Skip to main content

CWE-41

Improper Resolution of Path Equivalence

24 CVEs Avg CVSS 6.0 MITRE
0
CRITICAL
8
HIGH
15
MEDIUM
1
LOW
4
POC
0
KEV

Monthly

CVE-2026-49401 Cargo HIGH PATCH GHSA This Week

Permission-sandbox bypass in the Deno runtime (versions <= 2.7.13) on macOS lets untrusted code reach paths that operators explicitly blocked with --deny-read, --deny-write, --deny-run, or --deny-ffi. Because Deno compared paths byte-for-byte while APFS treats Unicode-equivalent and case-equivalent spellings as the same file, a script granted broad --allow-* but with --deny-* carve-outs can read, write, execute, or FFI-load a protected file by referring to it with an alternate spelling (NFD vs NFC, case folding, ligatures, or German ss vs ß). No public exploit identified at time of analysis, and EPSS is low (0.14%), but the bypass is trivial to perform once an attacker controls the path string.

Microsoft Apple Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-50568 LOW PATCH Monitor

Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-5816 HIGH POC PATCH This Week

Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.

Information Disclosure Gitlab
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-34510 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style network paths without proper local-path validation, allowing unauthenticated remote attackers to bypass access restrictions and read local files. With a CVSS score of 6.9 and network-based attack vector requiring no user interaction, this vulnerability presents moderate risk to systems processing untrusted media content. No public exploit code or active exploitation has been confirmed at the time of analysis.

Path Traversal Microsoft
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-23674 HIGH PATCH This Week

Windows MapUrlToZone security bypass in Windows 11 24H2, Windows 10 21H2, and Windows Server 2016/2025 allows unauthenticated remote attackers to circumvent zone-based security restrictions through improper path equivalence resolution. An attacker can exploit this network-accessible vulnerability without user interaction to bypass intended access controls. No patch is currently available for this high-severity vulnerability.

Microsoft Authentication Bypass Windows 11 24h2 Windows 10 21h2 Windows Server 2025 +12
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43298 HIGH This Week

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-54107 MEDIUM Monitor

Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Windows 10 1507 Windows 10 1607 Windows 10 1809 +13
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-8765 HIGH POC PATCH This Month

In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Lunary
NVD GitHub
CVSS 3.0
7.3
EPSS
0.2%
CVE-2024-6839 PyPI MEDIUM POC PATCH This Month

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors Suse
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-0115 MEDIUM This Month

A vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated admin on the PAN-OS CLI to read arbitrary files. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Paloalto
NVD
CVSS 4.0
6.8
EPSS
0.1%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Permission-sandbox bypass in the Deno runtime (versions <= 2.7.13) on macOS lets untrusted code reach paths that operators explicitly blocked with --deny-read, --deny-write, --deny-run, or --deny-ffi. Because Deno compared paths byte-for-byte while APFS treats Unicode-equivalent and case-equivalent spellings as the same file, a script granted broad --allow-* but with --deny-* carve-outs can read, write, execute, or FFI-load a protected file by referring to it with an alternate spelling (NFD vs NFC, case folding, ligatures, or German ss vs ß). No public exploit identified at time of analysis, and EPSS is low (0.14%), but the bypass is trivial to perform once an attacker controls the path string.

Microsoft Apple Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.

Information Disclosure Gitlab
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style network paths without proper local-path validation, allowing unauthenticated remote attackers to bypass access restrictions and read local files. With a CVSS score of 6.9 and network-based attack vector requiring no user interaction, this vulnerability presents moderate risk to systems processing untrusted media content. No public exploit code or active exploitation has been confirmed at the time of analysis.

Path Traversal Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Windows MapUrlToZone security bypass in Windows 11 24H2, Windows 10 21H2, and Windows Server 2016/2025 allows unauthenticated remote attackers to circumvent zone-based security restrictions through improper path equivalence resolution. An attacker can exploit this network-accessible vulnerability without user interaction to bypass intended access controls. No patch is currently available for this high-severity vulnerability.

Microsoft Authentication Bypass Windows 11 24h2 +14
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

A parsing issue in the handling of directory paths was addressed with improved path validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Windows 10 1507 +15
NVD
EPSS 0% CVSS 7.3
HIGH POC PATCH This Month

In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Lunary
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

A vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated admin on the PAN-OS CLI to read arbitrary files. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Paloalto
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy