Skip to main content

Path Traversal

7721 CVEs technique

Monthly

CVE-2024-40646 HIGH This Week

Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Vertex
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-42679 MEDIUM This Month

Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged users to download arbitrary files from the server filesystem. The vulnerability, reported by Patchstack as an arbitrary file download flaw, exposes full confidentiality impact (C:H) with no integrity or availability consequence, meaning attackers can exfiltrate sensitive server files - including wp-config.php, credentials, or private data - but cannot modify or destroy them. No active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Path Traversal Classified Listing
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8643 PyPI MEDIUM PATCH This Month

Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.

Path Traversal Pip
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-47425 LIB MEDIUM PATCH GHSA This Month

Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Microsoft Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-40548 MEDIUM This Month

Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.

File Upload PHP Path Traversal
NVD
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-40547 MEDIUM This Month

Path traversal in SOPlanning 1.55 and below exposes backup endpoints to arbitrary file read and execution, allowing a high-privilege authenticated attacker to construct payloads that traverse directories and interact with files previously stored via the backup functionality. The standalone vulnerability's PR:H authentication barrier is critically undermined by a companion flaw, CVE-2026-40543 (Missing Authorization), which removes authorization enforcement on backup file access entirely - enabling any unauthenticated user to read backup files. The combined exploit chain elevates practical risk well above what the standalone CVSS 6.4 score implies, with downstream High impacts across Confidentiality, Integrity, and Availability. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-10213 LOW POC Monitor

Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skills/delete API endpoint to escape the intended directory boundary, enabling unauthorized deletion or corruption of arbitrary files on the host system. The CVSS vector (C:N/I:L/A:L) confirms no confidentiality exposure but meaningful integrity and availability impact. A public proof-of-concept exploit is available on GitHub; the vendor did not respond to responsible disclosure, and no patch has been released at time of analysis.

Path Traversal Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2018-25421 HIGH POC This Week

Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25408 HIGH POC This Week

The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-48711 Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/30. ist] oss-security mailing list - 2026/05/30 CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git (Thomas Wolf <twolf@...che.org>) CVE-2025-70116: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on truncated MP4 input (Alexander <shvedov@....com>) CVE-2026-47187, CVE-2026-48711: sshfs <= 3.7.5 symlink escape (local file read/write) and ssh argument injection (local… (Abhinav Agarwal <abhinavagarwal1996@gma…) 3 messages Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list . Confused about

Apache Denial Of Service Path Traversal
NVD
EPSS
0.0%
CVE-2026-48827 Maven HIGH PATCH GHSA This Week

Path traversal in the org.apache.sshd:sshd-git component of Apache MINA SSHD allows authenticated remote attackers to read files outside the intended Git repository directory by supplying crafted path references over SSH. The flaw was disclosed pre-NVD on the oss-security mailing list on 2026-05-30 by Apache maintainer Thomas Wolf, with no public exploit identified at time of analysis and no CISA KEV listing.

Apache Path Traversal Denial Of Service Suse Red Hat
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-47187 Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/30. month] [year] [list] oss-security mailing list - 2026/05/30 CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git (Thomas Wolf <twolf@...che.org>) CVE-2025-70116: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on truncated MP4 input (Alexander <shvedov@....com>) CVE-2026-47187, CVE-2026-48711: sshfs <= 3.7.5 symlink escape (local file read/write) and ssh argument injection (local… (Abhinav Agarwal <abhinavagarwal1996@gma…) 3 messages Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list

Apache Denial Of Service Path Traversal
NVD
EPSS
0.0%
CVE-2026-47397 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in PraisonAI <= 4.6.39 enables remote attackers to plant attacker-controlled files at arbitrary filesystem paths when a victim uses the Python API to crawl attacker-hosted web content. The flaw stems from write_file.py skipping path validation whenever workspace=None, which is the default state in production, and is triggered indirectly via hidden HTML metadata that PraisonAI agents interpret as legitimate instructions. No public exploit identified at time of analysis beyond the detailed PoC included in the GitHub Security Advisory (GHSA-hvhp-v2gc-268q).

Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-47394 PyPI HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.

Docker PostgreSQL Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-47121 MEDIUM GHSA This Month

Intermediate-symlink traversal in Sparkle's binary delta apply pipeline allows a holder of a compromised EdDSA signing key to achieve arbitrary file write at the privilege level of the AppInstaller process - root for system-domain installs. The flaw exists in SUBinaryDeltaApply.m, which only inspects the immediate parent directory for symlink status rather than all intermediate path components; a .delta archive item can first plant a symlink (e.g., pointing to /Library/LaunchDaemons) and a second item can then write through it via fopen(), which follows kernel-resolved symlinks unconditionally. A fully functional proof-of-concept demonstrating LaunchDaemon persistence installation is detailed in GHSA-hg88-v3cw-3qrh, though it requires a valid EdDSA signature, meaning public exploit utility is gated on signing key possession. No vendor-released patch has been identified at time of analysis.

Path Traversal
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40425 MEDIUM PATCH CISA This Month

Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Path Traversal Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45668 CRITICAL PATCH Act Now

Remote code execution in TriliumNext Trilium Notes desktop client prior to 0.102.2 allows attackers to achieve arbitrary code execution by tricking a user into importing a malicious ZIP archive with safe import enabled. The flaw chains a #docName path traversal (CWE-22) with stored XSS, and the Electron renderer's nodeIntegration=true setting elevates the XSS into full host RCE. No public exploit identified at time of analysis, but the vendor advisory describes a complete working chain and the CVSS 4.0 score of 9.3 reflects subsequent-system impact.

XSS Path Traversal Trilium
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-10108 PyPI HIGH PATCH GHSA This Week

{file_path:path} endpoint. The flaw stems from comparing an attacker-controlled absolute path against the music base path without a trailing separator, so sibling directories sharing the base name's prefix are reachable. No public exploit identified at time of analysis, but the upstream commit publicly discloses the exact bypass technique.

Path Traversal Xiaomusic
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-44829 Go HIGH PATCH GHSA This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39276 HIGH This Week

Authenticated remote code execution in Emlog Pro v2.6.9 stems from a path traversal flaw in the template upload feature that lets administrators write arbitrary PHP files outside the intended template directory. Attackers leverage crafted ZIP archives containing '../' sequences in member filenames to overwrite default template files or drop new PHP payloads inside the active template, yielding code execution under the web server account. No public exploit identified at time of analysis, but a vulnerability report repository on GitHub demonstrates the issue.

PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2018-25393 HIGH POC This Week

Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-45661 CRITICAL Act Now

Authenticated path traversal in Dokploy v0.26.5 and earlier (CWE-22) enables arbitrary file write during application deployment, escalating to remote code execution when the affected instance uses the remote server deployment feature. With a CVSS 9.9 score reflecting scope change and full CIA impact, any user with deployment privileges can drop cron jobs onto remote hosts to fully compromise them, bypassing container isolation. No public exploit identified at time of analysis, though the vendor's own GHSA-66v7-g3fh-47h3 advisory characterizes the chain as critical.

RCE Path Traversal Dokploy
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-10075 MEDIUM This Month

Absolute Path Traversal in DreamMaker (developed by Interinfo) allows unauthenticated remote attackers to enumerate file names under arbitrary filesystem paths on the host. The vulnerability stems from CWE-36 (Absolute Path Traversal) and is exploitable over the network without any credentials or user interaction, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). Confidentiality impact is limited to file name disclosure rather than full file content retrieval, per the VC:L scoring. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Dreammaker
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-10074 MEDIUM This Month

Arbitrary file read in Interinfo's DreamMaker application allows privileged attackers to traverse relative path boundaries and download arbitrary system files. The vulnerability stems from insufficient path normalization in a file download or retrieval function, enabling exfiltration of sensitive system content without modifying or disrupting the target. No public exploit code has been identified at time of analysis, and the requirement for high privileges (PR:H per CVSS 4.0) materially limits the attacker pool.

Path Traversal Dreammaker
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44239 HIGH PATCH This Week

Local file inclusion in FreePBX versions prior to 16.0.22 and 17.0.5 allows authenticated remote attackers to include arbitrary .class.php files from the filesystem via path traversal in the Dashboard module's getcontent AJAX handler. The unsanitized $_REQUEST['rawname'] parameter is concatenated into a PHP include() call, and any included file's top-level code executes before the subsequent class instantiation fails. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but CWE-98 PHP file inclusion bugs are historically high-value targets in PBX systems exposed to the internet.

LFI PHP Path Traversal
NVD GitHub
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-10073 HIGH This Week

Arbitrary file read in Interinfo DreamMaker allows remote unauthenticated attackers to retrieve sensitive system files by abusing a relative path traversal flaw in the application's file-handling logic. The issue is rated CVSS 4.0 8.7 (High) due to network exploitability with no privileges or user interaction, though impact is confined to confidentiality. No public exploit identified at time of analysis, and the disclosure was coordinated through TWCERT (Taiwan's national CERT).

Path Traversal Dreammaker
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-8326 CRITICAL Act Now

Path traversal in Remote Spark SparkView before build 1127 enables remote attackers to read and write arbitrary files as root through the RDP drive redirection component, leading to full remote code execution. CVSS 4.0 scores this 10.0 with no public exploit identified at time of analysis, though SSVC marks it automatable with total technical impact. Depending on the deployment, exploitation can be performed without authentication, making vulnerable internet-facing instances a high-priority patching target.

Path Traversal Www Remotespark Com
NVD
CVSS 4.0
10.0
EPSS
0.1%
CVE-2025-41280 HIGH This Week

Relative path traversal (Zip Slip) in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 enables code execution on the RX side when attackers already control the TX Host and the deployment uses a MySQL connector with file compression enabled. The flaw, tracked as CWE-23 and reported by Nozomi Networks Labs, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but it meaningfully undermines the data-diode trust boundary the WF-500 is deployed to enforce.

Path Traversal Wf 500
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2025-41271 HIGH This Week

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to retrieve sensitive files from the device through a path traversal flaw in the Console WebUI. Discovered and disclosed by Nozomi Networks Labs, the issue scores CVSS 4.0 8.7 with network attack vector and no privileges required, though no public exploit identified at time of analysis and the device is not currently listed in CISA KEV.

Path Traversal Wf 500
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-41268 HIGH This Week

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to remove files on the host machine via a relative path traversal flaw in the Administration WebUI. The flaw was identified by Nozomi Networks Labs; no public exploit identified at time of analysis, and the EPSS score of 1.38% (81st percentile) indicates moderately elevated but not extreme exploitation likelihood. Because Waterfall WF-500 is a unidirectional security gateway deployed at OT/IT boundaries in industrial environments, file deletion can directly disrupt data diode operations.

Path Traversal Wf 500
NVD
CVSS 4.0
8.8
EPSS
1.4%
CVE-2026-9559 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in Mautic 7 allows authenticated users with the campaign:imports:create permission to write arbitrary PHP files outside the intended extraction directory via a malicious ZIP uploaded through the campaign import feature. The flaw is a path traversal in the ZIP extraction routine that can be leveraged to overwrite cache or configuration files, yielding code execution as the web server user. No public exploit identified at time of analysis, and the CVSS 9.9 score reflects the combination of low attack complexity, scope change, and full CIA impact.

RCE PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-47179 Go HIGH PATCH GHSA This Week

Authenticated arbitrary file read in Arcane (Docker management UI) versions ≤ 1.19.3 allows any low-privileged user to read any file accessible to the backend process by abusing Docker Compose `include:` directives. Because `CreateProject` skips include-path validation that `UpdateProject` enforces, an attacker can register a project whose compose file points at `/etc/passwd` or `/app/data/arcane.db`, then fetch the contents via the project file API - yielding stored password hashes and API keys for all users, enabling admin takeover and host RCE through Arcane's Docker control plane. No public exploit identified at time of analysis; vendor patch is available in 1.19.4.

Docker Path Traversal Privilege Escalation
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-42305 PyPI HIGH PATCH GHSA This Week

Arbitrary file write leading to remote code execution in Dulwich (pure-Python Git implementation) versions >= 0.10.0 and < 1.2.5 allows attackers controlling a Git repository to plant files inside a Windows victim's .git directory - most notably .git/hooks/pre-commit.exe - which executes on the next commit. The flaw stems from the NTFS path-element validator accepting Windows-hostile bytes (\, :, and git~<n> 8.3 short-name aliases) plus broken handling of core.protectNTFS/core.protectHFS configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the technique is closely modeled on the well-documented Git CVE-2019-1353/1354 class.

Microsoft RCE Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-10044 HIGH POC PATCH This Week

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows paths or backslash traversal bypass it entirely. Publicly available exploit code exists and a vendor patch has been released; this issue was reported by VulnCheck.

Microsoft Path Traversal
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-47144 LIB MEDIUM PATCH GHSA This Month

Path traversal in the `shame next` subcommand of shamefile (pip/npm/Rust) allows an attacker who controls a `shamefile.yaml` to read one line at a time from any file accessible to the user running the command, including files outside the repository. Affected versions are 0.1.6 and earlier across all three package ecosystems; the fix in 0.1.7 eliminates disk reads entirely by rendering snippets from the registry's cached `content` field. No public exploit identified at time of analysis, and no CISA KEV listing, but the patch commit fully documents the vulnerable code path.

Path Traversal
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-33462 MEDIUM This Month

Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect administrative delete operations to unintended internal endpoints, potentially causing unauthorized deletion of user accounts or other Kibana-managed resources. Elastic's advisory ESA-2026-30 identifies fixes in versions 8.19.16 and 9.3.5, confirming the issue spans both active release branches. No public exploit code or CISA KEV listing has been identified at time of analysis, but the integrity impact of silent account deletion warrants prioritized patching in multi-tenant deployments.

Path Traversal Elastic
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-32847 HIGH POC This Week

{full_path:path} in new_ui/backend/main.py. Publicly available exploit code exists (referenced in HKUDS/DeepCode issue #126 and a VulnCheck advisory), making opportunistic exploitation realistic against exposed instances. No CISA KEV listing or EPSS data was provided, but the combination of no authentication, low complexity, and a single-request exploit places this at a high operational priority for any exposed deployment.

Path Traversal Deepcode
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-49128 HIGH PATCH This Week

Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-based exploitation against any default-configured MPD instance reachable on its protocol port.

Path Traversal Mpd
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46380 PyPI MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in compliance-trestle's HTTPSFetcher._do_fetch() allows a local low-privileged attacker to redirect outbound HTTP requests to internal services or cloud metadata endpoints such as 169.254.169.254 - enabling credential theft from AWS, GCP, or Azure instance metadata. Affected are all pip releases of compliance-trestle before 3.12.2 and versions 4.0.0 through 4.0.2. A public proof-of-concept (poc_ssrf_and_path_traversal.py) with 13 verified exploit vectors is attached to the GitHub Security Advisory GHSA-w76h-q7c6-jpjp; no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV) and no EPSS score was provided in the input data.

Path Traversal SSRF
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-4944 HIGH This Week

Remote code execution in vLLM 0.14.1 occurs because `trust_remote_code=True` is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit `--trust-remote-code=False` safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process, despite UI:R requiring an operator to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, indicating the regression pattern is already well understood.

RCE Path Traversal Vllm Project Vllm
NVD VulDB
CVSS 3.0
8.8
EPSS
0.1%
CVE-2026-46345 PyPI HIGH POC PATCH GHSA This Week

Arbitrary file write in compliance-trestle's `trestle author jinja` command allows a local user supplying a crafted `-o/--output` argument to write files anywhere the invoking user can write, due to missing validation of `../`, `..\`, and absolute paths. Affected versions are <= 3.12.1 and >= 4.0.0, < 4.0.3, with fixes in 3.12.2 and 4.0.3. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.

Microsoft RCE Path Traversal Python
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-45774 PyPI MEDIUM PATCH GHSA This Month

Arbitrary file read in IBM's compliance-trestle Python library allows any file accessible to the running process to be extracted by supplying a malicious OSCAL profile YAML with path traversal sequences in the imports[].href field. Three confirmed attack vectors exist: via the trestle:// URI scheme, via relative href paths, and via back_matter rlinks - all exploiting the same root cause in LocalFetcher. Publicly available exploit code (PoC) exists demonstrating extraction of /etc/passwd, cloud credential files, and SSH private keys; no CISA KEV listing is confirmed at time of analysis.

IBM Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-49238 HIGH PATCH This Week

Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files on the host filesystem by bypassing the host-side sshfs_server path containment. The flaw lives in the validate_path function (CWE-22 path traversal), which uses naive string prefix matching and accepts dot-dot sequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, though the technical write-up in the GHSA advisory provides enough detail to make exploitation reproducible.

Path Traversal Canonical
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48977 Maven HIGH PATCH GHSA This Week

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the server by abusing the 'cmd=log' command with a crafted log path parameter. The flaw allows any low-privileged API user to escape the intended log directory and access sensitive files such as configuration, credentials, or keystores, with no public exploit identified at time of analysis.

Apache Path Traversal
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-9804 Go HIGH PATCH GHSA This Week

Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.

Information Disclosure Path Traversal Red Hat Openshift Virtualization 4
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-6455 HIGH This Week

Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.

Deserialization CSRF SQLi WordPress PHP +1
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-9789 HIGH This Week

Local privilege escalation in Acer NitroSense software versions prior to 3.01.3052 allows any authenticated local user to delete arbitrary files with SYSTEM authority by abusing a weakly-ACL'd Named Pipe exposed by the PSAdminAgent service. No public exploit has been identified at time of analysis, but the issue was disclosed by Acer themselves and a patched version is available.

Privilege Escalation Path Traversal Nitrorsense V3
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45725 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

IBM RCE Python Nginx Path Traversal
NVD GitHub
EPSS
0.0%
CVE-2026-46402 HIGH This Week

Path traversal write in Microsoft UFO (build 3.0.1-4-ge2626659) lets an authenticated client smuggle directory-traversal sequences (e.g. ../) inside the user-controlled task_name value, which UFO concatenates directly into session log paths, causing it to create directories and write log files anywhere the process can reach outside the intended logs/ directory. The CVSS 8.1 (CWE-22) rating reflects high integrity and availability impact with no confidentiality loss, consistent with arbitrary file/directory creation rather than data theft. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the only available source is the vendor GitHub Security Advisory GHSA-whcg-fgpx-76f2.

Microsoft Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45309 PyPI MEDIUM PATCH GHSA This Month

Path traversal in AsyncSSH 2.22.0's AuthorizedKeysFile %u token expansion allows an unauthenticated remote attacker to bypass SSH public-key authentication by supplying a crafted username containing directory traversal sequences. Servers configured with per-user key patterns such as AuthorizedKeysFile authorized_keys/%u are vulnerable when an attacker can place or reference a readable authorized-keys-format file at a filesystem path reachable by traversal from the configured directory. Publicly available exploit code exists demonstrating successful authentication bypass; KEV status is not confirmed at time of analysis.

SSH Path Traversal Suse
NVD GitHub
EPSS
0.2%
CVE-2026-8361 HIGH PATCH This Week

Information disclosure via path traversal in Gladinet Triofox lets remote unauthenticated attackers read arbitrary files on the server by sending crafted requests whose URL path begins with /woshome, which are handled by the WOSDefaultHttpModule.dll component. The CVSS 7.5 scoring (confidentiality-only impact) reflects unrestricted file read without code execution or service disruption. No public exploit has been identified at time of analysis, and the issue was reported by Tenable rather than appearing in CISA KEV.

Path Traversal Triofox
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6957 HIGH This Week

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost server plant files at attacker-chosen paths inside the target server's filestore by supplying a malicious, unsanitized filename through the shared-channel attachment sync protocol. The flaw stems from CWE-22 path traversal in the export-path construction logic and carries CVSS 8.0 with a changed scope, reflecting that a compromised or hostile federation peer can affect resources beyond the plugin's intended boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none' but technical impact as 'total'.

Mattermost Path Traversal
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-48544 PyPI HIGH GHSA This Week

Unauthorized file disclosure in Taipy 4.1.1 lets remote unauthenticated attackers read files outside an extension library's intended directory through the GUI ElementLibrary.get_resource() resource handler. The containment check used str.startswith() without a trailing separator, so a crafted request with traversal segments can resolve into a prefix-matching sibling directory on disk while still passing the flawed check. Impact is confined to confidentiality (file read), with no public exploit identified at time of analysis and no CISA KEV listing.

Path Traversal Python
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-47118 HIGH PATCH This Week

Arbitrary file read in Agent Zero before version 1.15 lets remote unauthenticated attackers retrieve files outside the agent workspace through the image-serving API (api/image_get.py), which validates only the file extension while the directory-containment check is commented out. Any file readable by the process and bearing an allowed image extension can be disclosed, and symlinks can be abused to reach non-image targets because the path is never canonicalized. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

Path Traversal
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-9035 MEDIUM This Month

Path traversal in the asperahttpd HTTP component of IBM Aspera High-Speed Transfer Endpoint and Server (versions 3.7.4 through 4.4.7 Fix Pack 1) enables authenticated network users to read arbitrary files from the server's local filesystem beyond their authorized scope. The vulnerability is classified CWE-22 and carries a CVSS 6.5 medium score, reflecting high confidentiality impact with no integrity or availability exposure. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation status as none with partial technical impact, suggesting limited immediate threat despite the sensitive nature of file read primitives in a file-transfer product.

Path Traversal IBM
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7524 CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

RCE Path Traversal IBM
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-3366 HIGH This Week

Directory traversal in IBM InfoSphere Optim Test Data Fabrication (versions 1.0.0 through 1.0.2.7) lets a remote, unauthenticated attacker read arbitrary files from the host by sending a crafted URL containing '../' sequences. The flaw is purely an information-disclosure issue - confidentiality is impacted with no integrity or availability effect - and CVSS rates it 7.5 (High). There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as none, though it flags the issue as automatable.

Path Traversal IBM
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42757 CRITICAL Act Now

Path traversal in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions up to and including 4.08.253 and allows authenticated low-privilege users to manipulate file paths outside the intended plugin directory. The linked Patchstack advisory characterizes the concrete impact as arbitrary file deletion, which can corrupt the WordPress installation or enable further compromise. EPSS probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, despite the 9.9 CVSS score.

Path Traversal
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-42756 CRITICAL Act Now

Path traversal in the QuickWebP WordPress plugin (versions up to and including 3.2.7) allows authenticated low-privilege users to manipulate file paths and delete arbitrary files on the server, per the Patchstack advisory titling this an arbitrary file deletion flaw. With a CVSS of 9.9 and a changed scope, deletion of sensitive files such as wp-config.php can cascade into full site compromise. There is no public exploit identified at time of analysis.

Path Traversal
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-42737 HIGH This Week

Path traversal in the VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 allows remote unauthenticated attackers to delete arbitrary files on the host. The CVSS vector (A:H only, with C:N/I:N) and the Patchstack reference title both indicate the concrete impact is arbitrary file deletion rather than data disclosure, which can corrupt or take down the WordPress site. No public exploit has been identified and the EPSS score is very low (0.05%, 15th percentile), indicating this is not yet being broadly exploited despite the high 8.6 CVSS rating.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2024-47267 LOW PATCH Monitor

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Synology Path Traversal
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2024-11399 MEDIUM PATCH This Month

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.

Synology Path Traversal Redis Information Disclosure
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-41009 MEDIUM PATCH This Month

Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.

Path Traversal Bosh
NVD
CVSS 4.0
4.3
EPSS
0.0%
CVE-2026-44705 npm HIGH PATCH GHSA This Week

Path traversal in the tmp npm package (versions < 0.2.6) lets callers escape the intended temporary directory by passing traversal sequences or absolute paths in the prefix, postfix, or dir options to tmp.file(), tmp.dir(), or tmp.tmpName(). Applications that forward untrusted input into those options can be coerced into creating files at attacker-chosen filesystem locations with the process's privileges, enabling config poisoning, cache poisoning, or web-shell drops. Publicly available exploit code exists (the advisory ships a working PoC and a regression test), but no public exploit identified at time of analysis indicates active exploitation in the wild.

Path Traversal PHP Microsoft Node.js Privilege Escalation +2
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-9312 CRITICAL PATCH Act Now

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issuing crafted requests to internal services, reachable through an upload endpoint that fails to validate input. By injecting path-traversal content into request parameters, an attacker can redirect internal API calls to reach back-end services and harvest sensitive credentials. No public exploit identified at time of analysis; the issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 base score of 9.2 (Critical), though the vector flags high attack complexity and an extra attack requirement that temper real-world ease of exploitation.

SSRF Path Traversal Enterprise Server
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-49009 LOW Monitor

Directory traversal in Northern.tech Mender Server allows a remote authenticated attacker to read files outside intended directory boundaries, resulting in limited confidentiality exposure. Affected versions include v4.1.0, v4.0.1, and all prior releases; patched versions v4.1.1 and v4.0.2 are available. No public exploit code and no active exploitation have been identified at time of analysis, and the low CVSS score of 3.1 reflects constrained real-world impact.

Path Traversal
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-44177 PHP HIGH PATCH GHSA This Week

Pre-authentication path traversal in Kirby CMS versions 5.3.0 through 5.4.0 lets remote attackers manipulate the user ID used during account lookup to escape the site/accounts directory, enabling inclusion of arbitrary PHP files named index.php (such as plugin entrypoints) and probing for the existence of arbitrary server directories. The flaw is reachable through the unauthenticated authentication API and affects all Kirby sites on these versions regardless of configuration. The vendor rates it high (CVSS 8.8); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal PHP
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-48047 Maven MEDIUM PATCH GHSA This Month

Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component `xwiki-platform-webjars-api` fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. No public exploit is identified and no CISA KEV listing exists; vendor-released patches are available across three version branches.

Atlassian Path Traversal
NVD GitHub
EPSS
0.1%
CVE-2026-40383 HIGH This Week

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privilege attackers to read arbitrary server files via improper validation of the layout parameter in htmlview. The flaw is reported by the Joomla project itself (EUVD-2026-31888) and no public exploit identified at time of analysis, with EPSS scoring 0.00% and CISA SSVC marking exploitation status as none despite total technical impact.

Path Traversal Joomla Cms
NVD VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-40384 MEDIUM This Month

Path traversal in Joomla! CMS com_media web service endpoint allows authenticated high-privilege attackers to read arbitrary files outside the intended web root via a manipulated search parameter. Affected versions span two major release trains: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. No public exploit code exists and no active exploitation has been confirmed, but the vulnerability results in full confidentiality loss of the vulnerable system's filesystem contents accessible to the web process.

Path Traversal Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48126 Go HIGH PATCH GHSA This Week

Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the document root via a crafted Host header when the server runs with --domain or --letsencrypt. Beyond arbitrary file read and directory listing, any reachable .lua file in the parent directory will be executed server-side, escalating disclosure into code execution. No public exploit is identified at time of analysis, but SSVC marks the issue as automatable with PoC and EPSS sits at the 20th percentile (0.07%).

Path Traversal Algernon
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-43982 HIGH PATCH This Week

Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded files outside the intended directory by supplying a directory parameter containing ../ sequences. The flaw in uploadedFileSaveIn() within lua/upload/upload.go fails to validate the joined path after filepath.Join(), so a value like ../../../tmp resolves to /tmp on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but CISA SSVC flags the issue as automatable with partial technical impact.

Path Traversal Algernon
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40564 MEDIUM PATCH This Month

Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.

Apache Information Disclosure Kubernetes SSRF Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41917 MEDIUM POC This Month

Path traversal in OpenKM's administrative scripting interface exposes arbitrary server-side files to authenticated administrators who supply attacker-controlled paths via the fsPath parameter at /admin/Scripting with action=Load. Both the Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) are affected, enabling exfiltration of /etc/passwd, database credential files, and JVM keystores accessible to the OpenKM process. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via Exploit-DB (52520) and Terra System Labs' GitHub repository, raising the realistic risk for environments where admin credentials are shared, weak, or previously compromised.

Path Traversal Openkm Community Edition Openkm Professional Edition
NVD Exploit-DB GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-9550 MEDIUM POC This Month

Unauthenticated path traversal in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 exposes arbitrary file system access through the `/SubstationWEBV2/app/..;/main/upfile` endpoint by manipulating the `path` argument. The vulnerability is remotely exploitable with no authentication or user interaction required (CVSS 4.0 AV:N/AC:L/AT:N/PR:N/UI:N), and a publicly available proof-of-concept exists. Although EPSS sits at 0.09% (25th percentile), SSVC classifies this as automatable, and the vendor has not responded to disclosure, leaving no official patch available.

Path Traversal Eems Enterprise Power Operation And Maintenance Cloud Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-9473 LOW POC Monitor

Path traversal in jimeng-mcp 1.10.0 allows low-privileged remote attackers to read and write files outside the intended directory by supplying crafted filePath arguments to four distinct API functions: getFileContent, uploadCoverFile, generateImage, and generateVideo in src/api.ts. A publicly available proof-of-concept exploit exists, disclosed via GitHub issue #15, though EPSS at 0.04% (13th percentile) indicates minimal observed mass-exploitation activity to date. No patch has been released and the vendor has not responded to the responsible disclosure, leaving deployments without an official remediation path.

Path Traversal Jimeng Mcp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9472 LOW POC Monitor

Path traversal in dazeb markdown-downloader exposes server-side file systems to low-privileged remote attackers through unsanitized input in three functions within src/index.ts. The affected functions - download_markdown, list_downloaded_files, and create_subdirectory - fail to restrict directory scope, allowing authenticated users with low privileges to read or write files outside intended boundaries. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via a GitHub issue report, and the project maintainer has not acknowledged or patched the disclosure.

Path Traversal Markdown Downloader
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9468 LOW POC Monitor

Path traversal in dazeb cline-mcp-memory-bank exposes host filesystems to authenticated remote attackers via unsanitized user input in the `handleInitializeMemoryBank` function of `src/index.ts`. All versions up to and including commit 55c81b9cf6c16700983c84dc4cdea3cafa19a75f are affected, covering the entire release history of this rolling-release MCP memory tool. A public proof-of-concept exploit exists via the project's GitHub issue tracker, though EPSS scoring (0.04%, 13th percentile) and SSVC's non-automatable classification suggest limited mass exploitation risk at time of analysis.

Path Traversal Cline Mcp Memory Bank
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9467 LOW POC Monitor

Path traversal in debugmcp mcp-debugger through version 0.20.0 enables authenticated remote attackers with low-privilege access to read arbitrary files outside the intended directory via the `handleGetSourceContext` function in `src/server.ts`. Impact is restricted to limited confidentiality exposure on the vulnerable system (CVSS VC:L) with no integrity or availability consequence, yielding a CVSS 4.0 score of 2.1. A public proof-of-concept exploit exists on GitHub, though the EPSS score remains at 0.04% (12th percentile) and the issue is absent from the CISA KEV catalog, indicating exploitation has not been observed at meaningful scale. The vendor did not respond to responsible disclosure, meaning no official patch is available.

Path Traversal Mcp Debugger
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2018-25374 HIGH POC This Week

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2018-25365 HIGH POC This Week

PCViewer vt1000 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by submitting relative path sequences in GET requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Pcviewer
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-7766 HIGH PATCH This Week

Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An unauthenticated attacker can send GET request with arbitrary file path and read corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. Rest of the products were fixed in version 2025-04-21.

Path Traversal Kg 5230Tas Il 3 Kg 5230Tas Il G3 Kg 5230Das Il G3 Kg 5260Tzas Il 3 +4
NVD
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-41863 Maven MEDIUM PATCH This Month

Path traversal in Spring AI 1.1.0-1.1.x allows authenticated remote attackers to write arbitrary files outside the intended target directory by exploiting unsanitized LLM-influenced filenames in the Anthropic Skills API file-write workflow. The root cause is Spring AI passing filenames derived from LLM output directly to Path.resolve() without input sanitization, enabling directory escape via traversal sequences. No public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), though the high integrity impact (CVSS I:H) makes unauthorized file writes to restricted directories a meaningful concern in production deployments.

Path Traversal Java Spring Ai
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9489 HIGH This Week

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Microsoft Path Traversal RCE Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-9351 MEDIUM POC This Month

Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass path restrictions and modify or disrupt file operations via the read_file tool. The flaw exists in the _is_blocked_device function within tools/file_tools.py. Public exploit code is available (EPSS data not provided, but exploit confirmed). Vendor was notified but did not respond, suggesting no official patch exists at time of analysis.

Path Traversal Hermes Agent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-34911 HIGH PATCH This Week

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-34909 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2025-45145 HIGH This Week

Arbitrary file disclosure in Follett Software's Destiny Library Manager (version 22_0_2_rc1) lets remote unauthenticated attackers read system and application files by supplying directory-traversal sequences in the 'image' parameter. Publicly available exploit code exists (a Medium write-up documenting the unauthenticated LFI), and CISA's SSVC framework classifies exploitation as proof-of-concept and automatable, though EPSS remains modest at 0.46% (64th percentile). The flaw is fixed in v.22.5 AU1.

Path Traversal N A
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-36227 MEDIUM This Month

Directory traversal in Easy Chat Server 3.1 enables remote unauthenticated attackers to read arbitrary files and potentially execute arbitrary code by supplying path traversal sequences in the UserName parameter. The CVSS vector (PR:N/AV:N/AC:L) confirms exploitation requires no authentication and low complexity, and a public proof-of-concept repository is available on GitHub (NullByte8080/CVE-2026-36227). Despite the RCE tag and unauthenticated network vector, EPSS sits at just 0.14% (33rd percentile) and SSVC reports no active exploitation, suggesting this is not yet being leveraged at scale.

Path Traversal RCE N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-46703 LIB CRITICAL PATCH GHSA Act Now

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); no public exploit identified in CISA KEV at time of analysis.

Path Traversal Python RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.2%
EPSS 0% CVSS 8.6
HIGH This Week

Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Vertex
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged users to download arbitrary files from the server filesystem. The vulnerability, reported by Patchstack as an arbitrary file download flaw, exposes full confidentiality impact (C:H) with no integrity or availability consequence, meaning attackers can exfiltrate sensitive server files - including wp-config.php, credentials, or private data - but cannot modify or destroy them. No active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Path Traversal Classified Listing
NVD
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.

Path Traversal Pip
NVD GitHub VulDB
EPSS 0%
MEDIUM PATCH This Month

Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Microsoft Path Traversal Python
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.

File Upload PHP Path Traversal
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Path traversal in SOPlanning 1.55 and below exposes backup endpoints to arbitrary file read and execution, allowing a high-privilege authenticated attacker to construct payloads that traverse directories and interact with files previously stored via the backup functionality. The standalone vulnerability's PR:H authentication barrier is critically undermined by a companion flaw, CVE-2026-40543 (Missing Authorization), which removes authorization enforcement on backup file access entirely - enabling any unauthenticated user to read backup files. The combined exploit chain elevates practical risk well above what the standalone CVSS 6.4 score implies, with downstream High impacts across Confidentiality, Integrity, and Availability. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skills/delete API endpoint to escape the intended directory boundary, enabling unauthorized deletion or corruption of arbitrary files on the host system. The CVSS vector (C:N/I:L/A:L) confirms no confidentiality exposure but meaningful integrity and availability impact. A public proof-of-concept exploit is available on GitHub; the vendor did not respond to responsible disclosure, and no patch has been released at time of analysis.

Path Traversal Astrbot
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0%
Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/30. ist] oss-security mailing list - 2026/05/30 CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git (Thomas Wolf <twolf@...che.org>) CVE-2025-70116: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on truncated MP4 input (Alexander <shvedov@....com>) CVE-2026-47187, CVE-2026-48711: sshfs <= 3.7.5 symlink escape (local file read/write) and ssh argument injection (local… (Abhinav Agarwal <abhinavagarwal1996@gma…) 3 messages Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list . Confused about

Apache Denial Of Service Path Traversal
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in the org.apache.sshd:sshd-git component of Apache MINA SSHD allows authenticated remote attackers to read files outside the intended Git repository directory by supplying crafted path references over SSH. The flaw was disclosed pre-NVD on the oss-security mailing list on 2026-05-30 by Apache maintainer Thomas Wolf, with no public exploit identified at time of analysis and no CISA KEV listing.

Apache Path Traversal Denial Of Service +2
NVD VulDB
EPSS 0%
Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/30. month] [year] [list] oss-security mailing list - 2026/05/30 CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git (Thomas Wolf <twolf@...che.org>) CVE-2025-70116: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on truncated MP4 input (Alexander <shvedov@....com>) CVE-2026-47187, CVE-2026-48711: sshfs <= 3.7.5 symlink escape (local file read/write) and ssh argument injection (local… (Abhinav Agarwal <abhinavagarwal1996@gma…) 3 messages Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list

Apache Denial Of Service Path Traversal
NVD
EPSS 0%
HIGH PATCH This Week

Arbitrary file write in PraisonAI <= 4.6.39 enables remote attackers to plant attacker-controlled files at arbitrary filesystem paths when a victim uses the Python API to crawl attacker-hosted web content. The flaw stems from write_file.py skipping path validation whenever workspace=None, which is the default state in production, and is triggered indirectly via hidden HTML metadata that PraisonAI agents interpret as legitimate instructions. No public exploit identified at time of analysis beyond the detailed PoC included in the GitHub Security Advisory (GHSA-hvhp-v2gc-268q).

Path Traversal Python
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.

Docker PostgreSQL Path Traversal +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Intermediate-symlink traversal in Sparkle's binary delta apply pipeline allows a holder of a compromised EdDSA signing key to achieve arbitrary file write at the privilege level of the AppInstaller process - root for system-domain installs. The flaw exists in SUBinaryDeltaApply.m, which only inspects the immediate parent directory for symlink status rather than all intermediate path components; a .delta archive item can first plant a symlink (e.g., pointing to /Library/LaunchDaemons) and a second item can then write through it via fopen(), which follows kernel-resolved symlinks unconditionally. A fully functional proof-of-concept demonstrating LaunchDaemon persistence installation is detailed in GHSA-hg88-v3cw-3qrh, though it requires a valid EdDSA signature, meaning public exploit utility is gated on signing key possession. No vendor-released patch has been identified at time of analysis.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Path Traversal Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in TriliumNext Trilium Notes desktop client prior to 0.102.2 allows attackers to achieve arbitrary code execution by tricking a user into importing a malicious ZIP archive with safe import enabled. The flaw chains a #docName path traversal (CWE-22) with stored XSS, and the Electron renderer's nodeIntegration=true setting elevates the XSS into full host RCE. No public exploit identified at time of analysis, but the vendor advisory describes a complete working chain and the CVSS 4.0 score of 9.3 reflects subsequent-system impact.

XSS Path Traversal Trilium
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

{file_path:path} endpoint. The flaw stems from comparing an attacker-controlled absolute path against the music base path without a trailing separator, so sibling directories sharing the base name's prefix are reachable. No public exploit identified at time of analysis, but the upstream commit publicly discloses the exact bypass technique.

Path Traversal Xiaomusic
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated remote code execution in Emlog Pro v2.6.9 stems from a path traversal flaw in the template upload feature that lets administrators write arbitrary PHP files outside the intended template directory. Attackers leverage crafted ZIP archives containing '../' sequences in member filenames to overwrite default template files or drop new PHP payloads inside the active template, yielding code execution under the web server account. No public exploit identified at time of analysis, but a vulnerability report repository on GitHub demonstrates the issue.

PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Authenticated path traversal in Dokploy v0.26.5 and earlier (CWE-22) enables arbitrary file write during application deployment, escalating to remote code execution when the affected instance uses the remote server deployment feature. With a CVSS 9.9 score reflecting scope change and full CIA impact, any user with deployment privileges can drop cron jobs onto remote hosts to fully compromise them, bypassing container isolation. No public exploit identified at time of analysis, though the vendor's own GHSA-66v7-g3fh-47h3 advisory characterizes the chain as critical.

RCE Path Traversal Dokploy
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Absolute Path Traversal in DreamMaker (developed by Interinfo) allows unauthenticated remote attackers to enumerate file names under arbitrary filesystem paths on the host. The vulnerability stems from CWE-36 (Absolute Path Traversal) and is exploitable over the network without any credentials or user interaction, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). Confidentiality impact is limited to file name disclosure rather than full file content retrieval, per the VC:L scoring. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Dreammaker
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Arbitrary file read in Interinfo's DreamMaker application allows privileged attackers to traverse relative path boundaries and download arbitrary system files. The vulnerability stems from insufficient path normalization in a file download or retrieval function, enabling exfiltration of sensitive system content without modifying or disrupting the target. No public exploit code has been identified at time of analysis, and the requirement for high privileges (PR:H per CVSS 4.0) materially limits the attacker pool.

Path Traversal Dreammaker
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Local file inclusion in FreePBX versions prior to 16.0.22 and 17.0.5 allows authenticated remote attackers to include arbitrary .class.php files from the filesystem via path traversal in the Dashboard module's getcontent AJAX handler. The unsanitized $_REQUEST['rawname'] parameter is concatenated into a PHP include() call, and any included file's top-level code executes before the subsequent class instantiation fails. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but CWE-98 PHP file inclusion bugs are historically high-value targets in PBX systems exposed to the internet.

LFI PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file read in Interinfo DreamMaker allows remote unauthenticated attackers to retrieve sensitive system files by abusing a relative path traversal flaw in the application's file-handling logic. The issue is rated CVSS 4.0 8.7 (High) due to network exploitability with no privileges or user interaction, though impact is confined to confidentiality. No public exploit identified at time of analysis, and the disclosure was coordinated through TWCERT (Taiwan's national CERT).

Path Traversal Dreammaker
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Path traversal in Remote Spark SparkView before build 1127 enables remote attackers to read and write arbitrary files as root through the RDP drive redirection component, leading to full remote code execution. CVSS 4.0 scores this 10.0 with no public exploit identified at time of analysis, though SSVC marks it automatable with total technical impact. Depending on the deployment, exploitation can be performed without authentication, making vulnerable internet-facing instances a high-priority patching target.

Path Traversal Www Remotespark Com
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Relative path traversal (Zip Slip) in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 enables code execution on the RX side when attackers already control the TX Host and the deployment uses a MySQL connector with file compression enabled. The flaw, tracked as CWE-23 and reported by Nozomi Networks Labs, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but it meaningfully undermines the data-diode trust boundary the WF-500 is deployed to enforce.

Path Traversal Wf 500
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to retrieve sensitive files from the device through a path traversal flaw in the Console WebUI. Discovered and disclosed by Nozomi Networks Labs, the issue scores CVSS 4.0 8.7 with network attack vector and no privileges required, though no public exploit identified at time of analysis and the device is not currently listed in CISA KEV.

Path Traversal Wf 500
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to remove files on the host machine via a relative path traversal flaw in the Administration WebUI. The flaw was identified by Nozomi Networks Labs; no public exploit identified at time of analysis, and the EPSS score of 1.38% (81st percentile) indicates moderately elevated but not extreme exploitation likelihood. Because Waterfall WF-500 is a unidirectional security gateway deployed at OT/IT boundaries in industrial environments, file deletion can directly disrupt data diode operations.

Path Traversal Wf 500
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Mautic 7 allows authenticated users with the campaign:imports:create permission to write arbitrary PHP files outside the intended extraction directory via a malicious ZIP uploaded through the campaign import feature. The flaw is a path traversal in the ZIP extraction routine that can be leveraged to overwrite cache or configuration files, yielding code execution as the web server user. No public exploit identified at time of analysis, and the CVSS 9.9 score reflects the combination of low attack complexity, scope change, and full CIA impact.

RCE PHP Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated arbitrary file read in Arcane (Docker management UI) versions ≤ 1.19.3 allows any low-privileged user to read any file accessible to the backend process by abusing Docker Compose `include:` directives. Because `CreateProject` skips include-path validation that `UpdateProject` enforces, an attacker can register a project whose compose file points at `/etc/passwd` or `/app/data/arcane.db`, then fetch the contents via the project file API - yielding stored password hashes and API keys for all users, enabling admin takeover and host RCE through Arcane's Docker control plane. No public exploit identified at time of analysis; vendor patch is available in 1.19.4.

Docker Path Traversal Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file write leading to remote code execution in Dulwich (pure-Python Git implementation) versions >= 0.10.0 and < 1.2.5 allows attackers controlling a Git repository to plant files inside a Windows victim's .git directory - most notably .git/hooks/pre-commit.exe - which executes on the next commit. The flaw stems from the NTFS path-element validator accepting Windows-hostile bytes (\, :, and git~<n> 8.3 short-name aliases) plus broken handling of core.protectNTFS/core.protectHFS configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the technique is closely modeled on the well-documented Git CVE-2019-1353/1354 class.

Microsoft RCE Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows paths or backslash traversal bypass it entirely. Publicly available exploit code exists and a vendor patch has been released; this issue was reported by VulnCheck.

Microsoft Path Traversal
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Path traversal in the `shame next` subcommand of shamefile (pip/npm/Rust) allows an attacker who controls a `shamefile.yaml` to read one line at a time from any file accessible to the user running the command, including files outside the repository. Affected versions are 0.1.6 and earlier across all three package ecosystems; the fix in 0.1.7 eliminates disk reads entirely by rendering snippets from the registry's cached `content` field. No public exploit identified at time of analysis, and no CISA KEV listing, but the patch commit fully documents the vulnerable code path.

Path Traversal
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect administrative delete operations to unintended internal endpoints, potentially causing unauthorized deletion of user accounts or other Kibana-managed resources. Elastic's advisory ESA-2026-30 identifies fixes in versions 8.19.16 and 9.3.5, confirming the issue spans both active release branches. No public exploit code or CISA KEV listing has been identified at time of analysis, but the integrity impact of silent account deletion warrants prioritized patching in multi-tenant deployments.

Path Traversal Elastic
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

{full_path:path} in new_ui/backend/main.py. Publicly available exploit code exists (referenced in HKUDS/DeepCode issue #126 and a VulnCheck advisory), making opportunistic exploitation realistic against exposed instances. No CISA KEV listing or EPSS data was provided, but the combination of no authentication, low complexity, and a single-request exploit places this at a high operational priority for any exposed deployment.

Path Traversal Deepcode
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-based exploitation against any default-configured MPD instance reachable on its protocol port.

Path Traversal Mpd
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Server-Side Request Forgery in compliance-trestle's HTTPSFetcher._do_fetch() allows a local low-privileged attacker to redirect outbound HTTP requests to internal services or cloud metadata endpoints such as 169.254.169.254 - enabling credential theft from AWS, GCP, or Azure instance metadata. Affected are all pip releases of compliance-trestle before 3.12.2 and versions 4.0.0 through 4.0.2. A public proof-of-concept (poc_ssrf_and_path_traversal.py) with 13 verified exploit vectors is attached to the GitHub Security Advisory GHSA-w76h-q7c6-jpjp; no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV) and no EPSS score was provided in the input data.

Path Traversal SSRF
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in vLLM 0.14.1 occurs because `trust_remote_code=True` is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit `--trust-remote-code=False` safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process, despite UI:R requiring an operator to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, indicating the regression pattern is already well understood.

RCE Path Traversal Vllm Project Vllm
NVD VulDB
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Arbitrary file write in compliance-trestle's `trestle author jinja` command allows a local user supplying a crafted `-o/--output` argument to write files anywhere the invoking user can write, due to missing validation of `../`, `..\`, and absolute paths. Affected versions are <= 3.12.1 and >= 4.0.0, < 4.0.3, with fixes in 3.12.2 and 4.0.3. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.

Microsoft RCE Path Traversal +1
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

Arbitrary file read in IBM's compliance-trestle Python library allows any file accessible to the running process to be extracted by supplying a malicious OSCAL profile YAML with path traversal sequences in the imports[].href field. Three confirmed attack vectors exist: via the trestle:// URI scheme, via relative href paths, and via back_matter rlinks - all exploiting the same root cause in LocalFetcher. Publicly available exploit code (PoC) exists demonstrating extraction of /etc/passwd, cloud credential files, and SSH private keys; no CISA KEV listing is confirmed at time of analysis.

IBM Path Traversal Python
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files on the host filesystem by bypassing the host-side sshfs_server path containment. The flaw lives in the validate_path function (CWE-22 path traversal), which uses naive string prefix matching and accepts dot-dot sequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, though the technical write-up in the GHSA advisory provides enough detail to make exploitation reproducible.

Path Traversal Canonical
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the server by abusing the 'cmd=log' command with a crafted log path parameter. The flaw allows any low-privileged API user to escape the intended log directory and access sensitive files such as configuration, credentials, or keystores, with no public exploit identified at time of analysis.

Apache Path Traversal
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.

Information Disclosure Path Traversal Red Hat Openshift Virtualization 4
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.

Deserialization CSRF SQLi +3
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Acer NitroSense software versions prior to 3.01.3052 allows any authenticated local user to delete arbitrary files with SYSTEM authority by abusing a weakly-ACL'd Named Pipe exposed by the PSAdminAgent service. No public exploit has been identified at time of analysis, but the issue was disclosed by Acer themselves and a patched version is available.

Privilege Escalation Path Traversal Nitrorsense V3
NVD VulDB
EPSS 0%
HIGH PATCH This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

IBM RCE Python +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Path traversal write in Microsoft UFO (build 3.0.1-4-ge2626659) lets an authenticated client smuggle directory-traversal sequences (e.g. ../) inside the user-controlled task_name value, which UFO concatenates directly into session log paths, causing it to create directories and write log files anywhere the process can reach outside the intended logs/ directory. The CVSS 8.1 (CWE-22) rating reflects high integrity and availability impact with no confidentiality loss, consistent with arbitrary file/directory creation rather than data theft. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the only available source is the vendor GitHub Security Advisory GHSA-whcg-fgpx-76f2.

Microsoft Path Traversal
NVD GitHub VulDB
EPSS 0%
MEDIUM PATCH This Month

Path traversal in AsyncSSH 2.22.0's AuthorizedKeysFile %u token expansion allows an unauthenticated remote attacker to bypass SSH public-key authentication by supplying a crafted username containing directory traversal sequences. Servers configured with per-user key patterns such as AuthorizedKeysFile authorized_keys/%u are vulnerable when an attacker can place or reference a readable authorized-keys-format file at a filesystem path reachable by traversal from the configured directory. Publicly available exploit code exists demonstrating successful authentication bypass; KEV status is not confirmed at time of analysis.

SSH Path Traversal Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure via path traversal in Gladinet Triofox lets remote unauthenticated attackers read arbitrary files on the server by sending crafted requests whose URL path begins with /woshome, which are handled by the WOSDefaultHttpModule.dll component. The CVSS 7.5 scoring (confidentiality-only impact) reflects unrestricted file read without code execution or service disruption. No public exploit has been identified at time of analysis, and the issue was reported by Tenable rather than appearing in CISA KEV.

Path Traversal Triofox
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost server plant files at attacker-chosen paths inside the target server's filestore by supplying a malicious, unsanitized filename through the shared-channel attachment sync protocol. The flaw stems from CWE-22 path traversal in the export-path construction logic and carries CVSS 8.0 with a changed scope, reflecting that a compromised or hostile federation peer can affect resources beyond the plugin's intended boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none' but technical impact as 'total'.

Mattermost Path Traversal
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthorized file disclosure in Taipy 4.1.1 lets remote unauthenticated attackers read files outside an extension library's intended directory through the GUI ElementLibrary.get_resource() resource handler. The containment check used str.startswith() without a trailing separator, so a crafted request with traversal segments can resolve into a prefix-matching sibling directory on disk while still passing the flawed check. Impact is confined to confidentiality (file read), with no public exploit identified at time of analysis and no CISA KEV listing.

Path Traversal Python
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file read in Agent Zero before version 1.15 lets remote unauthenticated attackers retrieve files outside the agent workspace through the image-serving API (api/image_get.py), which validates only the file extension while the directory-containment check is commented out. Any file readable by the process and bearing an allowed image extension can be disclosed, and symlinks can be abused to reach non-image targets because the path is never canonicalized. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the asperahttpd HTTP component of IBM Aspera High-Speed Transfer Endpoint and Server (versions 3.7.4 through 4.4.7 Fix Pack 1) enables authenticated network users to read arbitrary files from the server's local filesystem beyond their authorized scope. The vulnerability is classified CWE-22 and carries a CVSS 6.5 medium score, reflecting high confidentiality impact with no integrity or availability exposure. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation status as none with partial technical impact, suggesting limited immediate threat despite the sensitive nature of file read primitives in a file-transfer product.

Path Traversal IBM
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

RCE Path Traversal IBM
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Directory traversal in IBM InfoSphere Optim Test Data Fabrication (versions 1.0.0 through 1.0.2.7) lets a remote, unauthenticated attacker read arbitrary files from the host by sending a crafted URL containing '../' sequences. The flaw is purely an information-disclosure issue - confidentiality is impacted with no integrity or availability effect - and CVSS rates it 7.5 (High). There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as none, though it flags the issue as automatable.

Path Traversal IBM
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Path traversal in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions up to and including 4.08.253 and allows authenticated low-privilege users to manipulate file paths outside the intended plugin directory. The linked Patchstack advisory characterizes the concrete impact as arbitrary file deletion, which can corrupt the WordPress installation or enable further compromise. EPSS probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, despite the 9.9 CVSS score.

Path Traversal
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Path traversal in the QuickWebP WordPress plugin (versions up to and including 3.2.7) allows authenticated low-privilege users to manipulate file paths and delete arbitrary files on the server, per the Patchstack advisory titling this an arbitrary file deletion flaw. With a CVSS of 9.9 and a changed scope, deletion of sensitive files such as wp-config.php can cascade into full site compromise. There is no public exploit identified at time of analysis.

Path Traversal
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Path traversal in the VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 allows remote unauthenticated attackers to delete arbitrary files on the host. The CVSS vector (A:H only, with C:N/I:N) and the Patchstack reference title both indicate the concrete impact is arbitrary file deletion rather than data disclosure, which can corrupt or take down the WordPress site. No public exploit has been identified and the EPSS score is very low (0.05%, 15th percentile), indicating this is not yet being broadly exploited despite the high 8.6 CVSS rating.

Path Traversal
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Synology Path Traversal
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.

Synology Path Traversal Redis +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.

Path Traversal Bosh
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in the tmp npm package (versions < 0.2.6) lets callers escape the intended temporary directory by passing traversal sequences or absolute paths in the prefix, postfix, or dir options to tmp.file(), tmp.dir(), or tmp.tmpName(). Applications that forward untrusted input into those options can be coerced into creating files at attacker-chosen filesystem locations with the process's privileges, enabling config poisoning, cache poisoning, or web-shell drops. Publicly available exploit code exists (the advisory ships a working PoC and a regression test), but no public exploit identified at time of analysis indicates active exploitation in the wild.

Path Traversal PHP Microsoft +4
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issuing crafted requests to internal services, reachable through an upload endpoint that fails to validate input. By injecting path-traversal content into request parameters, an attacker can redirect internal API calls to reach back-end services and harvest sensitive credentials. No public exploit identified at time of analysis; the issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 base score of 9.2 (Critical), though the vector flags high attack complexity and an extra attack requirement that temper real-world ease of exploitation.

SSRF Path Traversal Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW Monitor

Directory traversal in Northern.tech Mender Server allows a remote authenticated attacker to read files outside intended directory boundaries, resulting in limited confidentiality exposure. Affected versions include v4.1.0, v4.0.1, and all prior releases; patched versions v4.1.1 and v4.0.2 are available. No public exploit code and no active exploitation have been identified at time of analysis, and the low CVSS score of 3.1 reflects constrained real-world impact.

Path Traversal
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Pre-authentication path traversal in Kirby CMS versions 5.3.0 through 5.4.0 lets remote attackers manipulate the user ID used during account lookup to escape the site/accounts directory, enabling inclusion of arbitrary PHP files named index.php (such as plugin entrypoints) and probing for the existence of arbitrary server directories. The flaw is reachable through the unauthenticated authentication API and affects all Kirby sites on these versions regardless of configuration. The vendor rates it high (CVSS 8.8); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal PHP
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component `xwiki-platform-webjars-api` fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. No public exploit is identified and no CISA KEV listing exists; vendor-released patches are available across three version branches.

Atlassian Path Traversal
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privilege attackers to read arbitrary server files via improper validation of the layout parameter in htmlview. The flaw is reported by the Joomla project itself (EUVD-2026-31888) and no public exploit identified at time of analysis, with EPSS scoring 0.00% and CISA SSVC marking exploitation status as none despite total technical impact.

Path Traversal Joomla Cms
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Path traversal in Joomla! CMS com_media web service endpoint allows authenticated high-privilege attackers to read arbitrary files outside the intended web root via a manipulated search parameter. Affected versions span two major release trains: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. No public exploit code exists and no active exploitation has been confirmed, but the vulnerability results in full confidentiality loss of the vulnerable system's filesystem contents accessible to the web process.

Path Traversal Joomla Cms
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the document root via a crafted Host header when the server runs with --domain or --letsencrypt. Beyond arbitrary file read and directory listing, any reachable .lua file in the parent directory will be executed server-side, escalating disclosure into code execution. No public exploit is identified at time of analysis, but SSVC marks the issue as automatable with PoC and EPSS sits at the 20th percentile (0.07%).

Path Traversal Algernon
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded files outside the intended directory by supplying a directory parameter containing ../ sequences. The flaw in uploadedFileSaveIn() within lua/upload/upload.go fails to validate the joined path after filepath.Join(), so a value like ../../../tmp resolves to /tmp on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but CISA SSVC flags the issue as automatable with partial technical impact.

Path Traversal Algernon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.

Apache Information Disclosure Kubernetes +2
NVD
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Path traversal in OpenKM's administrative scripting interface exposes arbitrary server-side files to authenticated administrators who supply attacker-controlled paths via the fsPath parameter at /admin/Scripting with action=Load. Both the Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) are affected, enabling exfiltration of /etc/passwd, database credential files, and JVM keystores accessible to the OpenKM process. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via Exploit-DB (52520) and Terra System Labs' GitHub repository, raising the realistic risk for environments where admin credentials are shared, weak, or previously compromised.

Path Traversal Openkm Community Edition Openkm Professional Edition
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated path traversal in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 exposes arbitrary file system access through the `/SubstationWEBV2/app/..;/main/upfile` endpoint by manipulating the `path` argument. The vulnerability is remotely exploitable with no authentication or user interaction required (CVSS 4.0 AV:N/AC:L/AT:N/PR:N/UI:N), and a publicly available proof-of-concept exists. Although EPSS sits at 0.09% (25th percentile), SSVC classifies this as automatable, and the vendor has not responded to disclosure, leaving no official patch available.

Path Traversal Eems Enterprise Power Operation And Maintenance Cloud Platform
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in jimeng-mcp 1.10.0 allows low-privileged remote attackers to read and write files outside the intended directory by supplying crafted filePath arguments to four distinct API functions: getFileContent, uploadCoverFile, generateImage, and generateVideo in src/api.ts. A publicly available proof-of-concept exploit exists, disclosed via GitHub issue #15, though EPSS at 0.04% (13th percentile) indicates minimal observed mass-exploitation activity to date. No patch has been released and the vendor has not responded to the responsible disclosure, leaving deployments without an official remediation path.

Path Traversal Jimeng Mcp
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in dazeb markdown-downloader exposes server-side file systems to low-privileged remote attackers through unsanitized input in three functions within src/index.ts. The affected functions - download_markdown, list_downloaded_files, and create_subdirectory - fail to restrict directory scope, allowing authenticated users with low privileges to read or write files outside intended boundaries. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via a GitHub issue report, and the project maintainer has not acknowledged or patched the disclosure.

Path Traversal Markdown Downloader
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in dazeb cline-mcp-memory-bank exposes host filesystems to authenticated remote attackers via unsanitized user input in the `handleInitializeMemoryBank` function of `src/index.ts`. All versions up to and including commit 55c81b9cf6c16700983c84dc4cdea3cafa19a75f are affected, covering the entire release history of this rolling-release MCP memory tool. A public proof-of-concept exploit exists via the project's GitHub issue tracker, though EPSS scoring (0.04%, 13th percentile) and SSVC's non-automatable classification suggest limited mass exploitation risk at time of analysis.

Path Traversal Cline Mcp Memory Bank
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in debugmcp mcp-debugger through version 0.20.0 enables authenticated remote attackers with low-privilege access to read arbitrary files outside the intended directory via the `handleGetSourceContext` function in `src/server.ts`. Impact is restricted to limited confidentiality exposure on the vulnerable system (CVSS VC:L) with no integrity or availability consequence, yielding a CVSS 4.0 score of 2.1. A public proof-of-concept exploit exists on GitHub, though the EPSS score remains at 0.04% (12th percentile) and the issue is absent from the CISA KEV catalog, indicating exploitation has not been observed at meaningful scale. The vendor did not respond to responsible disclosure, meaning no official patch is available.

Path Traversal Mcp Debugger
NVD VulDB GitHub
EPSS 1% CVSS 8.7
HIGH POC This Week

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
EPSS 1% CVSS 8.7
HIGH POC This Week

PCViewer vt1000 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by submitting relative path sequences in GET requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Pcviewer
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An unauthenticated attacker can send GET request with arbitrary file path and read corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. Rest of the products were fixed in version 2025-04-21.

Path Traversal Kg 5230Tas Il 3 Kg 5230Tas Il G3 +6
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Spring AI 1.1.0-1.1.x allows authenticated remote attackers to write arbitrary files outside the intended target directory by exploiting unsanitized LLM-influenced filenames in the Anthropic Skills API file-write workflow. The root cause is Spring AI passing filenames derived from LLM output directly to Path.resolve() without input sanitization, enabling directory escape via traversal sequences. No public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), though the high integrity impact (CVSS I:H) makes unauthorized file writes to restricted directories a meaningful concern in production deployments.

Path Traversal Java Spring Ai
NVD
EPSS 0% CVSS 8.5
HIGH This Week

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Microsoft Path Traversal RCE +1
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass path restrictions and modify or disrupt file operations via the read_file tool. The flaw exists in the _is_blocked_device function within tools/file_tools.py. Public exploit code is available (EPSS data not provided, but exploit confirmed). Vendor was notified but did not respond, suggesting no official patch exists at time of analysis.

Path Traversal Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server +30
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server +30
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in Follett Software's Destiny Library Manager (version 22_0_2_rc1) lets remote unauthenticated attackers read system and application files by supplying directory-traversal sequences in the 'image' parameter. Publicly available exploit code exists (a Medium write-up documenting the unauthenticated LFI), and CISA's SSVC framework classifies exploitation as proof-of-concept and automatable, though EPSS remains modest at 0.46% (64th percentile). The flaw is fixed in v.22.5 AU1.

Path Traversal N A
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Directory traversal in Easy Chat Server 3.1 enables remote unauthenticated attackers to read arbitrary files and potentially execute arbitrary code by supplying path traversal sequences in the UserName parameter. The CVSS vector (PR:N/AV:N/AC:L) confirms exploitation requires no authentication and low complexity, and a public proof-of-concept repository is available on GitHub (NullByte8080/CVE-2026-36227). Despite the RCE tag and unauthenticated network vector, EPSS sits at just 0.14% (33rd percentile) and SSVC reports no active exploitation, suggesting this is not yet being leveraged at scale.

Path Traversal RCE N A
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); no public exploit identified in CISA KEV at time of analysis.

Path Traversal Python RCE
NVD GitHub VulDB
Prev Page 7 of 86 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy