Skip to main content

Path Traversal

7724 CVEs technique

Monthly

CVE-2026-32007 npm MEDIUM PATCH GHSA This Month

OpenClaw versions before 2026.2.23 allow authenticated users with sandbox access to bypass workspace restrictions through a path traversal flaw in the apply_patch tool, enabling arbitrary file modification on the system. The vulnerability stems from inconsistent validation of mounted paths outside the workspace directory, permitting attackers to write to writable mounts beyond the intended sandbox boundaries. No patch is currently available for this MEDIUM severity issue.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-25928 MEDIUM PATCH This Month

Improper path sanitization in OpenEMR's DICOM export feature prior to version 8.0.0.2 allows authenticated users with DICOM permissions to write arbitrary files outside the intended directory through path traversal sequences. An attacker could exploit this to place malicious PHP files within the web root, potentially achieving remote code execution. The vulnerability requires valid credentials but poses significant risk to systems containing sensitive healthcare data.

PHP RCE Path Traversal
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-33344 Go HIGH PATCH This Week

Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.

Path Traversal Apple Kubernetes macOS Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
3.0%
CVE-2026-33309 PyPI CRITICAL POC PATCH GHSA Act Now

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.

RCE Python Docker Path Traversal Canonical
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-33293 PHP HIGH This Week

Arbitrary file deletion in PHP CloneSite plugin allows authenticated attackers to bypass path validation and remove critical files via path traversal in the deleteDump parameter, causing denial of service or facilitating privilege escalation attacks. An attacker with valid clone credentials can leverage unvalidated input passed directly to unlink() to delete arbitrary files including configuration.php and other security-critical application files. No patch is currently available for this vulnerability.

PHP Denial Of Service Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33292 PHP HIGH This Week

Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.

PHP Path Traversal Oracle Apple
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3029 PyPI HIGH PATCH This Week

PyMuPDF versions up to 1.26.5 allow unauthenticated remote attackers to write arbitrary files to the system through path traversal in the embedded get function. This vulnerability enables denial of service attacks and potential system compromise without requiring authentication or user interaction. No patch is currently available.

Path Traversal PyMuPDF
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27043 HIGH This Week

The ThemeGoods Photography WordPress theme through version 7.7.5 permits authenticated administrators to upload arbitrary files with path traversal capabilities, enabling remote code execution and complete site compromise. While the CVSS score of 7.2 indicates high severity, the requirement for high-privileged admin credentials (PR:H) significantly constrains real-world exploitability. The EPSS score of 0.04% (12th percentile) suggests minimal likelihood of active exploitation, with no public exploit code identified at time of analysis.

Path Traversal File Upload
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-22557 CRITICAL POC Act Now

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed.

Path Traversal Ubiquiti
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-33242 Cargo HIGH PATCH This Week

Nginx's path traversal vulnerability enables unauthenticated remote attackers to bypass proxy routing controls and access unintended backend resources by exploiting improper normalization of encoded path sequences. The flaw allows attackers to reach protected endpoints and administrative interfaces that should be restricted through the proxy's access controls. A patch is available for this high-severity issue with a CVSS score of 7.5.

Path Traversal Nginx
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33238 PHP MEDIUM PATCH This Month

The `listFiles.json.php` endpoint in AVideo accepts an unsanitized POST parameter `path` and passes it directly to PHP's `glob()` function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate `.mp4` files anywhere on the server filesystem. An attacker with the standard `canUpload` permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as `/var/private/premium-content/` and the root filesystem.

Path Traversal PHP
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33236 PyPI HIGH PATCH This Week

NLTK downloader contains a path traversal vulnerability that allows remote attackers to write arbitrary files to any location on the filesystem when a user downloads packages from a malicious server. Attackers controlling a remote XML index server can inject path traversal sequences (../) into package metadata to overwrite critical system files including /etc/passwd or SSH authorized_keys. A working proof-of-concept exploit exists demonstrating arbitrary file creation at /tmp/test_file.zip via malicious server and client script.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-30403 HIGH This Week

A arbitrary file access vulnerability in the test connection function of backend database management in wgcloud (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-67115 MEDIUM This Month

A path traversal vulnerability in /ftl/web/setup.cgi in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to read arbitrary files from the filesystem via crafted values in the...

Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15031 PyPI CRITICAL PATCH Act Now

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.

RCE Path Traversal Mlflow Mlflow
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-33211 Go CRITICAL PATCH Act Now

The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.

Path Traversal Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-33194 Go MEDIUM PATCH This Month

Docker's IsSensitivePath() function uses an incomplete denylist that fails to restrict access to sensitive directories including /opt, /usr, /home, /mnt, and /media, allowing authenticated users with high privileges to read arbitrary files outside the intended workspace through the globalCopyFiles and importStdMd endpoints. An attacker with administrative credentials could exploit this path traversal vulnerability to access sensitive configuration files and data from other users or mounted volumes. No patch is currently available for this medium-severity issue.

Path Traversal Docker Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-33064 Go HIGH PATCH This Week

A NULL pointer dereference vulnerability in free5GC v4.0.1's UDM (Unified Data Management) service allows remote attackers to crash the service via a crafted POST request to the /sdm-subscriptions endpoint containing path traversal sequences and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go fails to validate pointers before dereferencing, causing complete service disruption requiring manual restart. All deployments of free5GC v4.0.1 utilizing UDM HTTP callback functionality are affected, and a patch is available via PR free5gc/udm#78.

Denial Of Service Null Pointer Dereference Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-33054 PyPI CRITICAL PATCH Act Now

A path traversal vulnerability in A Path Traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.

Microsoft Path Traversal Denial Of Service Python Windows
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-33171 PHP MEDIUM PATCH This Month

Authenticated Control Panel users can read arbitrary JSON, YAML, and CSV files from the server by manipulating the filename parameter in the fieldtype endpoint, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects versions prior to 5.73.14 and 6.7.0. No patch is currently available for affected deployments.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33166 Maven HIGH PATCH This Week

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Jenkins Path Traversal Information Disclosure Java
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-32731 npm CRITICAL PATCH Act Now

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.

Path Traversal Node.js CSRF Denial Of Service Google +3
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-3479 LOW PATCH Monitor

The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.

Path Traversal Cpython
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27523 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation bypass vulnerability that allows local attackers with low privileges to circumvent allowed-root and blocked-path security checks through symlinked parent directories combined with non-existent leaf paths. An attacker can craft bind source paths that appear to reside within permitted sandbox roots but resolve outside sandbox boundaries once missing path components are created, effectively weakening the sandbox's bind-source isolation enforcement. A patch is available from the vendor, and exploitation requires local access with standard user privileges, making this a practical threat in multi-tenant or shared-system environments.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27522 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability that allows authenticated attackers to read arbitrary files from the host system through the sendAttachment and setGroupIcon message actions when sandboxRoot configuration is unset. An attacker with valid credentials can exploit path traversal to hydrate media from absolute file paths, gaining unauthorized access to sensitive files accessible by the OpenClaw runtime user. A patch is available from the vendor, and this vulnerability has been tracked in the ENISA EUVD database (EUVD-2026-12732) with confirmed GitHub security advisory and commit-level patch information.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22171 npm HIGH PATCH This Week

OpenClaw contains a path traversal vulnerability in the Feishu media download functionality where untrusted media key values are directly interpolated into temporary file paths without sanitization. OpenClaw versions prior to 2026.2.19 are affected, allowing remote unauthenticated attackers to write arbitrary files within the process permissions by using directory traversal sequences in media keys. No public evidence of active exploitation (KEV) or public proof-of-concept exists at this time, though the high CVSS score of 8.2 reflects the network-accessible attack vector and lack of authentication requirements.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32981 PyPI HIGH POC PATCH GHSA This Week

Local file disclosure in the Ray Dashboard (default TCP port 8265) of the Ray distributed-computing framework affects all releases prior to 2.8.1, where the static file handler fails to sanitize user-supplied paths. Remote attackers can submit directory-traversal sequences to read arbitrary files outside the intended static directory, exposing source code, configuration, and credentials. Publicly available exploit code exists (reported by VulnCheck), though EPSS estimates exploitation probability at only 0.07% (20th percentile) and the issue is not listed in CISA KEV.

Path Traversal Ray
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-25770 CRITICAL PATCH Act Now

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.

RCE Privilege Escalation Path Traversal Wazuh
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-4307 LOW POC Monitor

Agent Zero 0.9.7-10's get_abs_path function in python/helpers/files.py is vulnerable to path traversal, allowing authenticated remote attackers to access files outside intended directories with limited confidentiality impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Path Traversal Python
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4285 LOW Monitor

A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433.

Path Traversal Java
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-21991 MEDIUM This Month

The DTrace dtprobed component contains a path traversal vulnerability (CWE-22) that allows local attackers with limited privileges to create arbitrary files on the system by supplying crafted USDT provider names. This vulnerability affects Oracle Linux 8, 9, and 10, and while it carries a CVSS score of 5.5, the EPSS score of 0.01% (percentile 2%) indicates very low exploitation probability in the wild, with no evidence of active exploitation or public proof-of-concept code.

Path Traversal
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32805 Go HIGH PATCH This Week

Path traversal in the webserver's archive extraction function allows unauthenticated remote attackers to write files outside the intended directory by crafting malicious tar archives, due to incomplete path validation in the sanitizeArchivePath function. The vulnerability affects the download command's decompression functionality and could enable arbitrary file placement on the system. A patch is available.

Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-29522 HIGH This Week

Remote unauthenticated attackers can read arbitrary server files in ZwickRoell Test Data Management versions before 3.0.8 by exploiting a path traversal flaw in the node_upgrade_srv.js endpoint's firmware parameter. The vulnerability enables direct access to sensitive system files including credentials, configuration data, and source code without authentication. Despite the high CVSS score (8.7), the low EPSS probability (0.06%, 17th percentile) indicates minimal automated exploitation activity, though the unauthenticated network attack vector and low complexity make this readily exploitable if discovered by adversaries targeting industrial testing infrastructure.

Path Traversal Information Disclosure Test Data Management
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32771 Go HIGH PATCH GHSA This Week

Path traversal in the `extractor` CLI tool and `extract.DumpOTelCollector` library function allows attackers to write files outside the intended extraction directory by exploiting an incomplete path validation check in the `sanitizeArchivePath` function. A maliciously crafted tar archive can bypass the prefix check and place arbitrary files on the system when processed. A patch is available to address the missing trailing path separator validation.

Path Traversal Suse
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-32758 Go MEDIUM PATCH This Month

Path traversal in the resourcePatchHandler allows authenticated users with Create or Rename permissions to bypass access control rules by injecting path traversal sequences (`..\`) into PATCH requests, since validation occurs before path normalization. An attacker can exploit this to copy or rename files to restricted directories that should be protected by administrator-configured deny rules. No patch is currently available.

Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32750 Go MEDIUM PATCH This Month

SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.

Path Traversal SQLi Docker Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32749 Go HIGH PATCH This Week

Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.

Python Docker Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32747 Go MEDIUM PATCH This Month

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

Docker PostgreSQL Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-66687 HIGH This Week

Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files

Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32262 PHP MEDIUM PATCH This Month

Path traversal in Craft CMS AssetsController allows authenticated users with replaceFiles permission to delete arbitrary files on local filesystems by injecting directory traversal sequences into the targetFilename parameter, potentially affecting files across multiple volumes sharing the same filesystem root. The vulnerability exists because user input is processed by deleteFile() before proper sanitization is applied. Users should upgrade to Craft 4.17.5 or 5.9.11 to resolve this issue.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4233 LOW POC Monitor

Path traversal in ThingsGateway 12's /api/file/download endpoint allows authenticated users to read arbitrary files through manipulation of the fileName parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Path Traversal Thingsgateway
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4222 LOW POC Monitor

A path traversal vulnerability exists in SSCMS versions up to 7.4.0 within the PathUtils.RemoveParentPath function of the plugin download API endpoint (/api/admin/plugins/install/actions/download). An authenticated administrator with high privileges can manipulate the path argument to traverse the file system and access or modify files outside the intended directory, potentially leading to information disclosure or system compromise. The vulnerability has public proof-of-concept code available, though the CVSS score of 3.8 is relatively low due to the requirement for authenticated administrative access, making this a lower-priority but still exploitable issue in environments where admin credentials may be compromised.

Path Traversal Sscms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-21005 HIGH This Week

A path traversal vulnerability in Smart Switch (CVSS 7.1) that allows adjacent attackers. High severity vulnerability requiring prompt remediation.

Path Traversal Smart Switch
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-21001 MEDIUM This Month

Galaxy Store versions prior to 4.6.03.8 contain a path traversal vulnerability that enables local attackers to create files with Galaxy Store privileges. This could allow an attacker with local access to escalate their capabilities by writing malicious files in unintended locations. No patch is currently available for this issue.

Path Traversal Galaxy Store
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-21000 HIGH This Week

Galaxy Store versions prior to 4.6.03.8 contain an access control flaw that enables local attackers to create files with elevated Galaxy Store privileges. This vulnerability affects local users on affected devices and could allow privilege escalation or persistence mechanisms. No patch is currently available.

Path Traversal Galaxy Store
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2016-20025 HIGH POC This Week

Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.

Privilege Escalation Path Traversal Information Disclosure Zkteco Zkaccess Professional
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32719 MEDIUM This Month

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.

Path Traversal RCE AI / ML Anything Llm
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-32709 MEDIUM This Month

An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on flight controller filesystems without authentication or privilege requirements. Affected versions are prior to 1.17.0-rc2, impacting both NuttX-based flight controllers and POSIX targets (Linux companion computers and SITL simulation environments). Attackers with network access to MAVLink communication channels can exploit this vulnerability to compromise flight controller integrity, extract sensitive configuration data, or inject malicious firmware.

Path Traversal Px4 Autopilot
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2493 HIGH Act Now

IceWarp collaboration platform contains an unauthenticated directory traversal vulnerability that allows remote attackers to read sensitive files from the server. The flaw exists in HTTP request handling, enabling access to configuration files, user data, and potentially email contents stored on the server.

Path Traversal Information Disclosure Icewarp
NVD
CVSS 3.0
7.5
EPSS
10.3%
CVE-2026-3839 HIGH This Week

Critical authentication bypass vulnerability in Unraid's auth-request.php file that allows remote attackers to gain unauthorized access without credentials through path traversal exploitation. The vulnerability affects all versions of Unraid (CPE indicates no version restrictions) and can be exploited over the network with low complexity, potentially compromising system confidentiality, integrity, and availability. No KEV listing or EPSS data was provided, suggesting this may be a recently disclosed vulnerability without known active exploitation.

Authentication Bypass PHP Path Traversal Unraid
NVD VulDB
CVSS 3.0
7.3
EPSS
0.3%
CVE-2026-3838 HIGH This Week

Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.

PHP Path Traversal RCE Unraid
NVD VulDB
CVSS 3.0
8.8
EPSS
1.6%
CVE-2026-30853 MEDIUM PATCH This Month

Arbitrary file write vulnerability in Calibre's RocketBook input plugin enables attackers to write files to any location accessible by the Calibre process when a user opens or converts a malicious .rb file. The path traversal flaw affects versions prior to 9.5.0 and represents an unpatched instance of the same vulnerability class previously fixed in the PDB reader component. Local attackers can leverage this to corrupt files, modify configuration, or potentially achieve code execution depending on file system permissions.

Path Traversal Calibre Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-30914 Go HIGH PATCH This Week

SFTPGo versions prior to 2.7.1 contain a path normalization vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) that allows authenticated attackers to bypass folder-level permissions and escape Virtual Folder boundaries through crafted file paths. An attacker with valid credentials can exploit this authorization bypass to access files and directories beyond their intended scope. The vulnerability has been patched in version 2.7.1 with strict edge-level path normalization, and while no public POC or KEV status has been disclosed, the CVSS 5.3 (network-accessible, low complexity) and requirement for prior authentication suggest this is a real but moderate-priority issue.

Canonical Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-4092 npm HIGH POC PATCH This Week

Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.

Path Traversal RCE Google
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
1.0%
CVE-2026-31886 Go CRITICAL PATCH Act Now

Path traversal via dagRunId in DAG execution endpoints.

Python Authentication Bypass Denial Of Service Path Traversal Docker +1
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-66249 Maven MEDIUM PATCH This Month

Apache Livy versions 0.3.0 through 0.8.x contain a path traversal vulnerability (CWE-22) that allows authenticated attackers to bypass directory restrictions and access files outside intended whitelist boundaries. The vulnerability only manifests when the 'livy.file.local-dir-whitelist' configuration parameter is set to a non-default value, enabling attackers with valid credentials to read, write, or execute arbitrary files on the server. With a CVSS score of 6.3 (moderate severity) reflecting the requirement for authenticated access and limited impact scope, this vulnerability warrants prioritization for organizations using Livy in multi-tenant or untrusted user environments.

Path Traversal Apache Apache Livy
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-32415 MEDIUM This Month

Squeeze versions 1.7.7 and earlier contain a path traversal vulnerability that allows authenticated attackers to access files outside the intended directory through manipulated file paths. An attacker with valid credentials could leverage this flaw to read sensitive files on the affected system, though code execution and data modification are not possible.

Path Traversal Squeeze
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-23942 MEDIUM PATCH This Month

The Erlang OTP ssh_sftpd module contains a path traversal vulnerability in the is_within_root/2 function that uses string prefix matching instead of proper path component validation to verify if accessed paths are within the configured root directory. An authenticated SFTP user can exploit this to access sibling directories sharing a common name prefix with the root directory (for example, if root is /home/user1, accessing /home/user10 or /home/user1_backup would succeed when it should fail). This vulnerability affects OTP versions 17.0 through 28.4.1 with corresponding SSH versions 3.0.1 through 5.5.1, with no confirmed active exploitation in the wild (KEV status not indicated as actively exploited) but with a moderate CVSS score of 5.3 reflecting the requirement for prior authentication.

Path Traversal Otp
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-32274 PyPI HIGH PATCH This Week

Arbitrary file write in Black (the Python code formatter) before 26.3.1 lets an attacker who controls the value of the --python-cell-magics option place cache files at attacker-chosen filesystem locations via path traversal. The unsanitized option value is embedded directly into the computed cache filename, so a value such as '../../../tmp/pwned' escapes the cache directory and overwrites or creates files elsewhere. No public exploit is identified at time of analysis, EPSS is very low (0.02%), and the issue is not in CISA KEV; practical risk is confined to environments that feed untrusted input into Black's command-line options.

Path Traversal Python Black
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32232 Cargo PATCH Monitor

### Summary Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request. ### Details #### R1 - Dangling Symlink Component Bypass - What happens: Path validation can miss dangling symlink components during traversal checks. - Why it matters: A symlink that is unresolved at validation time can later resolve to an external location. - Impact: Read and write operations may escape workspace boundaries. - Affected area: src/security/path.rs (check_symlink_escape). #### R2 - TOCTOU Between Validation and Use - What happens: The path is validated first, then used later for filesystem operations. - Why it matters: A concurrent filesystem change can swap path components after validation but before open/write. - Impact: Race-based workspace escape is possible. - Affected area: Filesystem and file-consuming tools that call validate_path_in_workspace before I/O. #### R3 - Hardlink Alias Bypass - What happens: A file inside workspace can be a hardlink to an inode outside the intended workspace trust boundary. - Why it matters: Prefix and symlink checks can pass while data access still mutates or reads external content. - Impact: Policy bypass for read/write operations. - Affected area: Any tool that reads or writes via validated paths. #### Risk Matrix | ID | Risk | Severity | Likelihood | Impact | |---|---|---|---|---| | R1 | Dangling symlink component bypass | High | Medium | Workspace boundary escape for read/write | | R2 | Validate/use TOCTOU race | High | Medium | Race-based boundary escape during file I/O | | R3 | Hardlink alias bypass | Medium | Low-Medium | External inode read/write through in-workspace path | ### PoC #### R1 - Dangling symlink component bypass 1. Create a symlink inside workspace pointing to a missing target. 2. Validate a path traversing that symlink. 3. Create the target directory outside workspace after validation. 4. Perform file operation and observe potential boundary escape if not fail-closed. #### R2 - TOCTOU between validation and use 1. Validate a candidate in-workspace path. 2. Before open/write, replace an intermediate component with a link to external location. 3. Continue with the file operation. 4. Observe boundary escape if operation trusts only stale validation result. #### R3 - Hardlink alias bypass 1. Place a hardlink inside workspace that points to an external inode. 2. Validate the in-workspace hardlink path. 3. Read or write through this path. 4. Observe external inode access through a path that appears in-scope. ### Impacts Unauthorized cross path boundary ## Credit [@zpbrent](https://github.com/zpbrent) ### Patch [f50c17e11ae3e2d40c96730abac41974ef2ee2a8](https://github.com/qhkm/zeptoclaw/commit/f50c17e11ae3e2d40c96730abac41974ef2ee2a8)

Path Traversal Race Condition
NVD GitHub
EPSS
0.1%
CVE-2025-66955 MEDIUM This Month

CVE-2025-66955 is a security vulnerability (CVSS 6.5) that allows remote authenticated users. Remediation should follow standard vulnerability management procedures.

Information Disclosure Path Traversal Live
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32140 HIGH This Week

Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.

RCE Path Traversal Dataease
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-32116 PyPI HIGH PATCH This Week

Magic Wormhole versions 0.21.0 through 0.22.x allow malicious senders to overwrite arbitrary files on a receiver's system during file transfer operations, potentially compromising SSH keys and shell configuration files. This path traversal vulnerability (CWE-22) requires the attacker to control the sending side of the transfer and affects any user receiving files from an untrusted source. No patch is currently available for this HIGH severity vulnerability.

Path Traversal Magic Wormhole
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28793 npm HIGH POC PATCH This Week

High severity vulnerability in TinaCMS. The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.

Path Traversal Tinacms Cli
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-28792 npm CRITICAL POC PATCH Act Now

TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.

Path Traversal Tinacms Cli
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-28791 npm HIGH PATCH This Week

High severity vulnerability in TinaCMS. ## Affected Package

Path Traversal Tinacms Cli
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-24125 npm MEDIUM PATCH This Month

Medium severity vulnerability in TinaCMS. ### Description

Path Traversal Tinacms Graphql
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-4044 LOW Monitor

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. [CVSS 3.8 LOW]

PHP Path Traversal
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-3954 MEDIUM This Month

OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the workspace router that allows unauthenticated remote attackers to manipulate the file_name parameter and access or modify arbitrary files on the system. Public exploit code is available for this vulnerability, which affects the integrity and availability of the application. The vendor has not yet released a patch despite early notification of the issue.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2019-25480 HIGH POC This Week

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]

PHP RCE Path Traversal File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25471 CRITICAL POC Act Now

Arbitrary file upload in FileThingie 2.5.7 via ZIP archives. PoC available.

PHP File Upload Path Traversal
NVD GitHub Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2019-25465 HIGH POC This Week

Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. [CVSS 7.5 HIGH]

Path Traversal
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-20162 MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-30234 MEDIUM This Month

OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.

Path Traversal Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27897 CRITICAL Act Now

Path traversal in Vociferous speech-to-text tool before 4.4.2. CVSS 10.0.

Path Traversal Vociferous
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-3013 HIGH This Week

Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-32061 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.17 allow privileged users with config modification access to read arbitrary files on the system through path traversal in the $include directive. An attacker in this position can exploit absolute paths, directory traversal sequences, or symlinks to access sensitive data like API keys and credentials that the OpenClaw process can read. No patch is currently available for this medium-severity vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-32060 npm HIGH PATCH This Week

OpenClaw versions before 2026.2.14 allow authenticated attackers to bypass filesystem restrictions in the apply_patch function through path traversal, enabling arbitrary file write and deletion operations outside the intended workspace. The vulnerability requires an authenticated user but no additional user interaction, and affects systems with apply_patch enabled without sandbox containment. No patch is currently available.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-21360 MEDIUM This Month

Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.

Adobe Path Traversal Commerce B2b Commerce Magento
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-31817 Go HIGH POC PATCH This Week

Arbitrary file write in OliveTin prior to 3000.11.2 allows authenticated attackers to write files to arbitrary filesystem locations via path traversal in the UniqueTrackingId parameter when the saveLogs feature is enabled. The vulnerability enables denial of service and potential system compromise through log file manipulation. Public exploit code exists and no patch is currently available.

Path Traversal Olivetin Suse
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-28807 HIGH GHSA This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding.

Path Traversal Wisp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-30952 npm HIGH PATCH This Week

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. versions up to 10.25.0 is affected by path traversal.

Path Traversal Liquidjs
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27825 PyPI CRITICAL PATCH Act Now

MCP Atlassian server has a path traversal vulnerability enabling unauthorized access to Confluence and Jira data outside the intended scope.

Atlassian Path Traversal RCE
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-30973 npm MEDIUM PATCH This Month

Appium's ZIP extraction function in @appium/support versions prior to 7.0.6 fails to properly enforce path traversal protections, allowing attackers to extract malicious ZIP files that write arbitrary files outside the intended directory. The vulnerability stems from an Error object that is created but never thrown, enabling Zip Slip attacks across all JavaScript-based extraction operations. An attacker can exploit this by crafting a malicious ZIP archive to overwrite sensitive files on systems using affected versions.

Path Traversal Appium Support
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30958 HIGH POC This Week

Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from the server via the /workflow/docs/:componentName endpoint, which fails to sanitize user input before passing it to file operations. Public exploit code exists for this vulnerability, affecting all users of vulnerable versions without authentication requirements. Upgrade to version 10.0.21 or later to remediate.

Path Traversal Oneuptime
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-30942 MEDIUM This Month

Flare versions before 1.7.3 contain a path traversal vulnerability in the avatar endpoint that allows authenticated users to read arbitrary files from the application container by exploiting unsanitized filename parameters. Any user with login access, including self-registered accounts on instances with open registration enabled (default configuration), can enumerate and retrieve sensitive files accessible to the Node.js process. The vulnerability requires authentication but poses a significant confidentiality risk on publicly accessible Flare instances without registration restrictions.

Path Traversal Flare Red Hat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-2741 Maven LOW PATCH Monitor

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 versions up to 14.14.0 is affected by path traversal.

Node.js Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-23907 Maven MEDIUM PATCH This Month

Apache PDFBox versions 2.0.24-2.0.35 and 3.0.0-3.0.6 contain a path traversal vulnerability in the ExtractEmbeddedFiles example that allows attackers to write files outside the intended extraction directory by manipulating embedded file names. Organizations that have integrated this example code into production systems are at risk of unauthorized file writes on the host system. No patch is currently available, requiring developers to manually implement path validation to ensure extracted files remain within the designated directory.

Apache Path Traversal Pdfbox Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-54659 MEDIUM This Month

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] vulnerability in Fortinet FortiSOAR Agent Communication Bridge 1.1.0, FortiSOAR Agent Communication Bridge 1.0 all versions may allow an unauthenticated attacker to read files accessible to the fortisoar user on a system where the agent is deployed, via sending a crafted request to the agent port. [CVSS 5.8 MEDIUM]

Fortinet Path Traversal
NVD VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-3585 HIGH This Week

The Events Calendar (WordPress plugin) versions up to 6.15.17 is affected by path traversal (CVSS 7.5).

WordPress Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.23 allow authenticated users with sandbox access to bypass workspace restrictions through a path traversal flaw in the apply_patch tool, enabling arbitrary file modification on the system. The vulnerability stems from inconsistent validation of mounted paths outside the workspace directory, permitting attackers to write to writable mounts beyond the intended sandbox boundaries. No patch is currently available for this MEDIUM severity issue.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper path sanitization in OpenEMR's DICOM export feature prior to version 8.0.0.2 allows authenticated users with DICOM permissions to write arbitrary files outside the intended directory through path traversal sequences. An attacker could exploit this to place malicious PHP files within the web root, potentially achieving remote code execution. The vulnerability requires valid credentials but poses significant risk to systems containing sensitive healthcare data.

PHP RCE Path Traversal
NVD GitHub VulDB
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.

Path Traversal Apple Kubernetes +2
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.

RCE Python Docker +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in PHP CloneSite plugin allows authenticated attackers to bypass path validation and remove critical files via path traversal in the deleteDump parameter, causing denial of service or facilitating privilege escalation attacks. An attacker with valid clone credentials can leverage unvalidated input passed directly to unlink() to delete arbitrary files including configuration.php and other security-critical application files. No patch is currently available for this vulnerability.

PHP Denial Of Service Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.

PHP Path Traversal Oracle +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

PyMuPDF versions up to 1.26.5 allow unauthenticated remote attackers to write arbitrary files to the system through path traversal in the embedded get function. This vulnerability enables denial of service attacks and potential system compromise without requiring authentication or user interaction. No patch is currently available.

Path Traversal PyMuPDF
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

The ThemeGoods Photography WordPress theme through version 7.7.5 permits authenticated administrators to upload arbitrary files with path traversal capabilities, enabling remote code execution and complete site compromise. While the CVSS score of 7.2 indicates high severity, the requirement for high-privileged admin credentials (PR:H) significantly constrains real-world exploitability. The EPSS score of 0.04% (12th percentile) suggests minimal likelihood of active exploitation, with no public exploit code identified at time of analysis.

Path Traversal File Upload
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed.

Path Traversal Ubiquiti
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Nginx's path traversal vulnerability enables unauthenticated remote attackers to bypass proxy routing controls and access unintended backend resources by exploiting improper normalization of encoded path sequences. The flaw allows attackers to reach protected endpoints and administrative interfaces that should be restricted through the proxy's access controls. A patch is available for this high-severity issue with a CVSS score of 7.5.

Path Traversal Nginx
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The `listFiles.json.php` endpoint in AVideo accepts an unsanitized POST parameter `path` and passes it directly to PHP's `glob()` function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate `.mp4` files anywhere on the server filesystem. An attacker with the standard `canUpload` permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as `/var/private/premium-content/` and the root filesystem.

Path Traversal PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

NLTK downloader contains a path traversal vulnerability that allows remote attackers to write arbitrary files to any location on the filesystem when a user downloads packages from a malicious server. Attackers controlling a remote XML index server can inject path traversal sequences (../) into package metadata to overwrite critical system files including /etc/passwd or SSH authorized_keys. A working proof-of-concept exploit exists demonstrating arbitrary file creation at /tmp/test_file.zip via malicious server and client script.

Python Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

A arbitrary file access vulnerability in the test connection function of backend database management in wgcloud (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A path traversal vulnerability in /ftl/web/setup.cgi in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to read arbitrary files from the filesystem via crafted values in the...

Path Traversal
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.

RCE Path Traversal Mlflow Mlflow
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.

Path Traversal Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Docker's IsSensitivePath() function uses an incomplete denylist that fails to restrict access to sensitive directories including /opt, /usr, /home, /mnt, and /media, allowing authenticated users with high privileges to read arbitrary files outside the intended workspace through the globalCopyFiles and importStdMd endpoints. An attacker with administrative credentials could exploit this path traversal vulnerability to access sensitive configuration files and data from other users or mounted volumes. No patch is currently available for this medium-severity issue.

Path Traversal Docker Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A NULL pointer dereference vulnerability in free5GC v4.0.1's UDM (Unified Data Management) service allows remote attackers to crash the service via a crafted POST request to the /sdm-subscriptions endpoint containing path traversal sequences and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go fails to validate pointers before dereferencing, causing complete service disruption requiring manual restart. All deployments of free5GC v4.0.1 utilizing UDM HTTP callback functionality are affected, and a patch is available via PR free5gc/udm#78.

Denial Of Service Null Pointer Dereference Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

A path traversal vulnerability in A Path Traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.

Microsoft Path Traversal Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authenticated Control Panel users can read arbitrary JSON, YAML, and CSV files from the server by manipulating the filename parameter in the fieldtype endpoint, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects versions prior to 5.73.14 and 6.7.0. No patch is currently available for affected deployments.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Jenkins Path Traversal Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.

Path Traversal Node.js CSRF +5
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.

Path Traversal Cpython
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation bypass vulnerability that allows local attackers with low privileges to circumvent allowed-root and blocked-path security checks through symlinked parent directories combined with non-existent leaf paths. An attacker can craft bind source paths that appear to reside within permitted sandbox roots but resolve outside sandbox boundaries once missing path components are created, effectively weakening the sandbox's bind-source isolation enforcement. A patch is available from the vendor, and exploitation requires local access with standard user privileges, making this a practical threat in multi-tenant or shared-system environments.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability that allows authenticated attackers to read arbitrary files from the host system through the sendAttachment and setGroupIcon message actions when sandboxRoot configuration is unset. An attacker with valid credentials can exploit path traversal to hydrate media from absolute file paths, gaining unauthorized access to sensitive files accessible by the OpenClaw runtime user. A patch is available from the vendor, and this vulnerability has been tracked in the ENISA EUVD database (EUVD-2026-12732) with confirmed GitHub security advisory and commit-level patch information.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

OpenClaw contains a path traversal vulnerability in the Feishu media download functionality where untrusted media key values are directly interpolated into temporary file paths without sanitization. OpenClaw versions prior to 2026.2.19 are affected, allowing remote unauthenticated attackers to write arbitrary files within the process permissions by using directory traversal sequences in media keys. No public evidence of active exploitation (KEV) or public proof-of-concept exists at this time, though the high CVSS score of 8.2 reflects the network-accessible attack vector and lack of authentication requirements.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Local file disclosure in the Ray Dashboard (default TCP port 8265) of the Ray distributed-computing framework affects all releases prior to 2.8.1, where the static file handler fails to sanitize user-supplied paths. Remote attackers can submit directory-traversal sequences to read arbitrary files outside the intended static directory, exposing source code, configuration, and credentials. Publicly available exploit code exists (reported by VulnCheck), though EPSS estimates exploitation probability at only 0.07% (20th percentile) and the issue is not listed in CISA KEV.

Path Traversal Ray
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.

RCE Privilege Escalation Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Agent Zero 0.9.7-10's get_abs_path function in python/helpers/files.py is vulnerable to path traversal, allowing authenticated remote attackers to access files outside intended directories with limited confidentiality impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Path Traversal Python
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433.

Path Traversal Java
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

The DTrace dtprobed component contains a path traversal vulnerability (CWE-22) that allows local attackers with limited privileges to create arbitrary files on the system by supplying crafted USDT provider names. This vulnerability affects Oracle Linux 8, 9, and 10, and while it carries a CVSS score of 5.5, the EPSS score of 0.01% (percentile 2%) indicates very low exploitation probability in the wild, with no evidence of active exploitation or public proof-of-concept code.

Path Traversal
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in the webserver's archive extraction function allows unauthenticated remote attackers to write files outside the intended directory by crafting malicious tar archives, due to incomplete path validation in the sanitizeArchivePath function. The vulnerability affects the download command's decompression functionality and could enable arbitrary file placement on the system. A patch is available.

Path Traversal Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Remote unauthenticated attackers can read arbitrary server files in ZwickRoell Test Data Management versions before 3.0.8 by exploiting a path traversal flaw in the node_upgrade_srv.js endpoint's firmware parameter. The vulnerability enables direct access to sensitive system files including credentials, configuration data, and source code without authentication. Despite the high CVSS score (8.7), the low EPSS probability (0.06%, 17th percentile) indicates minimal automated exploitation activity, though the unauthenticated network attack vector and low complexity make this readily exploitable if discovered by adversaries targeting industrial testing infrastructure.

Path Traversal Information Disclosure Test Data Management
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Path traversal in the `extractor` CLI tool and `extract.DumpOTelCollector` library function allows attackers to write files outside the intended extraction directory by exploiting an incomplete path validation check in the `sanitizeArchivePath` function. A maliciously crafted tar archive can bypass the prefix check and place arbitrary files on the system when processed. A patch is available to address the missing trailing path separator validation.

Path Traversal Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in the resourcePatchHandler allows authenticated users with Create or Rename permissions to bypass access control rules by injecting path traversal sequences (`..\`) into PATCH requests, since validation occurs before path normalization. An attacker can exploit this to copy or rename files to restricted directories that should be protected by administrator-configured deny rules. No patch is currently available.

Path Traversal Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.

Path Traversal SQLi Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.

Python Docker Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.

Docker PostgreSQL Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Path traversal in Craft CMS AssetsController allows authenticated users with replaceFiles permission to delete arbitrary files on local filesystems by injecting directory traversal sequences into the targetFilename parameter, potentially affecting files across multiple volumes sharing the same filesystem root. The vulnerability exists because user input is processed by deleteFile() before proper sanitization is applied. Users should upgrade to Craft 4.17.5 or 5.9.11 to resolve this issue.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in ThingsGateway 12's /api/file/download endpoint allows authenticated users to read arbitrary files through manipulation of the fileName parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Path Traversal Thingsgateway
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A path traversal vulnerability exists in SSCMS versions up to 7.4.0 within the PathUtils.RemoveParentPath function of the plugin download API endpoint (/api/admin/plugins/install/actions/download). An authenticated administrator with high privileges can manipulate the path argument to traverse the file system and access or modify files outside the intended directory, potentially leading to information disclosure or system compromise. The vulnerability has public proof-of-concept code available, though the CVSS score of 3.8 is relatively low due to the requirement for authenticated administrative access, making this a lower-priority but still exploitable issue in environments where admin credentials may be compromised.

Path Traversal Sscms
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

A path traversal vulnerability in Smart Switch (CVSS 7.1) that allows adjacent attackers. High severity vulnerability requiring prompt remediation.

Path Traversal Smart Switch
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Galaxy Store versions prior to 4.6.03.8 contain a path traversal vulnerability that enables local attackers to create files with Galaxy Store privileges. This could allow an attacker with local access to escalate their capabilities by writing malicious files in unintended locations. No patch is currently available for this issue.

Path Traversal Galaxy Store
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Galaxy Store versions prior to 4.6.03.8 contain an access control flaw that enables local attackers to create files with elevated Galaxy Store privileges. This vulnerability affects local users on affected devices and could allow privilege escalation or persistence mechanisms. No patch is currently available.

Path Traversal Galaxy Store
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.

Privilege Escalation Path Traversal Information Disclosure +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.

Path Traversal RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on flight controller filesystems without authentication or privilege requirements. Affected versions are prior to 1.17.0-rc2, impacting both NuttX-based flight controllers and POSIX targets (Linux companion computers and SITL simulation environments). Attackers with network access to MAVLink communication channels can exploit this vulnerability to compromise flight controller integrity, extract sensitive configuration data, or inject malicious firmware.

Path Traversal Px4 Autopilot
NVD GitHub
EPSS 10% CVSS 7.5
HIGH Act Now

IceWarp collaboration platform contains an unauthenticated directory traversal vulnerability that allows remote attackers to read sensitive files from the server. The flaw exists in HTTP request handling, enabling access to configuration files, user data, and potentially email contents stored on the server.

Path Traversal Information Disclosure Icewarp
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Critical authentication bypass vulnerability in Unraid's auth-request.php file that allows remote attackers to gain unauthorized access without credentials through path traversal exploitation. The vulnerability affects all versions of Unraid (CPE indicates no version restrictions) and can be exploited over the network with low complexity, potentially compromising system confidentiality, integrity, and availability. No KEV listing or EPSS data was provided, suggesting this may be a recently disclosed vulnerability without known active exploitation.

Authentication Bypass PHP Path Traversal +1
NVD VulDB
EPSS 2% CVSS 8.8
HIGH This Week

Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.

PHP Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Arbitrary file write vulnerability in Calibre's RocketBook input plugin enables attackers to write files to any location accessible by the Calibre process when a user opens or converts a malicious .rb file. The path traversal flaw affects versions prior to 9.5.0 and represents an unpatched instance of the same vulnerability class previously fixed in the PDB reader component. Local attackers can leverage this to corrupt files, modify configuration, or potentially achieve code execution depending on file system permissions.

Path Traversal Calibre Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SFTPGo versions prior to 2.7.1 contain a path normalization vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) that allows authenticated attackers to bypass folder-level permissions and escape Virtual Folder boundaries through crafted file paths. An attacker with valid credentials can exploit this authorization bypass to access files and directories beyond their intended scope. The vulnerability has been patched in version 2.7.1 with strict edge-level path normalization, and while no public POC or KEV status has been disclosed, the CVSS 5.3 (network-accessible, low complexity) and requirement for prior authentication suggest this is a real but moderate-priority issue.

Canonical Path Traversal Suse
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.

Path Traversal RCE Google
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal via dagRunId in DAG execution endpoints.

Python Authentication Bypass Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Apache Livy versions 0.3.0 through 0.8.x contain a path traversal vulnerability (CWE-22) that allows authenticated attackers to bypass directory restrictions and access files outside intended whitelist boundaries. The vulnerability only manifests when the 'livy.file.local-dir-whitelist' configuration parameter is set to a non-default value, enabling attackers with valid credentials to read, write, or execute arbitrary files on the server. With a CVSS score of 6.3 (moderate severity) reflecting the requirement for authenticated access and limited impact scope, this vulnerability warrants prioritization for organizations using Livy in multi-tenant or untrusted user environments.

Path Traversal Apache Apache Livy
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM This Month

Squeeze versions 1.7.7 and earlier contain a path traversal vulnerability that allows authenticated attackers to access files outside the intended directory through manipulated file paths. An attacker with valid credentials could leverage this flaw to read sensitive files on the affected system, though code execution and data modification are not possible.

Path Traversal Squeeze
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Erlang OTP ssh_sftpd module contains a path traversal vulnerability in the is_within_root/2 function that uses string prefix matching instead of proper path component validation to verify if accessed paths are within the configured root directory. An authenticated SFTP user can exploit this to access sibling directories sharing a common name prefix with the root directory (for example, if root is /home/user1, accessing /home/user10 or /home/user1_backup would succeed when it should fail). This vulnerability affects OTP versions 17.0 through 28.4.1 with corresponding SSH versions 3.0.1 through 5.5.1, with no confirmed active exploitation in the wild (KEV status not indicated as actively exploited) but with a moderate CVSS score of 5.3 reflecting the requirement for prior authentication.

Path Traversal Otp
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary file write in Black (the Python code formatter) before 26.3.1 lets an attacker who controls the value of the --python-cell-magics option place cache files at attacker-chosen filesystem locations via path traversal. The unsanitized option value is embedded directly into the computed cache filename, so a value such as '../../../tmp/pwned' escapes the cache directory and overwrites or creates files elsewhere. No public exploit is identified at time of analysis, EPSS is very low (0.02%), and the issue is not in CISA KEV; practical risk is confined to environments that feed untrusted input into Black's command-line options.

Path Traversal Python Black
NVD GitHub VulDB
EPSS 0%
PATCH Monitor

### Summary Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request. ### Details #### R1 - Dangling Symlink Component Bypass - What happens: Path validation can miss dangling symlink components during traversal checks. - Why it matters: A symlink that is unresolved at validation time can later resolve to an external location. - Impact: Read and write operations may escape workspace boundaries. - Affected area: src/security/path.rs (check_symlink_escape). #### R2 - TOCTOU Between Validation and Use - What happens: The path is validated first, then used later for filesystem operations. - Why it matters: A concurrent filesystem change can swap path components after validation but before open/write. - Impact: Race-based workspace escape is possible. - Affected area: Filesystem and file-consuming tools that call validate_path_in_workspace before I/O. #### R3 - Hardlink Alias Bypass - What happens: A file inside workspace can be a hardlink to an inode outside the intended workspace trust boundary. - Why it matters: Prefix and symlink checks can pass while data access still mutates or reads external content. - Impact: Policy bypass for read/write operations. - Affected area: Any tool that reads or writes via validated paths. #### Risk Matrix | ID | Risk | Severity | Likelihood | Impact | |---|---|---|---|---| | R1 | Dangling symlink component bypass | High | Medium | Workspace boundary escape for read/write | | R2 | Validate/use TOCTOU race | High | Medium | Race-based boundary escape during file I/O | | R3 | Hardlink alias bypass | Medium | Low-Medium | External inode read/write through in-workspace path | ### PoC #### R1 - Dangling symlink component bypass 1. Create a symlink inside workspace pointing to a missing target. 2. Validate a path traversing that symlink. 3. Create the target directory outside workspace after validation. 4. Perform file operation and observe potential boundary escape if not fail-closed. #### R2 - TOCTOU between validation and use 1. Validate a candidate in-workspace path. 2. Before open/write, replace an intermediate component with a link to external location. 3. Continue with the file operation. 4. Observe boundary escape if operation trusts only stale validation result. #### R3 - Hardlink alias bypass 1. Place a hardlink inside workspace that points to an external inode. 2. Validate the in-workspace hardlink path. 3. Read or write through this path. 4. Observe external inode access through a path that appears in-scope. ### Impacts Unauthorized cross path boundary ## Credit [@zpbrent](https://github.com/zpbrent) ### Patch [f50c17e11ae3e2d40c96730abac41974ef2ee2a8](https://github.com/qhkm/zeptoclaw/commit/f50c17e11ae3e2d40c96730abac41974ef2ee2a8)

Path Traversal Race Condition
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

CVE-2025-66955 is a security vulnerability (CVSS 6.5) that allows remote authenticated users. Remediation should follow standard vulnerability management procedures.

Information Disclosure Path Traversal Live
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.

RCE Path Traversal Dataease
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Magic Wormhole versions 0.21.0 through 0.22.x allow malicious senders to overwrite arbitrary files on a receiver's system during file transfer operations, potentially compromising SSH keys and shell configuration files. This path traversal vulnerability (CWE-22) requires the attacker to control the sending side of the transfer and affects any user receiving files from an untrusted source. No patch is currently available for this HIGH severity vulnerability.

Path Traversal Magic Wormhole
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

High severity vulnerability in TinaCMS. The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.

Path Traversal Tinacms Cli
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.

Path Traversal Tinacms Cli
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

High severity vulnerability in TinaCMS. ## Affected Package

Path Traversal Tinacms Cli
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Medium severity vulnerability in TinaCMS. ### Description

Path Traversal Tinacms Graphql
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. [CVSS 3.8 LOW]

PHP Path Traversal
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the workspace router that allows unauthenticated remote attackers to manipulate the file_name parameter and access or modify arbitrary files on the system. Public exploit code is available for this vulnerability, which affects the integrity and availability of the application. The vendor has not yet released a patch despite early notification of the issue.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]

PHP RCE Path Traversal +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Arbitrary file upload in FileThingie 2.5.7 via ZIP archives. PoC available.

PHP File Upload Path Traversal
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. [CVSS 7.5 HIGH]

Path Traversal
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.

Path Traversal Openproject
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Path traversal in Vociferous speech-to-text tool before 4.4.2. CVSS 10.0.

Path Traversal Vociferous
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.17 allow privileged users with config modification access to read arbitrary files on the system through path traversal in the $include directive. An attacker in this position can exploit absolute paths, directory traversal sequences, or symlinks to access sensitive data like API keys and credentials that the OpenClaw process can read. No patch is currently available for this medium-severity vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OpenClaw versions before 2026.2.14 allow authenticated attackers to bypass filesystem restrictions in the apply_patch function through path traversal, enabling arbitrary file write and deletion operations outside the intended workspace. The vulnerability requires an authenticated user but no additional user interaction, and affects systems with apply_patch enabled without sandbox containment. No patch is currently available.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.

Adobe Path Traversal Commerce B2b +2
NVD
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Arbitrary file write in OliveTin prior to 3000.11.2 allows authenticated attackers to write files to arbitrary filesystem locations via path traversal in the UniqueTrackingId parameter when the saveLogs feature is enabled. The vulnerability enables denial of service and potential system compromise through log file manipulation. Public exploit code exists and no patch is currently available.

Path Traversal Olivetin Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding.

Path Traversal Wisp
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. versions up to 10.25.0 is affected by path traversal.

Path Traversal Liquidjs
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

MCP Atlassian server has a path traversal vulnerability enabling unauthorized access to Confluence and Jira data outside the intended scope.

Atlassian Path Traversal RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Appium's ZIP extraction function in @appium/support versions prior to 7.0.6 fails to properly enforce path traversal protections, allowing attackers to extract malicious ZIP files that write arbitrary files outside the intended directory. The vulnerability stems from an Error object that is created but never thrown, enabling Zip Slip attacks across all JavaScript-based extraction operations. An attacker can exploit this by crafting a malicious ZIP archive to overwrite sensitive files on systems using affected versions.

Path Traversal Appium Support
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from the server via the /workflow/docs/:componentName endpoint, which fails to sanitize user input before passing it to file operations. Public exploit code exists for this vulnerability, affecting all users of vulnerable versions without authentication requirements. Upgrade to version 10.0.21 or later to remediate.

Path Traversal Oneuptime
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Flare versions before 1.7.3 contain a path traversal vulnerability in the avatar endpoint that allows authenticated users to read arbitrary files from the application container by exploiting unsanitized filename parameters. Any user with login access, including self-registered accounts on instances with open registration enabled (default configuration), can enumerate and retrieve sensitive files accessible to the Node.js process. The vulnerability requires authentication but poses a significant confidentiality risk on publicly accessible Flare instances without registration restrictions.

Path Traversal Flare Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 versions up to 14.14.0 is affected by path traversal.

Node.js Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Apache PDFBox versions 2.0.24-2.0.35 and 3.0.0-3.0.6 contain a path traversal vulnerability in the ExtractEmbeddedFiles example that allows attackers to write files outside the intended extraction directory by manipulating embedded file names. Organizations that have integrated this example code into production systems are at risk of unauthorized file writes on the host system. No patch is currently available, requiring developers to manually implement path validation to ensure extracted files remain within the designated directory.

Apache Path Traversal Pdfbox +2
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] vulnerability in Fortinet FortiSOAR Agent Communication Bridge 1.1.0, FortiSOAR Agent Communication Bridge 1.0 all versions may allow an unauthenticated attacker to read files accessible to the fortisoar user on a system where the agent is deployed, via sending a crafted request to the agent port. [CVSS 5.8 MEDIUM]

Fortinet Path Traversal
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The Events Calendar (WordPress plugin) versions up to 6.15.17 is affected by path traversal (CVSS 7.5).

WordPress Path Traversal
NVD
Prev Page 15 of 86 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy