Skip to main content

Path Traversal

7701 CVEs technique

Monthly

CVE-2026-52777 PHP CRITICAL POC PATCH GHSA Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF XSS RCE +1
NVD GitHub
CVE-2026-13492 HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-59149 MEDIUM PATCH This Month

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the `getSafeFilePath` function in `packages/commons-server/src/libs/server/server.ts`, which enforces directory confinement using a bare string-prefix check (`resolvedPath.startsWith(staticBaseDir)`) without a path-separator boundary. Because any path whose absolute form begins with the base directory string - including sibling directories sharing a common prefix - passes this check, crafted `../`-escaped values embedded in request data can escape the sandbox across HTTP sendFile, WebSocket, and callback channels. No public exploit code identified at time of analysis and no CISA KEV listing.

Path Traversal Mockoon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-59221 HIGH PATCH This Week

Path traversal in Open WebUI's terminal proxy (versions 0.9.6 through 0.9.x, fixed in 0.10.0) lets an authenticated attacker reach files and resources outside the intended proxy scope. The _sanitize_proxy_path routine in backend/open_webui/routers/terminals.py decoded incoming proxy paths exactly eight times, so a nine-times percent-encoded ../ sequence survived normalization and was decoded a final time by the upstream terminal server, defeating the traversal check. No public exploit or CISA KEV listing exists at time of analysis, but the scope-changing CVSS 3.1 score of 7.7 (S:C/C:H) signals meaningful confidentiality impact on the backend terminal component.

Path Traversal Open Webui
NVD GitHub
CVSS 3.1
7.7
EPSS
0.4%
CVE-2026-15204 MEDIUM This Month

Path traversal in the TOTOLINK X5000R router's OpenVPN Export CGI handler exposes arbitrary router filesystem files to remote unauthenticated attackers. The `exportOvpn` function within `/web/cgi-bin/cstecgi.cgi` fails to sanitize user-controlled path input, allowing directory traversal sequences to escape the intended export directory. A public proof-of-concept exists (GitHub: meishigana/CVE, referenced 2026-06-09), and the CVSS 4.0 supplemental metric E:P confirms exploit code is available, elevating practical risk beyond the moderate 5.5 base score.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14372 HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder
NVD
CVSS 3.1
7.1
EPSS
0.7%
CVE-2026-47826 HIGH PATCH This Week

Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 8.5 (High).

Bosh Cli Tool Path Traversal
NVD VulDB
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-15138 LOW Monitor

Path traversal in tumf mcp-text-editor up to version 1.0.2 allows remote attackers to read, write, or delete files outside the intended directory by supplying manipulated file path arguments to the `_validate_file_path` function in `mcp_text_editor/text_editor.py`. A public exploit has been disclosed (confirmed by VulDB and reflected in the CVSS 4.0 E:P modifier), and the vendor has closed the tracking GitHub issue without explanation, leaving the vulnerability unpatched. The CVSS 4.0 base score of 2.1 reflects limited confidentiality, integrity, and availability impact alongside a required user interaction step.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-39245 MEDIUM This Month

Directory traversal and arbitrary file write in the decompress npm package (versions before 4.2.2) stem from a prefix-confusion flaw in path boundary validation using String.indexOf() at two locations in index.js. An attacker supplying a crafted archive can write files to filesystem directories adjacent to the intended extraction target - for example, escaping /tmp/app into /tmp/app_config - bypassing both the safeMakeDir function and the extraction path validation. This is a confirmed bypass of the prior fix for CVE-2020-12265; no public exploit has been identified at time of analysis and EPSS is low at 0.26% (17th percentile), though the integrity impact is rated high by CVSS.

Path Traversal N A
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.3%
CVE-2026-58192 HIGH PATCH This Week

Unauthenticated arbitrary file/directory deletion in the Appium storage plugin (versions prior to 1.1.6) allows a remote client to recursively delete writable files outside the storage root via the POST /storage/delete endpoint. The handler feeds the user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, so ../ sequences escape the intended directory. No public exploit was identified at time of analysis, but the fix is straightforward to reverse-engineer from the published patch (commit 5fee017 / PR #22362).

Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-54591 HIGH PATCH This Week

Arbitrary file write in the AsyncSSH Python library (versions prior to 2.23.1) allows a malicious or compromised SSH server to plant files anywhere on an SCP client's filesystem when a user initiates a file-copy operation against it. Because the SCP client trusts server-supplied filenames verbatim, a hostile server can return names containing ../ sequences to escape the intended download directory, enabling code execution or system tampering. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54590 MEDIUM PATCH This Month

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-49833 Maven MEDIUM PATCH GHSA This Month

Path traversal via the COAR Notify / Linked Data Notifications (LDN) service in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated DSpace administrator to reference arbitrary filesystem paths as LDN inbound-pattern templates, causing those files to be read and interpreted as Apache Velocity templates. While no public exploit or active exploitation has been identified, the vulnerability was demonstrated as part of a proven attack chain in which an administrator stages a malicious Velocity payload in a predictable file location and triggers its execution, enabling either sensitive file disclosure or arbitrary Java code execution via Velocity template injection. No special conditions (KEV, public PoC) are confirmed at time of analysis.

Java Path Traversal Tomcat Apache
NVD GitHub
CVSS 3.1
5.5
CVE-2026-49831 Maven MEDIUM PATCH GHSA This Month

Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.

Java Path Traversal Denial Of Service Tomcat
NVD GitHub
CVSS 3.1
5.5
CVE-2026-49832 Maven HIGH PATCH GHSA This Week

Remote code execution in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated administrator to execute arbitrary Java via Velocity templates used to render COAR Notify/LDN messages, using reflection to escape the templating sandbox. Exploitation requires valid DSpace administrator credentials and is most impactful when chained with the related LDN path-traversal flaw (GHSA-9qm4-rh6w-pq5x). No public exploit identified at time of analysis, and CVSS is 8.0 (High).

Path Traversal Code Injection Tomcat RCE Java
NVD GitHub
CVSS 3.1
8.0
CVE-2026-8650 HIGH PATCH This Week

Path traversal in Progress MOVEit Transfer's Admin Settings module (versions before 2025.0.7 and 2025.1.0 before 2025.1.3) lets remote attackers supply relative '../' sequences to read files outside the intended directory, exposing sensitive configuration or system data. The CVSS 3.1 vector scores it 7.5 with confidentiality-only impact (C:H/I:N/A:N) and no listed authentication (PR:N), though the 'Admin Settings' location warrants scrutiny of that claim. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and CISA SSVC records no known exploitation.

Path Traversal Moveit Transfer
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-59948 HIGH PATCH This Week

Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.

Path Traversal PHP Composer
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-59946 MEDIUM PATCH This Month

Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.

Path Traversal PHP Composer
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-59820 MEDIUM PATCH This Month

Path traversal in LiteLLM's Skills archive extraction enables authenticated users with access to specific LLM API routes to write arbitrary files outside the intended server extraction directory by uploading a crafted ZIP archive containing path traversal entries. Affected versions are all LiteLLM releases prior to 1.83.7-stable; the CPE confirms the entire berriai/litellm product line is in scope. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity and availability impact is rated High in the vendor-provided CVSS 4.0 vector, making this a meaningful risk for any LiteLLM deployment that exposes the Skills upload feature to untrusted authenticated users.

Path Traversal Litellm
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.3%
CVE-2026-59924 PyPI MEDIUM PATCH This Month

Path traversal in Mistune's Include plugin allows reading arbitrary files from the server filesystem when processing attacker-controlled markdown. Applications using md.read() with the Include plugin on markdown content supplied by external users are exposed: a crafted include directive can escape the intended markdown base directory to access any file readable by the running process. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 3.3.0.

Python Path Traversal Mistune
NVD GitHub
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-53951 HIGH PATCH This Week

Trust-boundary bypass in Copier 9.5.0 through 9.15.1 lets an attacker-controlled template execute arbitrary commands without the usual --trust confirmation. The flaw stems from the trust prefix check using a raw str.startswith on the un-normalized template URL, so a reference that textually begins with a trusted prefix but contains '..' is granted trust while actually resolving to a different template whose tasks/migrations/jinja_extensions then run. No public exploit identified at time of analysis, and it is not in CISA KEV; fixed in 9.15.2.

Path Traversal Copier
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-59703 HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-55874 HIGH PATCH This Week

Cross-bucket object disclosure in SeaweedFS S3 API gateway (versions prior to 4.34) allows an authenticated identity scoped to a single bucket to read objects from other buckets by injecting dot-dot (../) path segments into the X-Amz-Copy-Source header of CopyObject and UploadPartCopy requests. Because the gateway performs a server-side copy without normalizing or rejecting traversal segments, the bucket-level access boundary is bypassed. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the fix in 4.34 is confirmed via the vendor security advisory and source commit.

Path Traversal
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-55668 MEDIUM PATCH This Month

Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. No public exploit has been identified at time of analysis, but the scope-change characteristic (S:C in the CVSS vector) means successful exploitation extends impact beyond the web application's permission boundary.

Path Traversal
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
CVE-2026-14967 LOW Monitor

Path traversal in BBOT's github_workflows module allows a crafted CODE_REPOSITORY URL to write a downloaded artifact outside the operator-configured output directory by bypassing a path-containment check that failed to resolve `..` sequences. Affected versions span all BBOT releases per CPE data, with a fix available via upstream commit. The write primitive is constrained to at most two directory levels above the output location, and the destination is shaped by the operator's own configuration rather than fully attacker-controlled, significantly limiting real-world impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Bbot
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-58654 MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP RCE File Upload
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56273 npm MEDIUM PATCH This Month

Path traversal in Flowise's Faiss and SimpleStore vector store implementations allows any holder of a valid API token to write vector store data to arbitrary filesystem locations, creating a practical path to remote code execution or data exfiltration on the hosting server. All Flowise deployments prior to version 3.1.0 are affected when either of these two vector store backends is configured. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the post-authentication exploitation path is low-complexity, making timely patching critical especially in multi-tenant or shared deployments where API tokens are broadly distributed.

Path Traversal RCE
NVD GitHub
CVSS 4.0
4.9
EPSS
0.3%
CVE-2026-53480 LOW PATCH Monitor

Unauthorized file modification in Dell PowerProtect Data Domain allows a high-privileged remote attacker to write files outside the intended restricted directory via path traversal. Affected across multiple release trains spanning versions 7.7.1.0 through 8.7, including LTS2024, LTS2025, and LTS2026 branches. Dell has published advisory DSA-2026-278 addressing this flaw; no public exploit code or active exploitation has been identified at time of analysis.

Dell Path Traversal Data Domain Operating System
NVD
CVSS 3.1
2.7
EPSS
0.3%
CVE-2026-22927 HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high across confidentiality, integrity, and availability, but exploitation is confined to attackers who already have a local foothold on the machine.

Privilege Escalation Path Traversal Microsoft Workspace One Tunnel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-14500 MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal Bulk Order Update For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14487 CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE PHP Simple Coherent Form
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2026-14244 HIGH This Week

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. EPSS was not provided, but the network-reachable, unauthenticated nature of the bug makes it an attractive scanning target.

WordPress Path Traversal Jssor Slider By Jssor Com
NVD VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-53553 Go HIGH POC GHSA This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft RCE Docker +1
NVD GitHub
CVSS 3.1
7.7
CVE-2026-55631 HIGH PATCH This Week

Arbitrary file deletion in DataEase (open-source data visualization and analytics platform) before 2.10.24 lets authenticated users delete arbitrary writable files inside the application container via a path traversal in the font management module. The stored fileTransName value is concatenated with the font storage directory and passed unsanitized to FileUtils.deleteFile() when a font record is deleted. No public exploit identified at time of analysis; the CVSS 4.0 base score is 7.2 (VI:H/VA:H), reflecting integrity and availability impact without confidentiality loss.

Path Traversal Dataease
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-53481 CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-27823 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE PHP
NVD GitHub
CVE-2026-14476 HIGH This Week

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Red Hat Path Traversal Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
CVSS 3.1
8.0
EPSS
0.7%
CVE-2026-57871 HIGH This Week

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 7.1, driven primarily by high availability impact.

Path Traversal File Upload
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-42200 HIGH PATCH This Week

Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.

PostgreSQL Path Traversal PHP Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-14468 HIGH PATCH This Week

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. Reported by HashiCorp with no public exploit identified at time of analysis; the CVSS 7.7 (scope-changed) score reflects high confidentiality impact against a self-hosted enterprise platform.

Hashicorp Path Traversal Terraform Enterprise
NVD VulDB
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-54760 PyPI CRITICAL PATCH GHSA Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python Path Traversal
NVD GitHub
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-53486 npm CRITICAL PATCH GHSA Act Now

Arbitrary file read and write via archive extraction in the Node.js @xhmikosr/decompress library (and the unmaintained upstream decompress package) lets a crafted tar, tar.gz, tar.bz2, or zip archive escape the intended output directory. The flaw combines unchecked hardlink/symlink targets, a broken string-prefix containment check that allows escape into sibling directories, and mode application that preserves setuid/setgid/sticky bits - enabling attackers to read sensitive files, overwrite files outside the target, and plant privileged binaries when extraction runs as root. No public exploit identified at time of analysis, but the closely related upstream CVE-2020-12265 demonstrates the exploitability of this class.

Path Traversal
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2026-57571 PyPI CRITICAL PATCH Act Now

Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. CVSS is 9.6 (Critical); no public exploit is identified at time of analysis and it is not listed in CISA KEV, but a fix commit and GHSA advisory are published.

Path Traversal RCE Crawl4ai
NVD GitHub
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-9181 HIGH This Week

Unauthenticated file disclosure in Esri ArcGIS Server (all versions 12.0 and prior) lets remote attackers read sensitive files by supplying crafted path parameters that escape the intended directory. The flaw is network-reachable with no authentication or user interaction and, per CISA's SSVC framework, is automatable with total technical impact, though no public exploit has been identified and EPSS exploitation probability remains modest at 0.72%. Esri disclosed and patched the issue in its May 2026 ArcGIS security bulletin.

Path Traversal Arcgis Server
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-59196 npm HIGH PATCH This Week

Arbitrary file write via path traversal in pnpm prior to 10.34.4 and 11.7.0 lets a crafted lockfile place or overwrite files outside the intended hoisted node_modules directory when a victim installs dependencies. A malicious pnpm-lock.yaml can supply an alias containing traversal sequences (e.g. ../) to escape the module directory, or use reserved aliases like .bin or .pnpm to clobber pnpm-owned layout, enabling integrity compromise of the install tree. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is remotely deliverable through shared repositories or packages and requires only that a user run an install.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-59195 npm HIGH PATCH This Week

Arbitrary out-of-tree file/symlink write via path traversal in pnpm before 10.34.4 and 11.8.0 allows a malicious repository to escape node_modules/.pnpm-config by committing a crafted pnpm-lock.yaml whose env-lockfile configDependencies section carries a traversal-shaped package name. When a victim runs pnpm install, pnpm trusts that attacker-controlled name and creates a config-dependency symlink at the derived path, letting an attacker place symlinks outside the intended directory. No public exploit is identified at time of analysis, but exploitation only requires the victim to install dependencies from the poisoned repo (UI:R); CVSS is 8.2 (High) with a scope change.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-59194 npm HIGH PATCH This Week

Arbitrary file deletion in pnpm before 10.34.4 and 11.7.0 allows a malicious project to delete any file reachable by the user when they run 'pnpm patch-remove'. A crafted patch entry escapes the configured patches directory via path traversal (CWE-22), so cloning or installing an attacker-controlled repository and running the patch-remove command destroys files outside the project. No public exploit identified at time of analysis and it is not on CISA KEV; exploitation requires the victim to run the specific command against poisoned configuration.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-53829 HIGH PATCH This Week

Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Path Traversal RCE Owncloud 10
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-59152 PyPI MEDIUM PATCH This Month

Path traversal in LangSmith Client SDK's TracingMiddleware (versions prior to 0.8.18) enables a trust-boundary crossing where any party with LangSmith workspace trace-read access can exfiltrate arbitrary files from servers running the middleware. An attacker sends a crafted HTTP request to a TracingMiddleware-instrumented server, causing it to read a local filesystem path and upload the contents to LangSmith as a trace attachment, which the attacker then retrieves via their workspace access. No public exploit has been identified at time of analysis, but the low complexity and broadly scoped file read make this a meaningful risk for any multi-tenant or contractor-accessible LangSmith deployment.

Path Traversal Langsmith Sdk
NVD GitHub
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-58203 PyPI MEDIUM PATCH This Month

Symlink traversal in pydantic-settings 2.12.0-2.14.1 allows a local low-privileged attacker with write access to the configured secrets directory to read arbitrary files from the host filesystem into application settings when secrets_nested_subdir=True. The same code path also bypasses the secrets_dir_max_size loading cap, undermining an advertised safety control. No public exploit or CISA KEV listing exists; the vendor-released fix is version 2.14.2.

Path Traversal Pydantic Settings
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7185 MEDIUM PATCH This Month

Path traversal in the T-Systems TAO 2.0 suite - spanning Archivo, MyTAO, Estima, and BuroWeb - allows an authenticated low-privileged attacker to escape the application's intended file scope via crafted paths submitted to web-based file management or upload features, yielding high confidentiality impact. The CVSS 4.0 vector confirms network accessibility with low privileges required and an additional attack prerequisite (AT:P), tempering the otherwise straightforward exploitation profile. A vendor patch is available per INCIBE advisory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Archivo Mytao Estima Buroweb
NVD
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-24014 PyPI CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.

Authentication Bypass Path Traversal Apache Apache Iotdb
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40047 CRITICAL PATCH Act Now

Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).

Command Injection Path Traversal Microsoft Apache Apache Camel
NVD VulDB
CVSS 3.1
9.1
EPSS
0.8%
CVE-2026-14783 LOW Monitor

Path traversal in NousResearch hermes-agent 2026.5.29.2 allows low-privilege authenticated remote attackers to read files outside the intended directory by supplying crafted path traversal sequences in the `Name` argument of the `skill_view` function within `tools/skills_tool.py`. Impact is confined to limited confidentiality exposure - no integrity or availability effect - consistent with the CVSS 4.0 score of 2.1 (Low). A public exploit has been disclosed (CVSS E:P), though no active exploitation has been confirmed via CISA KEV.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59510 HIGH PATCH This Week

Path traversal in AIL Framework's PDF object handling lets an authenticated user read files outside the intended PDF storage directory. The PDF.get_filepath() function joined the configured PDF_FOLDER with an attacker-influenced object identifier without validating the resolved location, so crafted relative traversal sequences or absolute path components could point AIL at arbitrary files readable by the service account, exposing configuration, credentials, or other local secrets. No public exploit identified at time of analysis, and the vendor notes exploitation is only potential because additional errors must be overcome before the traversal executes.

Path Traversal Ail Framework
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-14636 MEDIUM This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Path Traversal PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-14635 MEDIUM POC PATCH This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap exposes server-side files and upload directories to manipulation via the unsanitized `folder` parameter in the Vendor Multi-Image Endpoint (AddProduct.php), enabling remote attackers to read or write files outside the designated upload path. A public exploit has been released per GitHub Security Advisory GHSA-6whv-r5hm-vcjr and the CVSS 4.0 E:P modifier confirms proof-of-concept availability, with a base score of 6.9 reflecting low-complexity network exploitation. No CISA KEV listing was identified; however, all deployed instances cloned prior to patch commit 2a9497ff are exposed, as this is a rolling-release project with no discrete versioned releases.

Path Traversal PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14628 MEDIUM POC This Month

Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the Live Webhook Endpoint's `extract_media` function in `gateway/platforms/base.py`. Remote, unauthenticated attackers can read files outside the intended directory, resulting in low-confidentiality-impact disclosure - potentially exposing configuration files, credentials, or internal data. A public proof-of-concept exploit is available on GitHub; however, this vulnerability has not been listed in CISA KEV, indicating active exploitation is not yet confirmed at time of analysis.

Path Traversal Hermes Agent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.6%
CVE-2026-49297 PyPI HIGH PATCH This Week

Path traversal in Apache Airflow's Google provider (apache-airflow-providers-google before 22.2.1) lets a principal with write access to a source GCS bucket overwrite arbitrary files on the SFTP server (GCSToSFTPOperator) or the worker host (GCSTimeSpanFileTransformOperator) by crafting a GCS object name containing `..` segments. Because the bucket writer is frequently a lower-trust party than the DAG author (partner uploads, ingest-only service accounts, public-data buckets), exploitation crosses a trust boundary that operators may not have modeled. No public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none, so this is a real but non-default, targeted-risk integrity flaw rather than a mass-exploitable one.

Apache Path Traversal Google Apache Airflow Providers Google
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-58300 MEDIUM PATCH This Month

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.4%
CVE-2026-58522 MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-57988 HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-28705 MEDIUM PATCH This Month

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

Path Traversal Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-41124 MEDIUM PATCH This Month

Path traversal in Dell PowerProtect Data Domain allows a locally authenticated high-privileged attacker to read files outside restricted directories, resulting in information disclosure. Affected deployments span multiple release trains - standard releases 7.7.1.0 through 8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70. No public exploit identified at time of analysis; the low CVSS score of 2.3 correctly reflects the high privilege and local access prerequisites that substantially constrain real-world exploitation scope.

Dell Path Traversal Information Disclosure Powerprotect Data Domain
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-9725 CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE Printcart Web To Print Product Designer For Woocommerce
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2026-14352 HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-14327 HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-47897 HIGH PATCH This Week

Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. Exploitation is gated by high attack complexity and specific attack requirements, making practical abuse less trivial than the raw score suggests.

Path Traversal Apache Lucene Net
NVD
CVSS 4.0
8.9
EPSS
0.4%
CVE-2026-47896 HIGH PATCH This Week

Path traversal (CWE-22) in the Apache Lucene.Net.Replicator library lets remote attackers read files outside the intended index directory by supplying crafted pathnames to the replication service, disclosing arbitrary server-side files. All releases from 4.8.0-beta00005 through 4.8.0-beta00017 are affected, and Apache fixed it in 4.8.0-beta00018. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 4.0 base score of 8.9 (High) reflects unauthenticated network access and high confidentiality impact including a subsequent-system scope change.

Path Traversal Apache Lucene Net
NVD
CVSS 4.0
8.9
EPSS
0.5%
CVE-2026-13054 HIGH This Week

Arbitrary file write in the WatchGuard Fireware OS Management Web UI lets a privileged, authenticated administrator escape the intended directory and write files anywhere on a Firebox appliance's filesystem, per CVSS 4.0 (AV:N/PR:H). This affects Fireware OS across the 11.x, 12.x, and 2025.1-2026.2 branches and can be leveraged to tamper with configuration or system binaries, potentially leading to code execution or device compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Watchguard Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-54617 Maven CRITICAL GHSA Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx Java Information Disclosure
NVD GitHub
CVSS 3.1
9.8
CVE-2026-52830 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal Microsoft
NVD GitHub
CVSS 3.1
9.4
EPSS
0.4%
CVE-2026-58460 HIGH POC This Week

Arbitrary file overwrite in the react-native-receive-sharing-intent library (ajith-ab) lets a co-resident malicious Android app write attacker-controlled content outside the intended cache directory into the consuming app's private data. The flaw stems from trusting a ContentProvider-supplied _display_name containing dot-dot sequences, enabling overwrite of databases, shared preferences, and cached config. Publicly available exploit code exists (reported by VulnCheck); no active exploitation has been reported in CISA KEV.

Path Traversal React Native Receive Sharing Intent
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-58467 HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP Cockpit
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-49253 npm HIGH PATCH GHSA This Week

Arbitrary file write in electerm via path traversal in its Zmodem and Trzsz file-download handlers lets a malicious SSH server or remote shell overwrite files anywhere the client process can write. When a user accepts an incoming Zmodem (sz/rz) or Trzsz (trz/tsz) transfer, the attacker-supplied filename is passed unsanitized into path.join() with the chosen download directory, so a name like ../../.bashrc escapes that directory. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires the victim to initiate a connection to a hostile server and accept the transfer.

Path Traversal
NVD GitHub
CVSS 3.1
7.1
CVE-2026-49244 Go MEDIUM PATCH NEWS GHSA This Month

Path traversal in SFTPGo's public web-client partial ZIP download endpoint allows unauthenticated remote attackers to read files located outside a browsable share's directory boundary. The flaw exists because the endpoint validated file entries using a raw string prefix check rather than a directory-boundary-aware comparison - a crafted request can escape the share root by supplying paths whose canonical form begins with the shared directory name but resolves to a parent or sibling path. Affected versions prior to v2.7.3 are vulnerable; no public exploit or CISA KEV listing has been identified at time of analysis.

Canonical Path Traversal
NVD GitHub
CVSS 3.1
5.9
CVE-2026-7311 HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE PHP Tinypng Jpeg Png Webp Image Compression
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-50180 PyPI HIGH POC PATCH GHSA This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal Canonical Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-50181 PyPI HIGH POC PATCH GHSA This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-44941 HIGH PATCH This Week

Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.

Path Traversal Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-55117 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-55111 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti UniFi Protect Floodlight devices lets a network-adjacent attacker read files on the device via path traversal, exposing potentially sensitive local data. The flaw (CWE-22) is remotely reachable without authentication per the CVSS vector (PR:N) and carries high confidentiality impact but no integrity or availability effect. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Ubiquiti has issued a fix via Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Protect Floodlight
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54406 HIGH PATCH This Week

Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Network Application
NVD
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-54403 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.

Ubiquiti Path Traversal Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-49779 MEDIUM This Month

Path traversal in the Tax Exempt for WooCommerce plugin (versions <= 1.9.3) by Addify enables authenticated customer-level users to read arbitrary files from the server's filesystem. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, as a low-privileged account (a standard customer/shopper) can traverse directory boundaries to access sensitive files such as wp-config.php containing database credentials. No public exploit code or active CISA KEV listing has been identified at time of analysis.

WordPress Path Traversal Tax Exempt For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13369 HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-9145 MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP Database For Contact Form 7 Wpforms Elementor Forms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-13251 HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google Perfmatters
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-14439 CRITICAL PATCH Act Now

Privilege-escalating remote code execution in the Git Service shared by Altium Enterprise Server and Altium 365 lets an authenticated user with basic git access abuse post-clone file-manipulation operations to move arbitrary files outside the repository, plant executable script content, and run code as the Git Service account. On multi-tenant Altium 365 cloud nodes this also created a cross-tenant data-exposure path. No public exploit identified at time of analysis; the CVSS 4.0 score of 9.4 (Critical) reflects full confidentiality, integrity and availability impact with only low privileges required.

Path Traversal RCE
NVD
CVSS 4.0
9.4
EPSS
0.6%
CVE-2026-50163 Go HIGH PATCH GHSA This Week

Arbitrary CWD-file read and inode-tampering in the oras-go v2 content/file tar extractor allows an attacker who controls an OCI artifact to hardlink files from the pulling process's working directory into the extract tree. When a victim runs 'oras pull' (or any Go program using oras-go/v2/content/file) against a malicious layer marked with the io.deis.oras.content.unpack annotation, the flawed ensureLinkPath helper validates a resolved hardlink target but passes the original relative Linkname to os.Link, causing link(2) to resolve it against the process CWD instead of the extract base. Publicly available exploit code exists (detailed PoC and regression test in the advisory); this is not listed in CISA KEV and no active exploitation is confirmed.

Linux Ubuntu Path Traversal Kubernetes
NVD GitHub
CVSS 3.1
7.1
CRITICAL POC PATCH Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF +3
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the `getSafeFilePath` function in `packages/commons-server/src/libs/server/server.ts`, which enforces directory confinement using a bare string-prefix check (`resolvedPath.startsWith(staticBaseDir)`) without a path-separator boundary. Because any path whose absolute form begins with the base directory string - including sibling directories sharing a common prefix - passes this check, crafted `../`-escaped values embedded in request data can escape the sandbox across HTTP sendFile, WebSocket, and callback channels. No public exploit code identified at time of analysis and no CISA KEV listing.

Path Traversal Mockoon
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in Open WebUI's terminal proxy (versions 0.9.6 through 0.9.x, fixed in 0.10.0) lets an authenticated attacker reach files and resources outside the intended proxy scope. The _sanitize_proxy_path routine in backend/open_webui/routers/terminals.py decoded incoming proxy paths exactly eight times, so a nine-times percent-encoded ../ sequence survived normalization and was decoded a final time by the upstream terminal server, defeating the traversal check. No public exploit or CISA KEV listing exists at time of analysis, but the scope-changing CVSS 3.1 score of 7.7 (S:C/C:H) signals meaningful confidentiality impact on the backend terminal component.

Path Traversal Open Webui
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Path traversal in the TOTOLINK X5000R router's OpenVPN Export CGI handler exposes arbitrary router filesystem files to remote unauthenticated attackers. The `exportOvpn` function within `/web/cgi-bin/cstecgi.cgi` fails to sanitize user-controlled path input, allowing directory traversal sequences to escape the intended export directory. A public proof-of-concept exists (GitHub: meishigana/CVE, referenced 2026-06-09), and the CVSS 4.0 supplemental metric E:P confirms exploit code is available, elevating practical risk beyond the moderate 5.5 base score.

Path Traversal
NVD GitHub VulDB
EPSS 1% CVSS 7.1
HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE +1
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 8.5 (High).

Bosh Cli Tool Path Traversal
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal in tumf mcp-text-editor up to version 1.0.2 allows remote attackers to read, write, or delete files outside the intended directory by supplying manipulated file path arguments to the `_validate_file_path` function in `mcp_text_editor/text_editor.py`. A public exploit has been disclosed (confirmed by VulDB and reflected in the CVSS 4.0 E:P modifier), and the vendor has closed the tracking GitHub issue without explanation, leaving the vulnerability unpatched. The CVSS 4.0 base score of 2.1 reflects limited confidentiality, integrity, and availability impact alongside a required user interaction step.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Directory traversal and arbitrary file write in the decompress npm package (versions before 4.2.2) stem from a prefix-confusion flaw in path boundary validation using String.indexOf() at two locations in index.js. An attacker supplying a crafted archive can write files to filesystem directories adjacent to the intended extraction target - for example, escaping /tmp/app into /tmp/app_config - bypassing both the safeMakeDir function and the extraction path validation. This is a confirmed bypass of the prior fix for CVE-2020-12265; no public exploit has been identified at time of analysis and EPSS is low at 0.26% (17th percentile), though the integrity impact is rated high by CVSS.

Path Traversal N A
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Unauthenticated arbitrary file/directory deletion in the Appium storage plugin (versions prior to 1.1.6) allows a remote client to recursively delete writable files outside the storage root via the POST /storage/delete endpoint. The handler feeds the user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, so ../ sequences escape the intended directory. No public exploit was identified at time of analysis, but the fix is straightforward to reverse-engineer from the published patch (commit 5fee017 / PR #22362).

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary file write in the AsyncSSH Python library (versions prior to 2.23.1) allows a malicious or compromised SSH server to plant files anywhere on an SCP client's filesystem when a user initiates a file-copy operation against it. Because the SCP client trusts server-supplied filenames verbatim, a hostile server can return names containing ../ sequences to escape the intended download directory, enabling code execution or system tampering. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Python Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Python Path Traversal
NVD GitHub VulDB
CVSS 5.5
MEDIUM PATCH This Month

Path traversal via the COAR Notify / Linked Data Notifications (LDN) service in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated DSpace administrator to reference arbitrary filesystem paths as LDN inbound-pattern templates, causing those files to be read and interpreted as Apache Velocity templates. While no public exploit or active exploitation has been identified, the vulnerability was demonstrated as part of a proven attack chain in which an administrator stages a malicious Velocity payload in a predictable file location and triggers its execution, enabling either sensitive file disclosure or arbitrary Java code execution via Velocity template injection. No special conditions (KEV, public PoC) are confirmed at time of analysis.

Java Path Traversal Tomcat +1
NVD GitHub
CVSS 5.5
MEDIUM PATCH This Month

Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.

Java Path Traversal Denial Of Service +1
NVD GitHub
CVSS 8.0
HIGH PATCH This Week

Remote code execution in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated administrator to execute arbitrary Java via Velocity templates used to render COAR Notify/LDN messages, using reflection to escape the templating sandbox. Exploitation requires valid DSpace administrator credentials and is most impactful when chained with the related LDN path-traversal flaw (GHSA-9qm4-rh6w-pq5x). No public exploit identified at time of analysis, and CVSS is 8.0 (High).

Path Traversal Code Injection Tomcat +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in Progress MOVEit Transfer's Admin Settings module (versions before 2025.0.7 and 2025.1.0 before 2025.1.3) lets remote attackers supply relative '../' sequences to read files outside the intended directory, exposing sensitive configuration or system data. The CVSS 3.1 vector scores it 7.5 with confidentiality-only impact (C:H/I:N/A:N) and no listed authentication (PR:N), though the 'Admin Settings' location warrants scrutiny of that claim. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and CISA SSVC records no known exploitation.

Path Traversal Moveit Transfer
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.

Path Traversal PHP Composer
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.

Path Traversal PHP Composer
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Path traversal in LiteLLM's Skills archive extraction enables authenticated users with access to specific LLM API routes to write arbitrary files outside the intended server extraction directory by uploading a crafted ZIP archive containing path traversal entries. Affected versions are all LiteLLM releases prior to 1.83.7-stable; the CPE confirms the entire berriai/litellm product line is in scope. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity and availability impact is rated High in the vendor-provided CVSS 4.0 vector, making this a meaningful risk for any LiteLLM deployment that exposes the Skills upload feature to untrusted authenticated users.

Path Traversal Litellm
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Path traversal in Mistune's Include plugin allows reading arbitrary files from the server filesystem when processing attacker-controlled markdown. Applications using md.read() with the Include plugin on markdown content supplied by external users are exposed: a crafted include directive can escape the intended markdown base directory to access any file readable by the running process. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 3.3.0.

Python Path Traversal Mistune
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Trust-boundary bypass in Copier 9.5.0 through 9.15.1 lets an attacker-controlled template execute arbitrary commands without the usual --trust confirmation. The flaw stems from the trust prefix check using a raw str.startswith on the un-normalized template URL, so a reference that textually begins with a trusted prefix but contains '..' is granted trust while actually resolving to a different template whose tasks/migrations/jinja_extensions then run. No public exploit identified at time of analysis, and it is not in CISA KEV; fixed in 9.15.2.

Path Traversal Copier
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-bucket object disclosure in SeaweedFS S3 API gateway (versions prior to 4.34) allows an authenticated identity scoped to a single bucket to read objects from other buckets by injecting dot-dot (../) path segments into the X-Amz-Copy-Source header of CopyObject and UploadPartCopy requests. Because the gateway performs a server-side copy without normalizing or rejecting traversal segments, the bucket-level access boundary is bypassed. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the fix in 4.34 is confirmed via the vendor security advisory and source commit.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. No public exploit has been identified at time of analysis, but the scope-change characteristic (S:C in the CVSS vector) means successful exploitation extends impact beyond the web application's permission boundary.

Path Traversal
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Path traversal in BBOT's github_workflows module allows a crafted CODE_REPOSITORY URL to write a downloaded artifact outside the operator-configured output directory by bypassing a path-containment check that failed to resolve `..` sequences. Affected versions span all BBOT releases per CPE data, with a fix available via upstream commit. The write primitive is constrained to at most two directory levels above the output location, and the destination is shaped by the operator's own configuration rather than fully attacker-controlled, significantly limiting real-world impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Bbot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP +2
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Path traversal in Flowise's Faiss and SimpleStore vector store implementations allows any holder of a valid API token to write vector store data to arbitrary filesystem locations, creating a practical path to remote code execution or data exfiltration on the hosting server. All Flowise deployments prior to version 3.1.0 are affected when either of these two vector store backends is configured. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the post-authentication exploitation path is low-complexity, making timely patching critical especially in multi-tenant or shared deployments where API tokens are broadly distributed.

Path Traversal RCE
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Unauthorized file modification in Dell PowerProtect Data Domain allows a high-privileged remote attacker to write files outside the intended restricted directory via path traversal. Affected across multiple release trains spanning versions 7.7.1.0 through 8.7, including LTS2024, LTS2025, and LTS2026 branches. Dell has published advisory DSA-2026-278 addressing this flaw; no public exploit code or active exploitation has been identified at time of analysis.

Dell Path Traversal Data Domain Operating System
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high across confidentiality, integrity, and availability, but exploitation is confined to attackers who already have a local foothold on the machine.

Privilege Escalation Path Traversal Microsoft +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal +1
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. EPSS was not provided, but the network-reachable, unauthenticated nature of the bug makes it an attractive scanning target.

WordPress Path Traversal Jssor Slider By Jssor Com
NVD VulDB
CVSS 7.7
HIGH POC This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Arbitrary file deletion in DataEase (open-source data visualization and analytics platform) before 2.10.24 lets authenticated users delete arbitrary writable files inside the application container via a path traversal in the font management module. The stored fileTransName value is concatenated with the font storage directory and passed unsanitized to FileUtils.deleteFile() when a font record is deleted. No public exploit identified at time of analysis; the CVSS 4.0 base score is 7.2 (VI:H/VA:H), reflecting integrity and availability impact without confidentiality loss.

Path Traversal Dataease
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal +1
NVD
CRITICAL PATCH Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE +1
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Red Hat Path Traversal +7
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 7.1, driven primarily by high availability impact.

Path Traversal File Upload
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.

PostgreSQL Path Traversal PHP +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. Reported by HashiCorp with no public exploit identified at time of analysis; the CVSS 7.7 (scope-changed) score reflects high confidentiality impact against a self-hosted enterprise platform.

Hashicorp Path Traversal Terraform Enterprise
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file read and write via archive extraction in the Node.js @xhmikosr/decompress library (and the unmaintained upstream decompress package) lets a crafted tar, tar.gz, tar.bz2, or zip archive escape the intended output directory. The flaw combines unchecked hardlink/symlink targets, a broken string-prefix containment check that allows escape into sibling directories, and mode application that preserves setuid/setgid/sticky bits - enabling attackers to read sensitive files, overwrite files outside the target, and plant privileged binaries when extraction runs as root. No public exploit identified at time of analysis, but the closely related upstream CVE-2020-12265 demonstrates the exploitability of this class.

Path Traversal
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. CVSS is 9.6 (Critical); no public exploit is identified at time of analysis and it is not listed in CISA KEV, but a fix commit and GHSA advisory are published.

Path Traversal RCE Crawl4ai
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated file disclosure in Esri ArcGIS Server (all versions 12.0 and prior) lets remote attackers read sensitive files by supplying crafted path parameters that escape the intended directory. The flaw is network-reachable with no authentication or user interaction and, per CISA's SSVC framework, is automatable with total technical impact, though no public exploit has been identified and EPSS exploitation probability remains modest at 0.72%. Esri disclosed and patched the issue in its May 2026 ArcGIS security bulletin.

Path Traversal Arcgis Server
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file write via path traversal in pnpm prior to 10.34.4 and 11.7.0 lets a crafted lockfile place or overwrite files outside the intended hoisted node_modules directory when a victim installs dependencies. A malicious pnpm-lock.yaml can supply an alias containing traversal sequences (e.g. ../) to escape the module directory, or use reserved aliases like .bin or .pnpm to clobber pnpm-owned layout, enabling integrity compromise of the install tree. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is remotely deliverable through shared repositories or packages and requires only that a user run an install.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary out-of-tree file/symlink write via path traversal in pnpm before 10.34.4 and 11.8.0 allows a malicious repository to escape node_modules/.pnpm-config by committing a crafted pnpm-lock.yaml whose env-lockfile configDependencies section carries a traversal-shaped package name. When a victim runs pnpm install, pnpm trusts that attacker-controlled name and creates a config-dependency symlink at the derived path, letting an attacker place symlinks outside the intended directory. No public exploit is identified at time of analysis, but exploitation only requires the victim to install dependencies from the poisoned repo (UI:R); CVSS is 8.2 (High) with a scope change.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file deletion in pnpm before 10.34.4 and 11.7.0 allows a malicious project to delete any file reachable by the user when they run 'pnpm patch-remove'. A crafted patch entry escapes the configured patches directory via path traversal (CWE-22), so cloning or installing an attacker-controlled repository and running the patch-remove command destroys files outside the project. No public exploit identified at time of analysis and it is not on CISA KEV; exploitation requires the victim to run the specific command against poisoned configuration.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Path Traversal RCE Owncloud 10
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Path traversal in LangSmith Client SDK's TracingMiddleware (versions prior to 0.8.18) enables a trust-boundary crossing where any party with LangSmith workspace trace-read access can exfiltrate arbitrary files from servers running the middleware. An attacker sends a crafted HTTP request to a TracingMiddleware-instrumented server, causing it to read a local filesystem path and upload the contents to LangSmith as a trace attachment, which the attacker then retrieves via their workspace access. No public exploit has been identified at time of analysis, but the low complexity and broadly scoped file read make this a meaningful risk for any multi-tenant or contractor-accessible LangSmith deployment.

Path Traversal Langsmith Sdk
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Symlink traversal in pydantic-settings 2.12.0-2.14.1 allows a local low-privileged attacker with write access to the configured secrets directory to read arbitrary files from the host filesystem into application settings when secrets_nested_subdir=True. The same code path also bypasses the secrets_dir_max_size loading cap, undermining an advertised safety control. No public exploit or CISA KEV listing exists; the vendor-released fix is version 2.14.2.

Path Traversal Pydantic Settings
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Path traversal in the T-Systems TAO 2.0 suite - spanning Archivo, MyTAO, Estima, and BuroWeb - allows an authenticated low-privileged attacker to escape the application's intended file scope via crafted paths submitted to web-based file management or upload features, yielding high confidentiality impact. The CVSS 4.0 vector confirms network accessibility with low privileges required and an additional attack prerequisite (AT:P), tempering the otherwise straightforward exploitation profile. A vendor patch is available per INCIBE advisory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Archivo Mytao +2
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.

Authentication Bypass Path Traversal Apache +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).

Command Injection Path Traversal Microsoft +2
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal in NousResearch hermes-agent 2026.5.29.2 allows low-privilege authenticated remote attackers to read files outside the intended directory by supplying crafted path traversal sequences in the `Name` argument of the `skill_view` function within `tools/skills_tool.py`. Impact is confined to limited confidentiality exposure - no integrity or availability effect - consistent with the CVSS 4.0 score of 2.1 (Low). A public exploit has been disclosed (CVSS E:P), though no active exploitation has been confirmed via CISA KEV.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in AIL Framework's PDF object handling lets an authenticated user read files outside the intended PDF storage directory. The PDF.get_filepath() function joined the configured PDF_FOLDER with an attacker-influenced object identifier without validating the resolved location, so crafted relative traversal sequences or absolute path components could point AIL at arbitrary files readable by the service account, exposing configuration, credentials, or other local secrets. No public exploit identified at time of analysis, and the vendor notes exploitation is only potential because additional errors must be overcome before the traversal executes.

Path Traversal Ail Framework
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Path Traversal PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap exposes server-side files and upload directories to manipulation via the unsanitized `folder` parameter in the Vendor Multi-Image Endpoint (AddProduct.php), enabling remote attackers to read or write files outside the designated upload path. A public exploit has been released per GitHub Security Advisory GHSA-6whv-r5hm-vcjr and the CVSS 4.0 E:P modifier confirms proof-of-concept availability, with a base score of 6.9 reflecting low-complexity network exploitation. No CISA KEV listing was identified; however, all deployed instances cloned prior to patch commit 2a9497ff are exposed, as this is a rolling-release project with no discrete versioned releases.

Path Traversal PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the Live Webhook Endpoint's `extract_media` function in `gateway/platforms/base.py`. Remote, unauthenticated attackers can read files outside the intended directory, resulting in low-confidentiality-impact disclosure - potentially exposing configuration files, credentials, or internal data. A public proof-of-concept exploit is available on GitHub; however, this vulnerability has not been listed in CISA KEV, indicating active exploitation is not yet confirmed at time of analysis.

Path Traversal Hermes Agent
NVD VulDB GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Path traversal in Apache Airflow's Google provider (apache-airflow-providers-google before 22.2.1) lets a principal with write access to a source GCS bucket overwrite arbitrary files on the SFTP server (GCSToSFTPOperator) or the worker host (GCSTimeSpanFileTransformOperator) by crafting a GCS object name containing `..` segments. Because the bucket writer is frequently a lower-trust party than the DAG author (partner uploads, ingest-only service accounts, public-data buckets), exploitation crosses a trust boundary that operators may not have modeled. No public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none, so this is a real but non-default, targeted-risk integrity flaw rather than a mass-exploitable one.

Apache Path Traversal Google +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

Path Traversal Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Path traversal in Dell PowerProtect Data Domain allows a locally authenticated high-privileged attacker to read files outside restricted directories, resulting in information disclosure. Affected deployments span multiple release trains - standard releases 7.7.1.0 through 8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70. No public exploit identified at time of analysis; the low CVSS score of 2.3 correctly reflects the high privilege and local access prerequisites that substantially constrain real-world exploitation scope.

Dell Path Traversal Information Disclosure +1
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. Exploitation is gated by high attack complexity and specific attack requirements, making practical abuse less trivial than the raw score suggests.

Path Traversal Apache Lucene Net
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Path traversal (CWE-22) in the Apache Lucene.Net.Replicator library lets remote attackers read files outside the intended index directory by supplying crafted pathnames to the replication service, disclosing arbitrary server-side files. All releases from 4.8.0-beta00005 through 4.8.0-beta00017 are affected, and Apache fixed it in 4.8.0-beta00018. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 4.0 base score of 8.9 (High) reflects unauthenticated network access and high confidentiality impact including a subsequent-system scope change.

Path Traversal Apache Lucene Net
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Arbitrary file write in the WatchGuard Fireware OS Management Web UI lets a privileged, authenticated administrator escape the intended directory and write files anywhere on a Firebox appliance's filesystem, per CVSS 4.0 (AV:N/PR:H). This affects Fireware OS across the 11.x, 12.x, and 2025.1-2026.2 branches and can be leveraged to tamper with configuration or system binaries, potentially leading to code execution or device compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Watchguard Fireware Os
NVD VulDB
CVSS 9.8
CRITICAL Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx +2
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC This Week

Arbitrary file overwrite in the react-native-receive-sharing-intent library (ajith-ab) lets a co-resident malicious Android app write attacker-controlled content outside the intended cache directory into the consuming app's private data. The flaw stems from trusting a ContentProvider-supplied _display_name containing dot-dot sequences, enabling overwrite of databases, shared preferences, and cached config. Publicly available exploit code exists (reported by VulnCheck); no active exploitation has been reported in CISA KEV.

Path Traversal React Native Receive Sharing Intent
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP +1
NVD GitHub
CVSS 7.1
HIGH PATCH This Week

Arbitrary file write in electerm via path traversal in its Zmodem and Trzsz file-download handlers lets a malicious SSH server or remote shell overwrite files anywhere the client process can write. When a user accepts an incoming Zmodem (sz/rz) or Trzsz (trz/tsz) transfer, the attacker-supplied filename is passed unsanitized into path.join() with the chosen download directory, so a name like ../../.bashrc escapes that directory. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires the victim to initiate a connection to a hostile server and accept the transfer.

Path Traversal
NVD GitHub
CVSS 5.9
MEDIUM PATCH This Month

Path traversal in SFTPGo's public web-client partial ZIP download endpoint allows unauthenticated remote attackers to read files located outside a browsable share's directory boundary. The flaw exists because the endpoint validated file entries using a raw string prefix check rather than a directory-boundary-aware comparison - a crafted request can escape the share root by supplying paths whose canonical form begins with the shared directory name but resolves to a parent or sibling path. Affected versions prior to v2.7.3 are vulnerable; no public exploit or CISA KEV listing has been identified at time of analysis.

Canonical Path Traversal
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE +2
NVD
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal +2
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.

Path Traversal Libzypp
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti UniFi Protect Floodlight devices lets a network-adjacent attacker read files on the device via path traversal, exposing potentially sensitive local data. The flaw (CWE-22) is remotely reachable without authentication per the CVSS vector (PR:N) and carries high confidentiality impact but no integrity or availability effect. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Ubiquiti has issued a fix via Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Protect Floodlight
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Network Application
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.

Ubiquiti Path Traversal Unifi Os Server +11
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the Tax Exempt for WooCommerce plugin (versions <= 1.9.3) by Addify enables authenticated customer-level users to read arbitrary files from the server's filesystem. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, as a low-privileged account (a standard customer/shopper) can traverse directory boundaries to access sensitive files such as wp-config.php containing database credentials. No public exploit code or active CISA KEV listing has been identified at time of analysis.

WordPress Path Traversal Tax Exempt For Woocommerce
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google +1
NVD VulDB
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

Privilege-escalating remote code execution in the Git Service shared by Altium Enterprise Server and Altium 365 lets an authenticated user with basic git access abuse post-clone file-manipulation operations to move arbitrary files outside the repository, plant executable script content, and run code as the Git Service account. On multi-tenant Altium 365 cloud nodes this also created a cross-tenant data-exposure path. No public exploit identified at time of analysis; the CVSS 4.0 score of 9.4 (Critical) reflects full confidentiality, integrity and availability impact with only low privileges required.

Path Traversal RCE
NVD
CVSS 7.1
HIGH PATCH This Week

Arbitrary CWD-file read and inode-tampering in the oras-go v2 content/file tar extractor allows an attacker who controls an OCI artifact to hardlink files from the pulling process's working directory into the extract tree. When a victim runs 'oras pull' (or any Go program using oras-go/v2/content/file) against a malicious layer marked with the io.deis.oras.content.unpack annotation, the flawed ensureLinkPath helper validates a resolved hardlink target but passes the original relative Linkname to os.Link, causing link(2) to resolve it against the process CWD instead of the extract base. Publicly available exploit code exists (detailed PoC and regression test in the advisory); this is not listed in CISA KEV and no active exploitation is confirmed.

Linux Ubuntu Path Traversal +1
NVD GitHub
Prev Page 2 of 86 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy