Path Traversal
Monthly
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitize malicious filenames, allowing attackers to write files outside the intended sandbox directory through crafted extension archives. Public exploit code exists for this vulnerability. An attacker can exploit this by distributing a malicious extension that, when installed, deposits files in arbitrary locations on the affected system.
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries.
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configuration files containing hardcoded database and service credentials. An attacker with valid application access and appropriate permissions can leverage publicly available source code to easily craft requests that expose these sensitive files, potentially enabling lateral movement to backend systems. No patch is currently available for affected versions.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass path traversal protections and upload malicious files to arbitrary server locations. An attacker can leverage the uploaded file to achieve code execution on the underlying system, though read-only server configurations may prevent actual execution. The vulnerability affects versions prior to 26.0.5, 27.0.2, and 28.0.0, with no patch currently available.
Path traversal in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta allows authenticated remote attackers to read arbitrary files by manipulating the templateName parameter in the /api/admin/common/download/templates endpoint. Public exploit code exists for this vulnerability. Users should upgrade to version 1.3.3-beta or later, which implements proper path validation checks.
The Dart and Flutter SDKs provide software development kits for the Dart programming language. [CVSS 7.5 HIGH]
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables data destruction on the deployment server.
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]
Arbitrary file write vulnerability in Data Master ADM versions 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.2.RE51 allows remote or man-in-the-middle attackers to bypass filename sanitization in FTP backup operations and place malicious files outside the intended directory. An attacker can exploit this path traversal flaw to overwrite critical system files and potentially execute code with elevated privileges. No patch is currently available, and exploitation requires moderate attack complexity but no user interaction.
Path traversal in Lanscope Endpoint Manager Sub-Manager Server version 9.4.7.3 and earlier allows access to files outside restricted directories on managed endpoints.
Path traversal and extension bypass in Flask-Reuploaded file upload library. Allows uploading files with arbitrary extensions to arbitrary directories. PoC and patch available.
Arbitrary file write via path traversal in the Rollup JavaScript module bundler lets an attacker who can influence build inputs write or overwrite files anywhere the build process can reach, escalating to persistent remote code execution by clobbering system or user configuration files. Affected are 4.x releases before 4.59.0 (and the 2.x/3.x lines before 2.80.0 and 3.30.0), where insecure output filename sanitization permits `../` traversal through CLI named inputs, manual chunk aliases, or malicious plugins. Publicly available exploit code exists (GitHub Security Advisory GHSA-mw96-cpmx-2vgc), though no public exploit is identified as active in-the-wild use; EPSS is modest at 0.62% (70th percentile).
Bit7z versions prior to 4.0.11 contain a path traversal vulnerability that allows arbitrary file writes outside the intended extraction directory when processing malicious archives through relative paths, absolute paths, or symbolic links. Applications using bit7z to extract untrusted archives are affected, enabling attackers to overwrite critical files with the privileges of the extraction process. Public exploit code exists for this vulnerability.
Fiber web framework versions 3.0.0 and earlier on Windows contain a path traversal vulnerability that allows remote attackers to bypass static file middleware protections and read arbitrary files from the server. Public exploit code exists for this vulnerability, which affects applications using the vulnerable Fiber versions. The issue has been patched in Fiber v3.1.0.
Path traversal in Linksys MR9600 and MX4200 firmware allows attackers with physical access to mount arbitrary USB drive partitions into the file system, potentially enabling root-level code execution. Public exploit code exists for this vulnerability, and no patch is currently available. Affected versions include MR9600 1.0.4.205530 and MX4200 1.0.13.210200.
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrictions through path traversal in the /api/files endpoint. An attacker can exploit insufficient filename validation to write arbitrary files to any location on the server, achieving command execution. Public exploit code exists for this vulnerability.
A vulnerability was determined in MuYuCMS 2.7. Affected is the function delete_dir_file of the file application/admin/controller/Template.php of the component Template Management Page. [CVSS 3.8 LOW]
HummerRisk versions up to 1.5.0 contain a path traversal vulnerability in the archive extraction functionality that allows authenticated remote attackers to read and write arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects the extractTarGZ and extractZip functions in the common utilities library.
Local file disclosure in ImageMagick before 7.1.2-15 and 6.9.13-40 lets attackers bypass the path security policy (policy-secure.xml) using directory traversal, reading files a rule such as `/etc/*` was meant to block. Because the policy matcher evaluates the raw, unnormalized filename string before the OS resolves it, a traversal sequence slips past the deny rule while the kernel still opens the real sensitive file. No public exploit is identified at time of analysis and EPSS is very low (0.04%), but the bug undermines a control specifically deployed to harden image-processing pipelines that handle untrusted input.
Path traversal in Dinky up to version 1.2.5 allows authenticated remote attackers to access arbitrary files on the system through manipulation of the projectName parameter in the GitRepository component. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this to read sensitive files or potentially escalate privileges within Java-based Dinky deployments.
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by setting device identifiers to absolute paths, which bypass path validation during image uploads. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with device management privileges could write files outside the intended media directory, potentially compromising system integrity.
Path traversal in Dromara UJCMS 101.2 Template Handler allows authenticated remote attackers to manipulate the deleteDirectory function and access files outside intended directories. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The attack requires valid credentials but can be executed remotely with minimal complexity.
Path traversal in the pictureDelete function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated remote attackers to manipulate the picName parameter and access arbitrary files on the system. Public exploit code exists for this vulnerability. No patch is currently available, and the developers have not responded to the disclosure.
Path traversal in the FileServiceImpl.deleteFile function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated attackers to manipulate file deletion operations remotely. Public exploit code exists for this vulnerability, and the developer has not yet addressed the reported issue. An attacker with valid credentials could delete or access arbitrary files on the affected system.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
Arbitrary file read vulnerability in GetSimple CMS affects all versions through its Uploaded Files feature, allowing unauthenticated remote attackers to access sensitive files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available. The high-severity flaw (CVSS 7.5) poses a significant confidentiality risk to all GetSimple CMS deployments.
Remote code execution in the MLflow Tracking Server allows unauthenticated attackers (PR:N) to abuse the artifact handler's path processing to read or write files outside the intended artifact root and ultimately run code as the server's service account. The flaw is a CWE-22 path traversal in artifact file-path handling reachable over the network with low complexity. No public exploit is identified at time of analysis, but the EPSS score of 15.58% (95th percentile) signals notably elevated near-term exploitation likelihood for an MLOps component frequently exposed on internal and cloud networks.
ADB Explorer through version 0.9.26020 fails to validate user-supplied directory paths, enabling local attackers to trigger recursive deletion of arbitrary filesystem directories including critical system and user folders. An attacker can exploit this by crafting a malicious shortcut or script that launches the application with a sensitive path argument, causing permanent data loss when the application processes the ClearDrag() function at startup or exit. Any user tricked into launching ADB Explorer via a weaponized shortcut or batch file faces complete loss of targeted directories such as Documents or user profile folders.
Spring Data Geode's snapshot import feature on Windows systems is vulnerable to path traversal attacks that enable attackers to write arbitrary files outside the intended extraction directory. Remote attackers can exploit this vulnerability without authentication to potentially overwrite critical system or application files. No patch is currently available.
Authenticated attackers can traverse directory restrictions in Mitchell Bennis Simple File List versions up to 6.1.15 to read files outside intended directories, requiring valid credentials but no user interaction. This path traversal vulnerability impacts confidentiality but not system integrity or availability, with no patch currently available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal.This issue affects Woo File Dropzone: from n/a through <= 1.1.7. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal.This issue affects Open User Map: from n/a through <= 1.4.16. [CVSS 6.5 MEDIUM]
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path. [CVSS 6.5 MEDIUM]
Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable location via path traversal in PDB file readers, potentially enabling code execution or system compromise through file overwriting. The vulnerability affects both 132-byte and 202-byte PDB header variants and silently overwrites existing files without warning. Public exploit code exists and patches are available in version 9.3.0 and later.
Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traversal flaw in the extract_pictures() function that fails to properly sanitize directory traversal sequences. On Windows systems, attackers can exploit this to write malicious payloads to the Startup folder, achieving code execution upon the next user login. Public exploit code exists for this vulnerability, and a patch is available in version 9.3.0.
Remote code execution in Music Assistant Server 2.6.3 and below enables unauthenticated network-adjacent attackers to execute arbitrary code through path traversal in the playlist update API, which fails to enforce file extension restrictions and allows writing malicious Python files to site-packages. The vulnerability is particularly critical because affected containers typically run as root, amplifying the impact of successful exploitation. No patch is currently available, leaving installations at risk until an upgrade to version 2.7.0 or later is performed.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. [CVSS 7.5 HIGH]
Penpot before version 2.13.2 contains a path traversal vulnerability in the font creation endpoint that allows authenticated users with team edit permissions to read arbitrary files from the server filesystem. By supplying local file paths such as `/etc/passwd` as font data, attackers can retrieve sensitive files including system configuration, application secrets, and credentials. Public exploit code exists for this vulnerability, which could enable further server compromise depending on the Penpot process permissions.
Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.
Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. Public exploit code exists for this medium-severity vulnerability, though a patch is available in version 5.0.3.
Dell Unisphere for PowerMax 10.2 contains a relative path traversal flaw that allows authenticated remote attackers to modify critical system files without user interaction. The vulnerability affects systems with low-privileged user accounts and carries high integrity and availability impact, though no patch is currently available. With an EPSS score of 0.1%, exploitation likelihood remains low despite the HIGH severity rating.
Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests
Path traversal in CyreneAdmin's image handler endpoint allows authenticated attackers to read arbitrary files on the server through manipulation of the Avatar parameter. The vulnerability affects versions up to 1.3.0 and requires valid user credentials to exploit, limiting the attack surface to authenticated users. Public exploit code exists and no patch is currently available.
Tsinghua Unigroup Electronic Archives System 3.2.210802 contains a path traversal vulnerability in the download functionality that allows authenticated remote attackers to read arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it accessible to any authenticated user with network access.
Path traversal in Tsinghua Unigroup Electronic Archives System 3.2.210802 allows authenticated remote attackers to read arbitrary files through manipulation of the path parameter in the /Search/Subject/downLoad function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it a practical risk for organizations using this system.
gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. [CVSS 7.5 HIGH]
Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that allows remote attackers to access system files by manipulating URL path segments. [CVSS 7.5 HIGH]
Unauthenticated attackers can read arbitrary files from InvoicePlane servers through path traversal in the Guest controller's file retrieval function, potentially exposing database credentials and other sensitive configuration data. This vulnerability affects InvoicePlane versions up to 1.6.3 and has public exploit code available. Version 1.6.4 resolves the issue.
Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. [CVSS 3.5 LOW]
Path traversal vulnerability in the AMR Printer Management 1.01 Beta web service, which allows remote attackers to read arbitrary files from the underlying Windows system by using specially crafted path traversal sequences in requests directed to the web management service.
Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. [CVSS 2.7 LOW]
Path traversal in Blossom up to version 1.17.1 file upload functionality allows authenticated remote attackers to access arbitrary files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Arbitrary file deletion in Dell Avamar Server and Virtual Edition versions before 19.10 SP1 with CHF338912 stems from improper path traversal validation in the security module. High-privileged remote attackers can exploit this vulnerability to delete files on affected systems, though no patch is currently available.
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 6.5 MEDIUM]
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 4.7 MEDIUM]
Path traversal in Rocket TRUfusion Enterprise through 7.10.5 via /axis2/services endpoint allows authenticated attackers to read and write arbitrary files on the host. EPSS 0.32%.
Path traversal in ZenTao's editor component (versions up to 21.7.8) allows authenticated attackers to manipulate the filePath parameter and access files outside intended directories. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems vulnerable to unauthorized file access and potential information disclosure.
ZenTao versions up to 21.7.8 contain a path traversal vulnerability in the backup handler that allows authenticated attackers to manipulate file parameters and access or delete arbitrary files on the affected system. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed remotely without user interaction.
Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.
The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]
Authenticated users in lakeFS prior to version 1.77.0 can exploit path traversal vulnerabilities in the local block adapter to read and write files outside their intended storage boundaries by bypassing insufficient prefix validation checks. An attacker with valid credentials can manipulate object identifiers and path sequences to access sibling directories and storage namespaces they should not have access to. A patch is available in version 1.77.0 and later.
Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary files from the server by manipulating file paths during recipe import operations. An attacker could access sensitive system files like /etc/passwd or application configuration files, potentially leading to full system compromise. Public exploit code exists for this vulnerability.
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. [CVSS 7.5 HIGH]
Zip slip to RCE in MojoPortal CMS v2.9.0.1 via /DesignTools/SkinList.aspx. Malicious ZIP archives write files outside extraction directory, enabling code execution. CVSS 10.0.
Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. [CVSS 7.5 HIGH]
Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers read any file on the server by supplying file:// URLs to the /execute_js, /screenshot, /pdf, and /html endpoints. Because the API validates no scheme, an attacker can exfiltrate /etc/passwd, /etc/shadow, application config, and process environment via /proc/self/environ - directly exposing credentials and API keys. Publicly documented in GitHub advisory GHSA-vx9w-5cx4-9796 with a working request example; no public exploit identified as active exploitation, and EPSS is low (0.06%, 19th percentile).
An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older. [CVSS 7.5 HIGH]
Arbitrary file write vulnerability in Apple's macOS, iOS, iPadOS, and Safari resulting from improper path handling logic allows remote attackers to write files without authentication or user interaction. Affected versions include macOS Tahoe 26.3 and earlier, macOS Sonoma 14.8.4 and earlier, iOS 18.7.5 and earlier, and Safari 26.3 and earlier. No patch is currently available for this high-severity vulnerability.
Improper path validation in Apple's macOS, iOS, and visionOS allows local attackers to bypass directory access restrictions and read sensitive user data through crafted file paths. An authenticated user with local access can exploit this parsing weakness without user interaction to access confidential information. No patch is currently available for this vulnerability.
Improper path validation in macOS and visionOS allows local attackers with user interaction to read sensitive user data through directory path manipulation. The vulnerability affects macOS Sequoia 15.7.3 and earlier, macOS Sonoma 14.8.3 and earlier, macOS Tahoe 26.2 and earlier, and visionOS 26.2 and earlier. No patch is currently available.
Local privilege escalation in Apple macOS, iOS, and iPadOS through improper path validation allows authenticated attackers to gain root privileges on affected devices. The vulnerability requires local access and user interaction is not required, making it exploitable by malicious applications already present on the system. No patch is currently available for this high-severity flaw affecting multiple Apple operating systems.
Improper path validation in macOS (Sequoia 15.7.3 and earlier, Tahoe 26.2 and earlier, Sonoma 14.8.3 and earlier) permits local authenticated users to escalate privileges to root through a malicious application. This path traversal vulnerability (CWE-22) has a CVSS score of 7.8 and currently lacks a publicly available patch.
A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5. [CVSS 5.5 MEDIUM]
A path handling issue was addressed with improved logic. This issue is fixed in macOS Sonoma 14.8.4. [CVSS 5.5 MEDIUM]
Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attackers with high privileges to traverse the directory structure and read arbitrary files from the server. Public exploit code exists for this path traversal vulnerability, and no patch is currently available for affected deployments.
Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers to access sensitive system files by manipulating the asset path parameter. Attackers can exploit the path parameter in /admin/voyager-assets to read arbitrary files like /etc/passwd and .env configuration files. [CVSS 7.5 HIGH]
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function. [CVSS 7.5 HIGH]
Path traversal in nanotar npm package through 0.2.0. The parseTar() and parseTarGzip() functions allow attackers to write files outside the extraction directory.
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitize malicious filenames, allowing attackers to write files outside the intended sandbox directory through crafted extension archives. Public exploit code exists for this vulnerability. An attacker can exploit this by distributing a malicious extension that, when installed, deposits files in arbitrary locations on the affected system.
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries.
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configuration files containing hardcoded database and service credentials. An attacker with valid application access and appropriate permissions can leverage publicly available source code to easily craft requests that expose these sensitive files, potentially enabling lateral movement to backend systems. No patch is currently available for affected versions.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass path traversal protections and upload malicious files to arbitrary server locations. An attacker can leverage the uploaded file to achieve code execution on the underlying system, though read-only server configurations may prevent actual execution. The vulnerability affects versions prior to 26.0.5, 27.0.2, and 28.0.0, with no patch currently available.
Path traversal in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta allows authenticated remote attackers to read arbitrary files by manipulating the templateName parameter in the /api/admin/common/download/templates endpoint. Public exploit code exists for this vulnerability. Users should upgrade to version 1.3.3-beta or later, which implements proper path validation checks.
The Dart and Flutter SDKs provide software development kits for the Dart programming language. [CVSS 7.5 HIGH]
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables data destruction on the deployment server.
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]
Arbitrary file write vulnerability in Data Master ADM versions 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.2.RE51 allows remote or man-in-the-middle attackers to bypass filename sanitization in FTP backup operations and place malicious files outside the intended directory. An attacker can exploit this path traversal flaw to overwrite critical system files and potentially execute code with elevated privileges. No patch is currently available, and exploitation requires moderate attack complexity but no user interaction.
Path traversal in Lanscope Endpoint Manager Sub-Manager Server version 9.4.7.3 and earlier allows access to files outside restricted directories on managed endpoints.
Path traversal and extension bypass in Flask-Reuploaded file upload library. Allows uploading files with arbitrary extensions to arbitrary directories. PoC and patch available.
Arbitrary file write via path traversal in the Rollup JavaScript module bundler lets an attacker who can influence build inputs write or overwrite files anywhere the build process can reach, escalating to persistent remote code execution by clobbering system or user configuration files. Affected are 4.x releases before 4.59.0 (and the 2.x/3.x lines before 2.80.0 and 3.30.0), where insecure output filename sanitization permits `../` traversal through CLI named inputs, manual chunk aliases, or malicious plugins. Publicly available exploit code exists (GitHub Security Advisory GHSA-mw96-cpmx-2vgc), though no public exploit is identified as active in-the-wild use; EPSS is modest at 0.62% (70th percentile).
Bit7z versions prior to 4.0.11 contain a path traversal vulnerability that allows arbitrary file writes outside the intended extraction directory when processing malicious archives through relative paths, absolute paths, or symbolic links. Applications using bit7z to extract untrusted archives are affected, enabling attackers to overwrite critical files with the privileges of the extraction process. Public exploit code exists for this vulnerability.
Fiber web framework versions 3.0.0 and earlier on Windows contain a path traversal vulnerability that allows remote attackers to bypass static file middleware protections and read arbitrary files from the server. Public exploit code exists for this vulnerability, which affects applications using the vulnerable Fiber versions. The issue has been patched in Fiber v3.1.0.
Path traversal in Linksys MR9600 and MX4200 firmware allows attackers with physical access to mount arbitrary USB drive partitions into the file system, potentially enabling root-level code execution. Public exploit code exists for this vulnerability, and no patch is currently available. Affected versions include MR9600 1.0.4.205530 and MX4200 1.0.13.210200.
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrictions through path traversal in the /api/files endpoint. An attacker can exploit insufficient filename validation to write arbitrary files to any location on the server, achieving command execution. Public exploit code exists for this vulnerability.
A vulnerability was determined in MuYuCMS 2.7. Affected is the function delete_dir_file of the file application/admin/controller/Template.php of the component Template Management Page. [CVSS 3.8 LOW]
HummerRisk versions up to 1.5.0 contain a path traversal vulnerability in the archive extraction functionality that allows authenticated remote attackers to read and write arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects the extractTarGZ and extractZip functions in the common utilities library.
Local file disclosure in ImageMagick before 7.1.2-15 and 6.9.13-40 lets attackers bypass the path security policy (policy-secure.xml) using directory traversal, reading files a rule such as `/etc/*` was meant to block. Because the policy matcher evaluates the raw, unnormalized filename string before the OS resolves it, a traversal sequence slips past the deny rule while the kernel still opens the real sensitive file. No public exploit is identified at time of analysis and EPSS is very low (0.04%), but the bug undermines a control specifically deployed to harden image-processing pipelines that handle untrusted input.
Path traversal in Dinky up to version 1.2.5 allows authenticated remote attackers to access arbitrary files on the system through manipulation of the projectName parameter in the GitRepository component. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this to read sensitive files or potentially escalate privileges within Java-based Dinky deployments.
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by setting device identifiers to absolute paths, which bypass path validation during image uploads. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with device management privileges could write files outside the intended media directory, potentially compromising system integrity.
Path traversal in Dromara UJCMS 101.2 Template Handler allows authenticated remote attackers to manipulate the deleteDirectory function and access files outside intended directories. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The attack requires valid credentials but can be executed remotely with minimal complexity.
Path traversal in the pictureDelete function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated remote attackers to manipulate the picName parameter and access arbitrary files on the system. Public exploit code exists for this vulnerability. No patch is currently available, and the developers have not responded to the disclosure.
Path traversal in the FileServiceImpl.deleteFile function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated attackers to manipulate file deletion operations remotely. Public exploit code exists for this vulnerability, and the developer has not yet addressed the reported issue. An attacker with valid credentials could delete or access arbitrary files on the affected system.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
Arbitrary file read vulnerability in GetSimple CMS affects all versions through its Uploaded Files feature, allowing unauthenticated remote attackers to access sensitive files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available. The high-severity flaw (CVSS 7.5) poses a significant confidentiality risk to all GetSimple CMS deployments.
Remote code execution in the MLflow Tracking Server allows unauthenticated attackers (PR:N) to abuse the artifact handler's path processing to read or write files outside the intended artifact root and ultimately run code as the server's service account. The flaw is a CWE-22 path traversal in artifact file-path handling reachable over the network with low complexity. No public exploit is identified at time of analysis, but the EPSS score of 15.58% (95th percentile) signals notably elevated near-term exploitation likelihood for an MLOps component frequently exposed on internal and cloud networks.
ADB Explorer through version 0.9.26020 fails to validate user-supplied directory paths, enabling local attackers to trigger recursive deletion of arbitrary filesystem directories including critical system and user folders. An attacker can exploit this by crafting a malicious shortcut or script that launches the application with a sensitive path argument, causing permanent data loss when the application processes the ClearDrag() function at startup or exit. Any user tricked into launching ADB Explorer via a weaponized shortcut or batch file faces complete loss of targeted directories such as Documents or user profile folders.
Spring Data Geode's snapshot import feature on Windows systems is vulnerable to path traversal attacks that enable attackers to write arbitrary files outside the intended extraction directory. Remote attackers can exploit this vulnerability without authentication to potentially overwrite critical system or application files. No patch is currently available.
Authenticated attackers can traverse directory restrictions in Mitchell Bennis Simple File List versions up to 6.1.15 to read files outside intended directories, requiring valid credentials but no user interaction. This path traversal vulnerability impacts confidentiality but not system integrity or availability, with no patch currently available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal.This issue affects Woo File Dropzone: from n/a through <= 1.1.7. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal.This issue affects Open User Map: from n/a through <= 1.4.16. [CVSS 6.5 MEDIUM]
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path. [CVSS 6.5 MEDIUM]
Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable location via path traversal in PDB file readers, potentially enabling code execution or system compromise through file overwriting. The vulnerability affects both 132-byte and 202-byte PDB header variants and silently overwrites existing files without warning. Public exploit code exists and patches are available in version 9.3.0 and later.
Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traversal flaw in the extract_pictures() function that fails to properly sanitize directory traversal sequences. On Windows systems, attackers can exploit this to write malicious payloads to the Startup folder, achieving code execution upon the next user login. Public exploit code exists for this vulnerability, and a patch is available in version 9.3.0.
Remote code execution in Music Assistant Server 2.6.3 and below enables unauthenticated network-adjacent attackers to execute arbitrary code through path traversal in the playlist update API, which fails to enforce file extension restrictions and allows writing malicious Python files to site-packages. The vulnerability is particularly critical because affected containers typically run as root, amplifying the impact of successful exploitation. No patch is currently available, leaving installations at risk until an upgrade to version 2.7.0 or later is performed.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. [CVSS 7.5 HIGH]
Penpot before version 2.13.2 contains a path traversal vulnerability in the font creation endpoint that allows authenticated users with team edit permissions to read arbitrary files from the server filesystem. By supplying local file paths such as `/etc/passwd` as font data, attackers can retrieve sensitive files including system configuration, application secrets, and credentials. Public exploit code exists for this vulnerability, which could enable further server compromise depending on the Penpot process permissions.
Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.
Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. Public exploit code exists for this medium-severity vulnerability, though a patch is available in version 5.0.3.
Dell Unisphere for PowerMax 10.2 contains a relative path traversal flaw that allows authenticated remote attackers to modify critical system files without user interaction. The vulnerability affects systems with low-privileged user accounts and carries high integrity and availability impact, though no patch is currently available. With an EPSS score of 0.1%, exploitation likelihood remains low despite the HIGH severity rating.
Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests
Path traversal in CyreneAdmin's image handler endpoint allows authenticated attackers to read arbitrary files on the server through manipulation of the Avatar parameter. The vulnerability affects versions up to 1.3.0 and requires valid user credentials to exploit, limiting the attack surface to authenticated users. Public exploit code exists and no patch is currently available.
Tsinghua Unigroup Electronic Archives System 3.2.210802 contains a path traversal vulnerability in the download functionality that allows authenticated remote attackers to read arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it accessible to any authenticated user with network access.
Path traversal in Tsinghua Unigroup Electronic Archives System 3.2.210802 allows authenticated remote attackers to read arbitrary files through manipulation of the path parameter in the /Search/Subject/downLoad function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it a practical risk for organizations using this system.
gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. [CVSS 7.5 HIGH]
Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that allows remote attackers to access system files by manipulating URL path segments. [CVSS 7.5 HIGH]
Unauthenticated attackers can read arbitrary files from InvoicePlane servers through path traversal in the Guest controller's file retrieval function, potentially exposing database credentials and other sensitive configuration data. This vulnerability affects InvoicePlane versions up to 1.6.3 and has public exploit code available. Version 1.6.4 resolves the issue.
Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. [CVSS 3.5 LOW]
Path traversal vulnerability in the AMR Printer Management 1.01 Beta web service, which allows remote attackers to read arbitrary files from the underlying Windows system by using specially crafted path traversal sequences in requests directed to the web management service.
Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. [CVSS 2.7 LOW]
Path traversal in Blossom up to version 1.17.1 file upload functionality allows authenticated remote attackers to access arbitrary files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Arbitrary file deletion in Dell Avamar Server and Virtual Edition versions before 19.10 SP1 with CHF338912 stems from improper path traversal validation in the security module. High-privileged remote attackers can exploit this vulnerability to delete files on affected systems, though no patch is currently available.
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 6.5 MEDIUM]
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 4.7 MEDIUM]
Path traversal in Rocket TRUfusion Enterprise through 7.10.5 via /axis2/services endpoint allows authenticated attackers to read and write arbitrary files on the host. EPSS 0.32%.
Path traversal in ZenTao's editor component (versions up to 21.7.8) allows authenticated attackers to manipulate the filePath parameter and access files outside intended directories. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems vulnerable to unauthorized file access and potential information disclosure.
ZenTao versions up to 21.7.8 contain a path traversal vulnerability in the backup handler that allows authenticated attackers to manipulate file parameters and access or delete arbitrary files on the affected system. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed remotely without user interaction.
Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.
The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]
Authenticated users in lakeFS prior to version 1.77.0 can exploit path traversal vulnerabilities in the local block adapter to read and write files outside their intended storage boundaries by bypassing insufficient prefix validation checks. An attacker with valid credentials can manipulate object identifiers and path sequences to access sibling directories and storage namespaces they should not have access to. A patch is available in version 1.77.0 and later.
Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary files from the server by manipulating file paths during recipe import operations. An attacker could access sensitive system files like /etc/passwd or application configuration files, potentially leading to full system compromise. Public exploit code exists for this vulnerability.
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. [CVSS 7.5 HIGH]
Zip slip to RCE in MojoPortal CMS v2.9.0.1 via /DesignTools/SkinList.aspx. Malicious ZIP archives write files outside extraction directory, enabling code execution. CVSS 10.0.
Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. [CVSS 7.5 HIGH]
Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers read any file on the server by supplying file:// URLs to the /execute_js, /screenshot, /pdf, and /html endpoints. Because the API validates no scheme, an attacker can exfiltrate /etc/passwd, /etc/shadow, application config, and process environment via /proc/self/environ - directly exposing credentials and API keys. Publicly documented in GitHub advisory GHSA-vx9w-5cx4-9796 with a working request example; no public exploit identified as active exploitation, and EPSS is low (0.06%, 19th percentile).
An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older. [CVSS 7.5 HIGH]
Arbitrary file write vulnerability in Apple's macOS, iOS, iPadOS, and Safari resulting from improper path handling logic allows remote attackers to write files without authentication or user interaction. Affected versions include macOS Tahoe 26.3 and earlier, macOS Sonoma 14.8.4 and earlier, iOS 18.7.5 and earlier, and Safari 26.3 and earlier. No patch is currently available for this high-severity vulnerability.
Improper path validation in Apple's macOS, iOS, and visionOS allows local attackers to bypass directory access restrictions and read sensitive user data through crafted file paths. An authenticated user with local access can exploit this parsing weakness without user interaction to access confidential information. No patch is currently available for this vulnerability.
Improper path validation in macOS and visionOS allows local attackers with user interaction to read sensitive user data through directory path manipulation. The vulnerability affects macOS Sequoia 15.7.3 and earlier, macOS Sonoma 14.8.3 and earlier, macOS Tahoe 26.2 and earlier, and visionOS 26.2 and earlier. No patch is currently available.
Local privilege escalation in Apple macOS, iOS, and iPadOS through improper path validation allows authenticated attackers to gain root privileges on affected devices. The vulnerability requires local access and user interaction is not required, making it exploitable by malicious applications already present on the system. No patch is currently available for this high-severity flaw affecting multiple Apple operating systems.
Improper path validation in macOS (Sequoia 15.7.3 and earlier, Tahoe 26.2 and earlier, Sonoma 14.8.3 and earlier) permits local authenticated users to escalate privileges to root through a malicious application. This path traversal vulnerability (CWE-22) has a CVSS score of 7.8 and currently lacks a publicly available patch.
A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5. [CVSS 5.5 MEDIUM]
A path handling issue was addressed with improved logic. This issue is fixed in macOS Sonoma 14.8.4. [CVSS 5.5 MEDIUM]
Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attackers with high privileges to traverse the directory structure and read arbitrary files from the server. Public exploit code exists for this path traversal vulnerability, and no patch is currently available for affected deployments.
Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers to access sensitive system files by manipulating the asset path parameter. Attackers can exploit the path parameter in /admin/voyager-assets to read arbitrary files like /etc/passwd and .env configuration files. [CVSS 7.5 HIGH]
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function. [CVSS 7.5 HIGH]
Path traversal in nanotar npm package through 0.2.0. The parseTar() and parseTarGzip() functions allow attackers to write files outside the extraction directory.