Path Traversal
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.
How It Works
Attackers inject special sequences like ../ (dot-dot-slash) to escape the intended directory and navigate to arbitrary locations in the file system. Each ../ sequence moves up one directory level, allowing an attacker to break out of a restricted folder and access sensitive files elsewhere on the server.
Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding becomes %252e%252e%252f (encoding the percent sign itself). Other evasion methods include nested sequences like ....// (which become ../ after filter removal), null byte injection (%00 to truncate path validation), and OS-specific path separators (backslashes on Windows). Absolute paths like /etc/passwd may also work if the application doesn't enforce relative path constraints.
The typical attack flow begins with identifying input parameters that reference files, such as file=, path=, template=, or page=. The attacker then tests various traversal payloads to determine whether path validation exists and what depth is needed to reach system files. Success means reading configuration files, credentials, or source code, or even writing malicious files if the application allows file uploads or modifications.
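As an added example (not code from the original page), the following Python decodes a file parameter through the evasion layers described above so that a detector or log reviewer sees the intended path rather than its encoded disguise, then runs that check over a few constructed access-log lines. The parameter names, the log format and the sample lines are assumptions made for the demonstration.

```python
"""Decoding a file parameter through the evasion layers above so a detector
sees the intended path.  Added example (not from the original page); the
parameter names, log format and sample lines are constructed assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_PASSES = 3           # %252e -> %2e -> . needs two passes; bound the loop
FILE_PARAMS = {"file", "path", "template", "page"}         # assumed file-referencing params
TARGET_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')  # request target in a CLF line


def normalize_param(value: str) -> str:
    """Undo layered URL encoding, Windows separators and NUL truncation."""
    decoded = value
    for _ in range(MAX_DECODE_PASSES):
        again = unquote(decoded)          # one encoding layer per pass
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")  # ..\ behaves like ../ on Windows
    nul = decoded.find("\x00")
    if nul != -1:
        decoded = decoded[:nul]           # what a C-string file API would actually open
    return decoded


def traversal_indicators(value: str) -> list:
    """Reasons a raw parameter value looks like traversal; an empty list means clean."""
    norm = normalize_param(value)
    once = unquote(value)
    reasons = []
    if "../" in norm or norm == ".." or norm.endswith("/.."):
        reasons.append("dot-dot-slash")       # also catches ....// (it contains ../)
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        reasons.append("absolute-path")
    if "\x00" in once:
        reasons.append("null-byte")
    if unquote(once) != once:
        reasons.append("double-encoding")
    if "\\" in once:
        reasons.append("backslash-separator")
    return reasons


def raw_query_params(target: str) -> dict:
    """Query values still in their on-the-wire encoding (parse_qs would decode them)."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params[key] = val
    return params


def scan_access_log(lines) -> list:
    """(line number, parameter, reasons) for each request whose file parameter looks suspicious."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = TARGET_RE.search(line)
        if not m:
            continue
        for key, val in raw_query_params(m.group(1)).items():
            if key.lower() in FILE_PARAMS:
                reasons = traversal_indicators(val)
                if reasons:
                    hits.append((no, key, reasons))
    return hits


# Constructed sample log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:12:00:00 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2026:12:00:03 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [10/Mar/2026:12:00:07 +0000] "GET /view?page=%252e%252e%252fconfig.php HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Mar/2026:12:00:11 +0000] "GET /render?template=....//....//etc/passwd HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Restricting the scan to a fixed set of parameter names is a design choice that keeps false positives down; a stricter deployment can run traversal_indicators over every query value and over decoded POST bodies as well. Note that the decoded value, not the raw one, is what must be compared against allowed paths: a filter that looks for ../ in the raw string misses both %2e%2e%2f and the double-encoded form.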
Impact
- Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
- Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
- System file access: Retrieving /etc/passwd, /etc/shadow, or Windows SAM files for credential cracking
- Configuration tampering: If write access exists, attackers modify settings or inject malicious code
- Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise
Real-World Examples
ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.
Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.
File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.
Mitigation
- Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
- Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
- Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
- Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
- Strip dangerous sequences: Remove ../, ..\, and encoded variants, though this alone is insufficient
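The following Python, added here as an example and not code from the original page, puts the canonicalize-and-validate and indirect-reference items above into working form and shows why the last item on its own fails: a single stripping pass turns ....// into ../, and a plain string-prefix comparison accepts a sibling directory whose name merely starts with the base directory's name (the same mistake that recurs in several entries of the CVE list below). The function names and the constructed directory layout are assumptions for the demonstration.

```python
"""Resolving a user-supplied file name against a base directory.
Added example, not code from the original page; serve_path, the helper names
and the constructed directory layout are assumptions for the demonstration.
"""
import os
import tempfile


def strip_sequences(user_path: str) -> str:
    """The 'strip dangerous sequences' idea on its own: one removal pass."""
    for seq in ("../", "..\\"):
        user_path = user_path.replace(seq, "")
    return user_path


def prefix_check(base: str, user_path: str) -> bool:
    """A common but wrong boundary check: character-wise string prefix."""
    target = os.path.realpath(os.path.join(base, user_path))
    return target.startswith(os.path.realpath(base))


def is_within(base: str, target: str) -> bool:
    """Correct boundary check: canonicalize both sides, then compare path components."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def serve_path(base: str, user_path: str):
    """Canonical path to serve, or None when the request leaves `base`."""
    if "\x00" in user_path:
        return None  # embedded NUL: a C-level open() would truncate, so refuse outright
    candidate = os.path.join(base, user_path)  # an absolute user_path discards base here
    if not is_within(base, candidate):        # realpath resolves .., symlinks, // and ./
        return None
    return os.path.realpath(candidate)


ALLOWED_FILES = {"1": "index.html", "2": "about.html"}  # constructed allowlist


def serve_by_id(base: str, file_id: str):
    """Indirect reference: the client supplies only a key, never a path."""
    name = ALLOWED_FILES.get(file_id)
    return serve_path(base, name) if name else None


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/public/{index.html,about.html,subdir/},
    <tmp>/public_private/secret.txt, <tmp>/secret.txt and, where symlinks are
    supported, <tmp>/public/link -> <tmp>/secret.txt.  Returns <tmp>/public."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(root, "public")
    os.makedirs(os.path.join(base, "subdir"))
    os.makedirs(os.path.join(root, "public_private"))
    for rel in ("public/index.html", "public/about.html",
                "public_private/secret.txt", "secret.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(rel + "\n")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
    except OSError:
        pass  # symlinks unavailable (e.g. unprivileged Windows): skip that case
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    for req in ("index.html", "../secret.txt", "../public_private/secret.txt",
                "/etc/passwd", "link", strip_sequences("....//secret.txt")):
        print(f"{req!r:40} prefix_check={prefix_check(base, req)!s:5} serve_path={serve_path(base, req)}")
```

The order matters: join first, canonicalize, and only then compare, so that every ../, symlink and encoded separator has already been resolved when the check runs. A check that looks for .. after normalization has collapsed it, or a check that compares strings instead of path components, passes requests it should refuse. The symlink case in the demo tree shows why realpath rather than normpath is used: a link inside the base directory that points outside it is only visible once the link is followed.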
Recent CVEs (1798)
Path traversal in Gleam compiler versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 allows arbitrary file system modification when resolving git dependencies, enabling attackers to delete and overwrite directories outside the intended dependency folder via malicious dependency names containing relative or absolute paths. A user must invoke dependency download (e.g., gleam deps download) for exploitation; attackers can leverage this to cause data loss or achieve code execution by overwriting git hooks or shell configuration files. Vendor-released patches are available.
Authenticated remote attackers can traverse the file system through the OpenClaw canvas gateway endpoint to disclose sensitive information due to insufficient path validation. The vulnerability affects OpenClaw across unspecified versions and requires valid user credentials; attackers operating with low-privilege accounts can read arbitrary files in the service account context. No public exploit code or active exploitation has been identified at the time of analysis.
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.
Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.
Path traversal in Chamilo LMS main/exercise/savescores.php enables authenticated attackers to delete arbitrary files on the server. Vulnerable versions prior to 1.11.38 fail to sanitize the 'test' parameter from $_REQUEST, allowing directory traversal sequences to escape intended paths and target critical system or application files. Attackers with low-level authenticated access can exploit this remotely without user interaction, resulting in high integrity and availability impact through targeted file deletion.
Unauthenticated path traversal in Saltcorn no-code application builder enables remote attackers to write arbitrary JSON files and create directories anywhere on the server filesystem via /sync/offline_changes endpoint, and read JSON files plus list directory contents via /sync/upload_finished endpoint. Affects Saltcorn versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4. No public exploit identified at time of analysis. Exploitation requires no authentication (CVSS PR:N), permitting arbitrary file write with high integrity impact and limited confidentiality exposure.
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite through malicious .praison archive bundles. The cmd_unpack function in recipe CLI performs unvalidated tar extraction, allowing attackers to embed ../ path sequences that escape the intended extraction directory. Unauthenticated attackers can distribute weaponized bundles that, when unpacked by victims via 'praisonai recipe unpack' command, overwrite critical system files with attacker-controlled content. No public exploit identified at time of analysis.
Unauthenticated remote attackers can exploit a path traversal vulnerability in rembg's HTTP server (versions prior to 2.0.75) by sending a crafted request with a malicious model_path parameter to read arbitrary files from the server filesystem. The vulnerability allows attackers to enumerate file existence and permissions, and potentially extract file contents through verbose error messages when the server attempts to load arbitrary paths as ONNX models. This is a confirmed vulnerability with a vendor-released patch available in version 2.0.75.
Path traversal in OpenClaw before 2026.3.24 allows authenticated sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameters. Incomplete validation in normalizeSandboxMediaParams and missing mediaLocalRoots context enables attackers to bypass sandbox boundaries and access sensitive data including API keys and configuration files outside designated roots. This cross-agent data leakage vulnerability requires low-privilege authentication but no user interaction. No public exploit identified at time of analysis.
Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).
Path traversal in Tenda i6 router firmware 1.0.0.7(2204) allows unauthenticated remote attackers to read, write, or delete arbitrary files via malicious HTTP requests to the R7WebsSecurityHandler function component. CVSS 7.3 (High) reflects network-accessible exploitation without authentication. Publicly available exploit code exists, documented in a GitHub repository demonstrating attack vectors. Affects Tenda i6 wireless router deployments running the vulnerable firmware version.
Path traversal in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows unauthenticated remote attackers to read arbitrary files via the filename parameter in the API Memory Content Endpoint (agent/memory/service.py). The vulnerability has a publicly available exploit, carries a moderate CVSS score of 5.3 reflecting limited confidentiality impact, and has been patched by the vendor in version 2.0.5 with patch commit 174ee0cafc9e8e9d97a23c305418251485b8aa89.
Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.
PraisonAIAgents versions prior to 1.5.128 allow unauthenticated remote attackers to enumerate arbitrary files on the filesystem by exploiting unvalidated glob patterns in the list_files() tool. An attacker can use relative path traversal sequences (../) within the glob pattern parameter to bypass workspace directory boundary checks, revealing file metadata including existence, names, sizes, and timestamps for any path accessible to the application process. This information disclosure vulnerability has a CVSS score of 5.3 (low/medium impact) and no public exploit code has been identified.
Disk exhaustion in PraisonAI prior to 4.5.128 allows remote attackers to consume arbitrary disk space by publishing malicious recipe bundles containing highly compressible data that expand dramatically during extraction. The vulnerability exists in the _safe_extractall() function, which validates only path traversal attacks but lacks checks on individual member sizes, cumulative extracted size, or member count before tar extraction, enabling an unauthenticated attacker to trigger denial of service via LocalRegistry.pull() or HttpRegistry.pull() with minimal user interaction.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.
Remote path traversal in Tenda CH22 1.0.0.6(468) httpd component allows unauthenticated attackers to access arbitrary files via the R7WebsSecurityHandler function, with publicly available exploit code and a CVSS score of 6.9 indicating moderate real-world risk despite the low scope of impact (information disclosure only).
Path traversal in Helm 4.0.0 through 4.1.3 allows malicious plugin installation to write arbitrary files to any filesystem location. When users install or update a specially crafted Helm plugin containing directory traversal sequences (/../) in the version field of plugin.yaml, the package manager writes plugin contents outside intended directories. Exploitation requires user interaction to install or update the malicious plugin. No public exploit identified at time of analysis. Impacts Kubernetes environments using Helm for package management, enabling potential system compromise through arbitrary file write.
Path traversal in Tenda i12 router firmware 1.0.0.11(3862) allows unauthenticated remote attackers to read, modify, or delete arbitrary files via malicious HTTP requests to an unidentified handler component. The vulnerability enables unauthorized access to the filesystem with low integrity and confidentiality impact. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed devices.
Path traversal vulnerability in Tenda i3 router firmware version 1.0.0.6(2204) allows unauthenticated remote attackers to access arbitrary files via manipulation of the R7WebsSecurityHandler HTTP handler component. The vulnerability has a CVSS score of 6.9 (low confidentiality and integrity impact), publicly available exploit code exists, and exploitation requires only network access with no user interaction.
Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticated remote attackers to download arbitrary files outside intended directories via malicious requests to static file router endpoints (/static, /css, /js). Vulnerability permits high-impact information disclosure including sensitive research data, configuration files, and potentially database credentials. No public exploit identified at time of analysis. Affects self-hosted LORIS installations across academic and clinical neuroimaging research environments.
Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.
Path traversal in liquidjs 10.25.0 allows local file disclosure when renderFile() or parseFile() receives absolute paths or traversal sequences, despite the root parameter being documented as a sandbox boundary. An attacker controlling template filenames passed to these APIs can read arbitrary files accessible to the Node.js process, such as /etc/hosts or sensitive configuration files. The vulnerability affects liquidjs versions prior to 10.25.5; a vendor-released patch is available. No public exploit code or active exploitation has been identified at the time of analysis.
Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Windows deployments are exclusively affected; potential remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.
Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.
Path traversal in Hono's toSSG() function allows attackers to write files outside the configured output directory during static site generation by injecting traversal sequences into ssgParams dynamic route values. The vulnerability is limited to build-time operations and does not affect runtime request handling. A vendor-released patch is available in Hono v4.12.12.
Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. Vendor-released patch available in version 4.12.12.
Path normalization inconsistency in Hono's node-server serveStatic middleware allows unauthenticated attackers to bypass route-based authorization middleware by using repeated slashes (e.g., //admin/secret.txt) to access protected static files, exposing sensitive information with low confidentiality impact (CVSS 5.3).
Path traversal in Emmett Python web framework versions 2.5.0 through 2.8.0 allows unauthenticated remote attackers to read arbitrary files from the server filesystem via malicious requests to the RSGI static handler endpoint. Attackers can bypass directory restrictions by inserting ../ sequences in /__emmett__ asset paths (e.g., /__emmett__/../rsgi/handlers.py) to access sensitive files including source code, configuration files, and credentials. With CVSS 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe confidentiality and availability risks. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.
Arbitrary file write in LibreChat prior to 0.8.4 allows authenticated users to overwrite arbitrary server files via path traversal in code artifact filenames. The vulnerability affects LibreChat deployments using the default local file storage strategy, where the execute_code sandbox returns a user-controllable filename that is concatenated directly into the file write path without sanitization. An authenticated attacker can craft malicious artifact names containing traversal sequences (e.g., ../../../../../app/client/dist/poc.txt) to write files outside the intended directory, potentially compromising application integrity or enabling remote code execution through client-side file injection.
Path traversal in WWBN AVideo platform ≤26.0 allows authenticated uploaders to read arbitrary server files via GIF poster manipulation. An attacker with uploader privileges can exploit aVideoEncoderReceiveImage.json.php to bypass path sanitization, fetch local files like /etc/passwd or application source code, and republish the contents through publicly accessible GIF media URLs. CVSS 7.6 reflects high confidentiality impact with low-complexity network attack requiring only low-privilege authentication. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.
NVIDIA Triton Inference Server prior to r26.02 allows unauthenticated remote attackers to trigger information disclosure and denial of service through malicious model configuration uploads, exploiting a path traversal vulnerability (CWE-22) that enables access to sensitive files outside intended directories. The CVSS 4.8 score reflects moderate risk with high attack complexity, though real-world exploitation likelihood depends on network accessibility to model upload endpoints.
Remote code execution in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload malicious files via path traversal in the backup restore functionality, overwriting Apache .htaccess files to execute arbitrary code. The vulnerability exploits unsanitized user input in RestoreJob.php, enabling attackers with high-privilege access to bypass intended upload restrictions. No public exploit identified at time of analysis, though CVSS 9.1 reflects the critical impact of complete system compromise through changed security scope.
Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.
File Browser versions prior to 2.63.1 contain a path traversal vulnerability in the Matches() function that fails to enforce directory boundaries when evaluating access control rules. An attacker can bypass intended access restrictions by exploiting the use of strings.HasPrefix() without trailing directory separators, allowing a rule intended to restrict access to /uploads to inadvertently grant or deny access to similarly-named directories such as /uploads_backup/. This affects all File Browser versions before 2.63.1 and requires network access but no authentication or user interaction; no public exploit code or active exploitation has been confirmed at time of analysis.
Path traversal in pyLoad's tar extraction allows writing files outside the intended directory via specially crafted archives. The vulnerability stems from incomplete remediation of a prior path traversal fix (CVE-2026-32808), where the _safe_extractall() function continues to use the insecure os.path.commonprefix() instead of the correct os.path.commonpath(). Unauthenticated remote attackers can exploit this via a malicious tar file when a user extracts it, achieving arbitrary file write on the system. The vulnerability affects pyLoad versions prior to 0.5.0b3.dev97 and is fixed in that release.
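Several entries above (the gramps-web-api, Quarkus OpenAPI Generator and PraisonAI archive cases, the PraisonAI disk-exhaustion entry, and the pyLoad commonprefix entry) describe the same pattern: an archive is extracted without checking each member's path or size. The following Python is an added example, not code from any of those projects, of an extraction routine that validates every member before writing anything; the size budgets and the constructed archives are assumptions for the demonstration.

```python
"""Safe extraction of a tar archive: member paths, link members and size
budgets are all checked before anything is written.  Added example, not code
from any project named in the list above; the limits and the constructed
archives are assumptions for the demonstration.
"""
import io
import os
import tarfile
import tempfile

# Constructed budgets; tune to the expected workload.
DEFAULT_LIMITS = {
    "max_members": 1000,
    "max_member_bytes": 10 * 1024 * 1024,
    "max_total_bytes": 50 * 1024 * 1024,
}


class UnsafeArchive(Exception):
    """Raised during the pre-scan when a member would violate policy."""


def member_is_within(dest: str, name: str) -> bool:
    """Component-wise containment check: os.path.commonpath, not commonprefix.
    commonprefix compares characters, so 'out_evil' would pass for base 'out'."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))  # absolute name discards dest
    return os.path.commonpath([dest, target]) == dest


def check_members(members, dest: str, limits: dict) -> None:
    """Fail closed on the first member that escapes, links, or blows the budget."""
    if len(members) > limits["max_members"]:
        raise UnsafeArchive(f"too many members: {len(members)}")
    total = 0
    for m in members:
        if not member_is_within(dest, m.name):
            raise UnsafeArchive(f"escapes destination: {m.name}")
        if m.issym() or m.islnk():
            raise UnsafeArchive(f"link member not allowed: {m.name}")
        if not (m.isfile() or m.isdir()):
            raise UnsafeArchive(f"unsupported member type: {m.name}")
        if m.size > limits["max_member_bytes"]:
            raise UnsafeArchive(f"member too large: {m.name}")
        total += m.size  # declared size; a decompression bomb declares it honestly here
        if total > limits["max_total_bytes"]:
            raise UnsafeArchive("total size budget exceeded")


def safe_extractall(tar_bytes: bytes, dest: str, limits: dict = DEFAULT_LIMITS) -> list:
    """Extract into dest and return member names; nothing is written if any member fails."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        check_members(members, dest, limits)
        # Python 3.12+ (and backports) also offer the stdlib 'data' filter; use it when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tar.extract(m, path=dest, **kwargs)
    return [m.name for m in members]


def try_extract(tar_bytes: bytes, dest: str, limits: dict = DEFAULT_LIMITS):
    """(True, names) on success, (False, reason) when the archive is rejected."""
    try:
        return True, safe_extractall(tar_bytes, dest, limits)
    except UnsafeArchive as exc:
        return False, str(exc)


def build_tar(files: dict, symlinks=None) -> bytes:
    """Constructed test archive; names are stored exactly as given (even ../ or /)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def fresh_dest() -> str:
    return tempfile.mkdtemp(prefix="extract-demo-")


def has_file(dest: str, rel: str) -> bool:
    return os.path.isfile(os.path.join(dest, *rel.split("/")))


if __name__ == "__main__":
    print(try_extract(build_tar({"bundle/config.yaml": b"name: demo\n"}), fresh_dest()))
    print(try_extract(build_tar({"../../escape.txt": b"x"}), fresh_dest()))
    print(try_extract(build_tar({}, {"bundle/link": "../../etc/passwd"}), fresh_dest()))
```

Links are refused outright rather than validated, because a symlink written by an earlier member changes what later members' paths resolve to; pre-scanning all members and then extracting avoids that ordering problem only if no member can create a link. The stdlib data filter rejects escaping names and unsafe links but enforces no size or count budget, which is why those checks remain explicit here. Zip archives need the same treatment: zipfile.ZipFile.extractall() strips absolute and .. components, but it does not bound the decompressed size.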
Emissary versions prior to 8.39.0 allow unauthenticated remote attackers to read arbitrary configuration files through path traversal via the /api/configuration/{name} endpoint. The vulnerability stems from incomplete blacklist validation of configuration names that can be bypassed using URL-encoded variants, double-encoding, or Unicode normalization attacks. No public exploit code or active exploitation has been confirmed.
Relative path traversal in Nokia MantaRay NM Software Manager allows authenticated local network attackers to read sensitive files on the affected system. The vulnerability stems from improper validation of input parameters in the file system handling code, enabling an attacker with local network access and low privileges to enumerate and access files outside the intended directory structure without modifying or disrupting them. No public exploit code or active exploitation has been confirmed at the time of analysis.
Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary .txt files from the server filesystem via the load_prompt() function, with file contents returned directly in API responses. The vulnerability requires no authentication, user interaction, or special conditions, resulting in confidentiality impact with a CVSS score of 5.3. A vendor-released patch is available in version 4.3.
Remote unauthenticated file disclosure in oobabooga text-generation-webui versions prior to 4.3 allows arbitrary file reading through path traversal in load_grammar() function. Attackers can retrieve any file from the server filesystem without authentication by exploiting insufficient validation of Gradio dropdown values, submitting directory traversal sequences via API requests. EPSS data not available; no public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L) requiring only network access.
Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary YAML files from the server filesystem via the load_preset() function, exposing sensitive credentials such as passwords, API keys, and connection strings in API responses. The vulnerability requires only network access with no authentication, user interaction, or special configuration, making it a practical attack vector despite the moderate CVSS score of 5.3.
Unauthenticated path traversal in text-generation-webui prior to version 4.3 enables remote attackers to read arbitrary files with .jinja, .jinja2, .yaml, or .yml extensions from the server filesystem. The vulnerability resides in the load_template() function and allows disclosure of configuration files, templates, and other sensitive data without authentication. EPSS score of 5.3 reflects low to moderate real-world exploitation risk despite network accessibility, as successful exploitation requires knowledge of file paths and extension constraints.
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. Fixed in version 1.12.1. No public exploit identified at time of analysis, though technical details are disclosed via Huntr bounty platform.
Authorization bypass in Erlang OTP's inets HTTP server allows unauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch where mod_auth validates access against DocumentRoot-relative paths while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. With CVSS 8.3 (AV:N/AC:L/PR:N), the attack requires no authentication and low complexity but depends on specific ScriptAlias configurations (AT:P). SSVC assessment confirms the vulnerability is automatable with partial technical impact. No public exploit identified at time of analysis, and SSVC indicates exploitation status 'none'. Vendor-released patches available for affected OTP versions 17.0 through 28.4.1.
Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in Stomp consumer creation and Web console message browsing operations, potentially enabling information disclosure or chaining with secondary attacks for greater impact. Affects ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0–6.2.1; patch available in 5.19.4 and 6.2.3 (5.19.3/6.2.2 have platform-specific limitations). EPSS score of 0.04% indicates low real-world exploitation probability despite authenticated attack vector requirement.
Path traversal in PraisonAI's praisonai-agents package allows unauthenticated remote attackers to read or write arbitrary files on affected systems. The vulnerability stems from a critical logic flaw where path validation checks for '..' sequences after normalization has already collapsed them, rendering the security check completely ineffective. Attackers can trivially bypass protections using standard path traversal sequences (e.g., '/tmp/../etc/passwd') to access sensitive files including system credentials, SSH keys, or write malicious content. Publicly available exploit code exists demonstrating trivial exploitation. While no CVSS score is officially assigned, the vendor assessment indicates CVSS 4.0 score of 9.2 (Critical), and this represents a high-priority remediation given the ease of exploitation and severe impact.
Path traversal in PraisonAI recipe registry (<=4.5.112) allows authenticated publishers to write arbitrary files outside the registry root via malicious bundle manifests. The publish endpoint (`POST /v1/recipes/{name}/{version}`) extracts and writes uploaded recipe bundles using attacker-controlled `name` and `version` fields from the bundle's internal `manifest.json` before validating them against the HTTP route parameters. By embedding directory traversal sequences (e.g., `../../outside-dir`) in the manifest, an attacker can create files in arbitrary filesystem locations on the registry host, even though the request ultimately returns HTTP 400. This represents an authenticated arbitrary file write vulnerability (CVSS 7.1, AV:N/AC:L/PR:L) affecting any deployment exposing the recipe registry publish flow. EPSS data not available; no confirmed active exploitation or public exploit code identified beyond researcher PoC at time of analysis.
Arbitrary file write through path traversal in PraisonAI recipe registry allows authenticated publishers to escape extraction directories when victims pull malicious recipes. Attackers craft .praison tar archives with ../ traversal entries that bypass extraction boundaries, enabling file overwrites outside intended directories (CVSS 7.3, AV:N/AC:L/PR:L/UI:R). Both LocalRegistry and HttpRegistry pull operations use unsafe tar.extractall() without member path validation. No public exploit identified at time of analysis, though a proof-of-concept demonstrates reliable exploitation via recipe bundle uploads. EPSS data not available, but the attack vector requires minimal complexity: an authenticated publisher uploads a malicious bundle, and the victim triggers the file write by pulling the recipe.
Path traversal in PraisonAI Action Orchestrator (v<4.5.113) allows arbitrary file write via directory traversal sequences in action target paths. Attackers can exploit this through malicious ActionStep payloads containing '../' sequences to overwrite critical system files (SSH keys, shell profiles) or plant executables, achieving local privilege escalation or remote code execution. CVSS 9.0 (Critical). Vendor-released patch available in v4.5.113. No public exploit identified at time of analysis, though detailed proof-of-concept demonstrates trivial exploitation via crafted ActionStep objects targeting paths like '../../../tmp/pwned.txt'.
Vim 9.2.0279 and earlier contains a path traversal bypass in the zip.vim plugin that allows local attackers with user interaction to overwrite arbitrary files when opening specially crafted zip archives. This vulnerability circumvents a prior fix for CVE-2025-53906, affecting users who process untrusted ZIP files. The vulnerability requires local access and user interaction to trigger, with a CVSS score of 4.1 indicating low to moderate severity; no public exploit code or active exploitation has been identified at the time of analysis.
Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.
Arbitrary Python file overwrite in text-generation-webui versions prior to 4.1.1 enables authenticated high-privilege users to achieve remote code execution by overwriting critical application files like download-model.py through malicious extension settings saved in .py format, then triggering execution via the Model download interface. No public exploit identified at time of analysis; EPSS data not available for this recent CVE, though the exploitation methodology is straightforward for authenticated attackers.
Path traversal in Vite dev server versions 6.x through 7.3.1 allows unauthenticated remote attackers to bypass filesystem restrictions and retrieve sensitive `.map` files outside the project root by injecting path traversal sequences into optimized dependency URLs. The vulnerability requires explicit network exposure of the dev server and predictable file paths, but publicly available proof-of-concept code demonstrates the attack. Affected Vite instances should upgrade to v6.4.2, v7.3.2, or v8.0.5.
Path traversal in kedro-datasets PartitionedDataset allows authenticated attackers to write files outside the configured dataset directory by injecting .. components into partition IDs, potentially overwriting arbitrary files on affected systems. The vulnerability affects all versions prior to 9.3.0 across all storage backends (local filesystem, S3, GCS, etc.). A vendor-released patch is available; no public exploit code or active exploitation has been identified at the time of analysis.
Path traversal in HerikLyma CPPWebFramework up to version 3.1 allows remote attackers to read arbitrary files on the server with low confidentiality impact. The vulnerability requires no authentication and can be exploited over the network with low complexity; publicly available exploit code exists. The vendor has been notified via GitHub issue but has not yet responded or released a patch.
Remote path traversal in griptape-ai griptape 0.19.4 ComputerTool allows authenticated attackers to manipulate the filename argument in griptape/tools/computer/tool.py, enabling unauthorized file access with read, write, and limited availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notifications.
Path traversal in griptape-ai griptape 0.19.4 FileManagerTool allows authenticated remote attackers to read, write, and delete arbitrary files on the server via specially crafted paths in load_files_from_disk, list_files_from_disk, save_content_to_file, and save_memory_artifacts_to_disk functions. Publicly available exploit code exists, CVSS 6.3 (medium), and the vendor has not responded to early disclosure notification.
Path traversal in FedML-AI FedML up to version 0.8.9 allows authenticated remote attackers to read arbitrary files via manipulation of the dataSet argument in the MQTT Message Handler (FileUtils.java component). The vulnerability has a CVSS score of 4.3 and publicly available exploit code exists; however, it requires low-privilege authentication and provides only information disclosure without modification or availability impact. The vendor did not respond to early disclosure efforts.
Arbitrary file deletion in wpForo Forum WordPress plugin versions ≤2.4.16 allows authenticated attackers with subscriber-level privileges to delete any file on the server by embedding path traversal sequences in forum post content and subsequently deleting the post. CVSS 8.8 (High) with network-based attack vector requiring low-complexity exploitation. No public exploit identified at time of analysis, though EPSS data unavailable. Patched in version 2.4.17 per WordPress plugin repository changeset.
Path traversal in Coder code-marketplace ≤ v2.4.1 allows authenticated users to write arbitrary files outside the extension directory during VSIX extraction. The ExtractZip function passes unsanitized zip entry names containing '..' sequences to filepath.Join, which resolves parent directory references without confining output to the intended base path. Attackers can inject malicious cron jobs, SSH keys, or overwrite binaries depending on process privileges. Fixed in v2.4.2. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists.
Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.
Unauthenticated arbitrary file deletion in goshs HTTP file server allows remote attackers to delete any file or directory on the host system via path traversal. A missing return statement after input validation enables attackers to bypass the '..' check by double-encoding traversal sequences (e.g., %252e%252e), sending requests to '/<traversal>/<target-path>?delete' to trigger os.RemoveAll on arbitrary filesystem paths. The vulnerability affects the default configuration with no authentication or special flags required. Public exploit code exists with a working proof-of-concept shell script demonstrating the attack. CVSS 9.8 (Critical) reflects network accessibility, no authentication requirement, and complete impact to integrity and availability. Vendor-released patch available via GitHub commit 237f3af.
Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server filesystem and copy them into the uploads directory via a crafted export tarball containing specially crafted paths in uploads/records.json. Zulip versions 1.4.0 through 11.5 are affected; the vulnerability requires local access and user interaction (import initiation) but can expose sensitive server data readable by the Zulip application user. No active exploitation has been confirmed; a vendor-released patch is available in version 11.6.
Path traversal in OpenPrinting CUPS RSS notifier (versions 2.4.16 and prior) allows unauthenticated remote IPP clients to write arbitrary files outside the intended CacheDir/rss directory via a crafted notify-recipient-uri parameter. By exploiting default group-writable permissions on CacheDir, attackers can overwrite critical state files such as job.cache, causing the CUPS scheduler to fail parsing job queues and resulting in loss of previously queued print jobs. No public exploit code or vendor patch is currently available, though the vulnerability is demonstrated with proof-of-concept exploitation.
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes to the filesystem through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file can enable attackers to overwrite critical system or application files, potentially leading to code execution or application compromise without requiring user interaction beyond opening the malicious export.
Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.
Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. CVSS 8.1 reflects network-accessible attack requiring only low-privilege authentication with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of input validation.
Unauthenticated arbitrary file write in goshs (Go Simple HTTP Server) allows remote attackers to overwrite any file on the host filesystem via path traversal in multipart upload endpoints. The vulnerability exists in the default configuration with no authentication required. The upload handler fails to sanitize the directory component of the request path, enabling attackers to escape the webroot using URL-encoded traversal sequences (e.g., /../../target/upload) while the server validates only that paths end with '/upload'. Functional proof-of-concept exploit code is publicly available. EPSS data not available, not listed in CISA KEV.
Arbitrary file write in goshs HTTP server allows unauthenticated remote attackers to overwrite any file on the target system via path traversal in PUT requests. The PUT upload handler in goshs (a Go-based simple HTTP server) performs no path sanitization on user-supplied URL paths, enabling direct filesystem access outside the intended webroot through URL-encoded directory traversal sequences (%2e%2e/). CVSS 9.8 reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit identified at time of analysis beyond the proof-of-concept in the security advisory. EPSS data not available, but the trivial exploit complexity (single curl command with --path-as-is flag) and default-vulnerable configuration present significant risk to exposed instances.
Path traversal in Kedro's versioned dataset loader allows authenticated remote attackers to read arbitrary files outside intended data directories. Kedro versions before 1.3.0 fail to sanitize user-supplied version strings in catalog.load(), DataCatalog.from_config(), and CLI operations, enabling traversal sequences (../) to escape versioned dataset boundaries. Attackers with API or CLI access can exfiltrate sensitive files, poison training data, or access other tenants' data in multi-tenant ML pipelines. EPSS probability indicates moderate exploitation likelihood (specific score not provided), and publicly available exploit code exists via the referenced GitHub pull request demonstrating the vulnerability mechanics. Vendor-released patch available in Kedro 1.3.0.
Biztalk360 through version 11.5 contains a directory traversal vulnerability allowing Super User attackers to read arbitrary files on the system and coerce authentication from the service through mishandled user input in file path parameters. The vulnerability enables local file access and potential credential extraction by authenticated administrators with Super User privileges.
Directory traversal in BizTalk360 before version 11.5 allows authenticated attackers to write files outside the intended upload directory and potentially coerce authentication from the service through mishandling of user input in an upload mechanism. The vulnerability requires valid authentication credentials but enables arbitrary file write capabilities that could lead to remote code execution or service compromise.
Arbitrary file write in Fireshare <1.5.3 allows unauthenticated remote attackers to upload malicious files to any writable server path via path traversal in the /api/uploadChunked/public endpoint's checkSum parameter. This represents an incomplete fix for CVE-2026-33645, where remediation was applied only to the authenticated endpoint while leaving the public variant exploitable. SSVC confirms publicly available exploit code exists and the vulnerability is automatable with partial technical impact. CVSS 9.1 (Critical) reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, enabling both integrity and availability compromise.
Path traversal in Textpattern XML-RPC handler allows authenticated remote attackers to write arbitrary files via the file.name parameter in the mt_uploadImage function, enabling potential code execution or sensitive file overwrite. Affects Textpattern up to version 4.9.1; publicly available exploit code exists, and the vendor has confirmed the issue with a fix pending in an upcoming release.
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through the /cgi-bin/backup.cgi remove ARCHIVE parameter. Attackers with low-privileged network access can leverage unsanitized path construction passed to unlink() to achieve high-integrity impact by removing critical system files. EPSS data not available; no public exploit identified at time of analysis, though the technical details disclosed by VulnCheck increase weaponization risk for authenticated threat actors.
Path traversal in OpenCart 4.1.0.3 Extension Installer Page allows high-privileged remote attackers to manipulate the installer.php file and traverse the filesystem, potentially accessing or modifying sensitive files outside the intended directory. The vulnerability has publicly available exploit code and affects the extension installation mechanism; vendor has not responded to early disclosure attempts, leaving installations unpatched.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profiles, or web server directories. Vendor-released patch available via commit 160ebad6bd50f153453e120f6d909f5b83322917. CVSS 8.1 (High) reflects network attack vector with low complexity requiring user interaction. No public exploit identified at time of analysis beyond the proof-of-concept in the GitHub advisory, and not listed in CISA KEV.
Copier's `_external_data` feature allows malicious templates to read arbitrary files outside the destination directory via path traversal (e.g., `../secret.yml`) or absolute paths (e.g., `/tmp/secret.yml`), exposing YAML-parsed contents in rendered output without requiring the `--UNSAFE` flag. This affects all versions of the Copier package and poses a risk when running untrusted templates, as attackers can disclose sensitive files accessible to the user running Copier.
Path traversal and CSRF vulnerability in phpMyFAQ's MediaBrowserController enables remote deletion of critical server files. Authenticated admin accounts can be exploited via CSRF to delete arbitrary files including database configurations, .htaccess files, and application code. GitHub advisory confirms the vulnerability with POC demonstration. Attack requires low-privilege authentication (PR:L) but succeeds with minimal user interaction (UI:R), achieving high integrity and availability impact with scope change (S:C). No public exploit identified at time of analysis beyond the disclosed POC, and patch availability not confirmed from available data.
Quick Facts
- Typical Severity: HIGH
- Category: web
- Total CVEs: 1798