Skip to main content

CWE-22

Path Traversal

6430 CVEs Avg CVSS 7.0 MITRE
952
CRITICAL
2756
HIGH
2402
MEDIUM
302
LOW
2413
POC
76
KEV

Monthly

CVE-2026-46336 HIGH This Week

Path traversal in Manyfold's file-rename functionality (versions 0.96.0 through 0.139.x) lets an authenticated user move or write files outside the configured 3D-model library directory. The flaw stems from app/models/model_file.rb passing a user-controlled filename straight into File.join(model.path, filename) without stripping '..' sequences, giving low-privileged users write/overwrite primitives on the host filesystem. No public exploit identified at time of analysis, but the upstream fix commit and its test cases plainly demonstrate the traversal, and the issue is resolved in 0.140.0.

Path Traversal Manyfold
NVD GitHub
CVSS 3.1
7.1
CVE-2026-13103 HIGH This Week

Local code execution in Lenovo App Store (Chinese-market distribution only) lets an authenticated local user abuse a path traversal weakness to write or load files outside intended directories and run arbitrary code. The flaw was self-reported by Lenovo and carries a CVSS 4.0 base score of 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality, integrity, and availability of the local system, but exploitation requires existing low-privilege local access plus user interaction.

Lenovo Path Traversal RCE App Store
NVD
CVSS 4.0
7.0
CVE-2026-53598 HIGH PATCH This Week

{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.

Path Traversal Prompty
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59867 HIGH PATCH This Week

Build-time SSRF, remote file inclusion, and local file inclusion in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description force the `kiota generate` command to fetch arbitrary remote http(s) URLs and read local absolute or out-of-tree file paths while resolving $ref values. Because Kiota inlined those external schemas into generated clients, an attacker could exfiltrate internal endpoints or leak local file contents (e.g. REMOTE_KIOTA_PROP-style properties) into produced code. No public exploit has been identified at time of analysis; the risk is developer/CI-toolchain oriented and requires a developer to run generation against a malicious or influenced description (CVSS 7.1).

SSRF Path Traversal Kiota
NVD GitHub
CVSS 3.1
7.1
CVE-2026-59866 CRITICAL PATCH Act Now

Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write generated source files outside the intended output directory and inject arbitrary text into class/namespace declarations. When a developer runs `kiota generate` without the -c/--class-name flag, Kiota consumes the clientClassName and clientNamespaceName values from the OpenAPI `x-ms-kiota-info` extension without identifier or path sanitization, using them both as code identifiers and as filesystem path components. There is no public exploit identified at time of analysis and no CISA KEV listing, though the fix (SanitizeClientClassName/SanitizeClientNamespaceName) is visible in the merged patch.

Path Traversal Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59864 CRITICAL PATCH Act Now

Path traversal in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description inject unvalidated `static_template.file` values (via the x-ai-adaptive-card and x-ai-capabilities extensions) into generated Microsoft 365 Copilot and Teams plugin manifests, so a developer who runs `kiota plugin add` or `kiota plugin generate -t APIPlugin` against a malicious spec produces a manifest that resolves files outside its package when deployed. Rated CVSS 4.0 9.3 (Critical) with high confidentiality/integrity/availability impact and no privileges required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the upstream fix is confirmed in release v1.32.5.

Microsoft Path Traversal Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59863 HIGH PATCH This Week

Arbitrary file write via path traversal in Microsoft Kiota (OpenAPI HTTP client/plugin code generator) before 1.32.5 allows a malicious repository or pull request to place files outside the workspace root on a developer or CI host. The tool trusts the checked-in .kiota/workspace.json and honors attacker-controlled per-client and per-plugin outputPath values during 'kiota client generate' and 'kiota plugin generate' without validating them. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is realistic in CI/pull-request workflows since it only requires a developer to run generation against poisoned config.

Microsoft Path Traversal Kiota
NVD GitHub VulDB
CVSS 4.0
7.0
CVE-2026-15921 LOW PATCH Monitor

Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in `nvm ls-remote`, `nvm install --lts`, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's `index.tab` - the LTS codename field is used as an alias filename without sanitization, permitting sequences like `../../../.bashrc` to escape `$NVM_DIR/alias`. No public exploit identified at time of analysis, but a working proof-of-concept is embedded in the upstream test suite added in the fix commit.

Node.js Path Traversal RCE Nvm
NVD GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-52890 HIGH This Week

Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.

Path Traversal Denial Of Service Wekan
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-45533 HIGH PATCH This Week

Arbitrary directory deletion in DataEase, an open-source data visualization and analysis platform, allows an authenticated user (PR:L) to abuse the export-center bulk delete API by injecting path traversal sequences (../) into task identifiers, which are passed unsanitized to ExportCenterManage.delete and used to recursively delete server directories. All releases prior to 2.10.23 are affected, and the fix in 2.10.23 constrains deletion to identifiers that exist as legitimate export tasks in the database. There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list, but a full commit-level patch is publicly available which lowers the barrier to reverse-engineering an exploit.

Path Traversal Dataease
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVSS 7.1
HIGH This Week

Path traversal in Manyfold's file-rename functionality (versions 0.96.0 through 0.139.x) lets an authenticated user move or write files outside the configured 3D-model library directory. The flaw stems from app/models/model_file.rb passing a user-controlled filename straight into File.join(model.path, filename) without stripping '..' sequences, giving low-privileged users write/overwrite primitives on the host filesystem. No public exploit identified at time of analysis, but the upstream fix commit and its test cases plainly demonstrate the traversal, and the issue is resolved in 0.140.0.

Path Traversal Manyfold
NVD GitHub
CVSS 7.0
HIGH This Week

Local code execution in Lenovo App Store (Chinese-market distribution only) lets an authenticated local user abuse a path traversal weakness to write or load files outside intended directories and run arbitrary code. The flaw was self-reported by Lenovo and carries a CVSS 4.0 base score of 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality, integrity, and availability of the local system, but exploitation requires existing low-privilege local access plus user interaction.

Lenovo Path Traversal RCE +1
NVD
CVSS 7.5
HIGH PATCH This Week

{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.

Path Traversal Prompty
NVD GitHub
CVSS 7.1
HIGH PATCH This Week

Build-time SSRF, remote file inclusion, and local file inclusion in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description force the `kiota generate` command to fetch arbitrary remote http(s) URLs and read local absolute or out-of-tree file paths while resolving $ref values. Because Kiota inlined those external schemas into generated clients, an attacker could exfiltrate internal endpoints or leak local file contents (e.g. REMOTE_KIOTA_PROP-style properties) into produced code. No public exploit has been identified at time of analysis; the risk is developer/CI-toolchain oriented and requires a developer to run generation against a malicious or influenced description (CVSS 7.1).

SSRF Path Traversal Kiota
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write generated source files outside the intended output directory and inject arbitrary text into class/namespace declarations. When a developer runs `kiota generate` without the -c/--class-name flag, Kiota consumes the clientClassName and clientNamespaceName values from the OpenAPI `x-ms-kiota-info` extension without identifier or path sanitization, using them both as code identifiers and as filesystem path components. There is no public exploit identified at time of analysis and no CISA KEV listing, though the fix (SanitizeClientClassName/SanitizeClientNamespaceName) is visible in the merged patch.

Path Traversal Kiota
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Path traversal in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description inject unvalidated `static_template.file` values (via the x-ai-adaptive-card and x-ai-capabilities extensions) into generated Microsoft 365 Copilot and Teams plugin manifests, so a developer who runs `kiota plugin add` or `kiota plugin generate -t APIPlugin` against a malicious spec produces a manifest that resolves files outside its package when deployed. Rated CVSS 4.0 9.3 (Critical) with high confidentiality/integrity/availability impact and no privileges required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the upstream fix is confirmed in release v1.32.5.

Microsoft Path Traversal Kiota
NVD GitHub
CVSS 7.0
HIGH PATCH This Week

Arbitrary file write via path traversal in Microsoft Kiota (OpenAPI HTTP client/plugin code generator) before 1.32.5 allows a malicious repository or pull request to place files outside the workspace root on a developer or CI host. The tool trusts the checked-in .kiota/workspace.json and honors attacker-controlled per-client and per-plugin outputPath values during 'kiota client generate' and 'kiota plugin generate' without validating them. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is realistic in CI/pull-request workflows since it only requires a developer to run generation against poisoned config.

Microsoft Path Traversal Kiota
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in `nvm ls-remote`, `nvm install --lts`, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's `index.tab` - the LTS codename field is used as an alias filename without sanitization, permitting sequences like `../../../.bashrc` to escape `$NVM_DIR/alias`. No public exploit identified at time of analysis, but a working proof-of-concept is embedded in the upstream test suite added in the fix commit.

Node.js Path Traversal RCE +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.

Path Traversal Denial Of Service Wekan
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Arbitrary directory deletion in DataEase, an open-source data visualization and analysis platform, allows an authenticated user (PR:L) to abuse the export-center bulk delete API by injecting path traversal sequences (../) into task identifiers, which are passed unsanitized to ExportCenterManage.delete and used to recursively delete server directories. All releases prior to 2.10.23 are affected, and the fix in 2.10.23 constrains deletion to identifiers that exist as legitimate export tasks in the database. There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list, but a full commit-level patch is publicly available which lowers the barrier to reverse-engineering an exploit.

Path Traversal Dataease
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy