can exploit this to access sensitive configuration files and other data readable by the web application process.

Apache Path Traversal Nginx
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-40318 Go HIGH PATCH GHSA This Week

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

Path Traversal Siyuan
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-41082 HIGH PATCH This Week

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.

Information Disclosure Opam
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-39813 CRITICAL POC NEWS Act Now

Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112.

Privilege Escalation Fortinet Path Traversal Fortisandbox Fortisandbox Cloud
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-43035 npm MEDIUM PATCH This Month

Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. [CVSS 5.8 MEDIUM]

Path Traversal
NVD GitHub
CVSS 3.1
5.8
EPSS
0.2%
HIGH PATCH This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Libzypp Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.

Information Disclosure
NVD GitHub VulDB
EPSS 0%
MEDIUM PATCH This Month

Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component `xwiki-platform-webjars-api` fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. No public exploit is identified and no CISA KEV listing exists; vendor-released patches are available across three version branches.

Atlassian Path Traversal
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Path traversal vulnerability in Joplin's OneNote importer (versions 3.2.2 through 3.5.6) allows local attackers with authenticated access to overwrite arbitrary files on disk by importing malicious .one files containing directory traversal sequences in embedded file names. The vulnerability can lead to remote code execution by overwriting system files like .bashrc. Publicly available exploit code exists, with vendor-released patch available in version 3.5.7.

Path Traversal RCE
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Roxy-WI versions prior to 8.2.6.4 allow authenticated attackers to read arbitrary files via path traversal in the POST /config/<service>/show API endpoint. The configver parameter is directly concatenated into a file path without proper validation, permitting directory escape sequences (../) to bypass the existing path guard. An authenticated user can exploit this to access sensitive configuration files and other data readable by the web application process.

Apache Path Traversal Nginx
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

Path Traversal Siyuan
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.

Information Disclosure Opam
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112.

Privilege Escalation Fortinet Path Traversal +2
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. [CVSS 5.8 MEDIUM]

Path Traversal
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy