Path Traversal
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.
How It Works
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation. Attackers inject special sequences like ../ (dot-dot-slash) to escape the intended directory and navigate to arbitrary locations in the file system. Each ../ sequence moves up one directory level, allowing an attacker to break out of a restricted folder and access sensitive files elsewhere on the server.
Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding becomes %252e%252e%252f (encoding the percent sign itself). Other evasion methods include nested sequences like ....// (which become ../ after filter removal), null byte injection (%00 to truncate path validation), and OS-specific path separators (backslashes on Windows). Absolute paths like /etc/passwd may also work if the application doesn't enforce relative path constraints.
The typical attack flow begins with identifying input parameters that reference files—such as file=, path=, template=, or page=. The attacker then tests various traversal payloads to determine if path validation exists and what depth is needed to reach system files. Success means reading configuration files, credentials, source code, or even writing malicious files if the application allows file uploads or modifications.
Impact
- Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
- Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
- System file access: Retrieving
/etc/passwd,/etc/shadow, or Windows SAM files for credential cracking - Configuration tampering: If write access exists, attackers modify settings or inject malicious code
- Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise
Real-World Examples
ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.
Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.
File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.
Mitigation
- Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
- Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
- Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
- Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
- Strip dangerous sequences: Remove
../,..\\, and encoded variants, though this alone is insufficient
Recent CVEs (7701)
Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Path traversal in OpenWrt's cgi-io cgi-download handler (prior to 25.12.5) allows an authenticated administrator to read arbitrary root-readable files - including /etc/shadow - by exploiting a TOCTOU-style authorization flaw where ACL checks occur before path canonicalization. The rpcd session.c ACL matcher uses fnmatch() without FNM_PATHNAME, meaning a wildcard-prefixed ACL entry (e.g., /etc/config/*) can be defeated by appending ../ sequences that pass the ACL check but resolve to an out-of-scope file when open() is called. No public exploit identified at time of analysis; vendor-released patch is available in v25.12.5.
Arbitrary file write in Splunk Enterprise (versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, 9.3.14) and Splunk Cloud Platform lets a privileged user with the edit_local_apps and install_apps capabilities abuse the app-installation workflow to write files outside the target app directory into $SPLUNK_HOME/etc/ and its subdirectories. The flaw is a path traversal (CWE-22) that can be leveraged to overwrite Splunk configuration and system files, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Path traversal in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows a remote, authenticated attacker with administrative credentials to read or delete arbitrary files on the underlying operating system via crafted HTTP requests. Successful exploitation could expose sensitive configuration or credential files, or trigger destructive deletion of system files. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the high confidentiality impact and the critical role ISE plays in enterprise network access control make this notable for environments running affected versions.
Zip-slip path traversal in File Browser 2.63.6–2.63.16 allows a low-privileged user with upload permission to plant a POSIX backslash-named file that the archive builder incorrectly normalizes into a directory traversal sequence, enabling arbitrary file write on any victim who downloads and extracts the generated archive. The root cause is the server-side conversion of `\` to `/` in archive entry names, which manufactures paths like `../../evil.sh` from the legal POSIX filename `..\..\evil.sh`. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack chain is straightforward for any user with upload access.
Path traversal in Apache Ivy's PackagerResolver (versions 2.0.0 through 2.5.3) allows an attacker with write access to a packager repository to overwrite arbitrary files outside the configured buildRoot directory by embedding '../' sequences in module coordinates such as organisation, name, or revision. The overwrite occurs during the Ant-script-driven repackaging phase that PackagerResolver triggers on artifact download. No public exploit code has been identified at time of analysis, and the vendor has released version 2.6.0 as the fix, confirmed via the Apache Ant project site on July 14, 2026.
Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.
Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. VulnCheck reported the issue; no public exploit identified at time of analysis and it is not in CISA KEV.
Authenticated arbitrary file write in the Grav CMS Form plugin (versions before 9.1.8) allows attackers to plant PHP webshells in the web root by abusing the process.save.filename parameter. The filename is checked for path traversal before Twig rendering but never re-validated afterward, so traversal sequences reconstructed during template evaluation bypass the guard. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the flaw was disclosed by VulnCheck via a coordinated GitHub security advisory.
Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.
File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. No public exploit or active exploitation has been identified at time of analysis, but the low complexity and broad impact on connected downstream systems make this a meaningful risk in multi-tenant or partially-trusted deployments.
Path traversal in mastergo-magic-mcp versions up to 0.2.0 allows local low-privileged attackers to read and write files outside the intended working directory by supplying manipulated path sequences via the `rootPath` argument of the `mcp__getComponentGenerator` component's `execute` function. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P), and the vendor has not responded to the issue report, leaving no patch available at time of analysis. No public exploitation (CISA KEV) has been confirmed, and the local-only attack vector significantly constrains the realistic threat surface.
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
ColdFusion is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
Arbitrary code execution in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) is possible through a path traversal weakness that a low-privileged remote attacker can trigger without user interaction to run code in the context of the current user. The CVSS 9.9 rating reflects a scope change (S:C), meaning impact reaches beyond the vulnerable component. No public exploit is identified at time of analysis, and CISA SSVC currently records exploitation as none, though ColdFusion is a historically heavily targeted product.
Path traversal in Adobe ColdFusion allows an authenticated remote attacker (PR:L) to read arbitrary files outside the intended web/application scope by manipulating pathname input, per Adobe advisory APSB26-82. The flaw carries a critical 9.9 CVSS with a changed scope, meaning a successful read can reach files belonging to other security contexts on the host. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
A security flaw has been discovered in mastergo-design mastergo-magic-mcp up to 0.2.0. This issue affects the function execute of the file src/tools/get-c2d.ts of the component mcp__C2d. Performing a manipulation of the argument filePath results in path traversal. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Local File Read in Anyquery's Server Mode lets unauthenticated network attackers exfiltrate arbitrary files (e.g. /etc/passwd, ~/.ssh/id_rsa) readable by the server process. When `anyquery server` is running and reachable, any client speaking the MySQL wire protocol can issue native SQLite CREATE VIRTUAL TABLE statements against built-in reader modules such as csv_reader or log_reader to point at restricted paths, with no authentication or credentials required (CVSS 3.1 base 7.5, C:H/I:N/A:N). A working proof-of-concept is published in the GHSA advisory, so publicly available exploit code exists; there is no CISA KEV listing or EPSS score in the provided data.
Arbitrary code execution in Adobe Animate 2023 and 2024 stems from a path traversal weakness triggered when a victim opens a maliciously crafted file, letting an attacker run code in the context of the current user and reach files or directories outside intended restrictions. The flaw carries a CVSS 3.1 base score of 8.6 with a changed scope, reflecting impact beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation risk hinges on social-engineering a user into opening a rogue project file.
Arbitrary file system read in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets remote unauthenticated attackers traverse outside the intended directory scope to retrieve sensitive files, per Adobe advisory APSB26-74. The CVSS 3.1 score of 8.6 is elevated by a changed scope (S:C), meaning the read reaches resources beyond the vulnerable component's security authority. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.
Unauthenticated arbitrary file read in FacturaScripts (all versions through v2026.2) lets remote attackers retrieve protected documents by abusing the static file controllers Files.php and Myfiles.php, which authorize requests on the raw URL prefix rather than the resolved filesystem path. A request such as /Plugins/../MyFiles/Private/invoice.pdf passes the prefix allow-list yet resolves to a private file, leaking customer/supplier invoices, attachments, and .sql database backups. A detailed, reproducible exploit is publicly available in the GitHub Security Advisory; there is no vendor-released patch identified at time of analysis and no evidence of active exploitation.
Remote code execution in Microsoft Windows Admin Center allows an authenticated attacker to run arbitrary code over the network by exploiting a relative path traversal (CWE-23) flaw. Any user holding valid low-privilege credentials to the WAC gateway can leverage the traversal to break out of the intended file path and achieve full compromise (confidentiality, integrity, and availability impact all High). Microsoft has published a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network.
Local privilege escalation in Windows User Interface Core (UI Core) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a relative path traversal flaw lets an already-authenticated low-privileged user escalate to higher privileges on the local machine. The CVSS 3.1 score of 7.8 reflects full confidentiality, integrity, and availability impact once triggered, though attack requires local access and existing low-level privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft's Age of Empires II: Definitive Edition Game is possible via a relative path traversal flaw (CWE-23) that lets a network-based attacker execute arbitrary code once a victim loads attacker-supplied content. The vulnerability is rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R) and requires user interaction, meaning a player must open or load a malicious game asset such as a downloaded map, mod, recording, or scenario. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
Path traversal in DedeCMS 5.7.118's Album Publishing Feature allows remote attackers with administrative credentials to read or write files outside the intended extraction directory by manipulating the `filename` argument passed to the `ExtractFile` function in `include/zip.class.php`. A public proof-of-concept exploit has been released on GitHub, lowering the skill bar for exploitation, though no active exploitation has been confirmed in the CISA KEV catalog. The CVSS 4.0 score of 5.1 with PR:H reflects the high privilege requirement, which materially limits the exposed attack surface to authenticated admin-level sessions.
Arbitrary file read/write in Perl's DBD::File before 1.651 lets callers of file-based DBI drivers escape the configured data directory via a symbolic link placed inside it. Because the complete_table_name method resolved the absolute table-file path without validating whether the entry was a symlink, a link within f_dir could point to any path on the filesystem, breaking the directory sandbox for both reads and writes. No public exploit has been identified at time of analysis, and the flaw is not in CISA KEV; a vendor patch (DBI 1.651) is available.
Path traversal in openSIS Classic 9.3 exposes arbitrary server files through the legacy messaging sent-mail attachment download endpoint, exploitable by any authenticated low-privilege user. The vulnerability allows crafted sequences such as directory traversal patterns to escape the intended attachment directory and retrieve sensitive server-side files. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low authentication bar and network accessibility make this a realistic internal threat.
Path traversal (CWE-22) in Fortinet FortiOS, FortiProxy, and FortiPAM enables a highly-privileged, physically-present attacker to execute unauthorized code or commands by escaping restricted directory boundaries. The vendor-supplied CVSS vector (AV:P/PR:H) constrains exploitation to scenarios requiring both physical device access and high-level credentials, making opportunistic or remote mass exploitation implausible. A proof-of-concept exists per the CVSS temporal indicator (E:P), and Fortinet has released an official fix per PSIRT advisory FG-IR-26-151; this vulnerability is not currently listed in the CISA KEV catalog.
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.
Arbitrary file write in Rockwell Automation FactoryTalk ThinManager allows an authenticated attacker to abuse a path traversal flaw in the software's API, saving files outside the application's intended directory into restricted system locations. Because CWE-22 file-write primitives on a Windows-based OT management server commonly enable code execution or service disruption, this carries an integrity and availability impact (CVSS 4.0 base 7.2). There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary file write via path traversal in Tenable Agent 11.2.0 and 11.1.3 and earlier lets a privileged attacker escape the intended plugin directory and drop files at attacker-chosen paths, potentially escalating to remote code execution. The flaw is vendor-reported (Tenable TNS-2026-18) and affects the endpoint scanning agent that typically runs with elevated/service privileges. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outside the intended data directory by abusing the JSON backup-restore feature, which builds file paths from attacker-controlled keys without validation. Because the default deployment ships with no required passphrase (or the hardcoded default 'opendoor'), an attacker can reach the restore endpoint without legitimate credentials. Publicly available exploit code exists (VulnCheck / Zero Science advisory), and EPSS/KEV data were not provided, so exploitation appears proof-of-concept rather than confirmed in-the-wild.
Arbitrary file disclosure in Ivanti Xtraction before 2026.2.1 lets a remote, authenticated attacker traverse outside the application's web root and read sensitive files from the underlying host. The CVSS 3.1 score of 7.7 reflects a scope change (S:C), meaning the impact reaches beyond the web application into the host filesystem, though only confidentiality is affected. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS score was provided.
Arbitrary file read in Apache OpenMeetings 5.0.0 through 9.0.x allows any room moderator to exfiltrate files accessible to the OS account running the server, including credentials and secrets, via a crafted download request to the WhiteBoard download service. The vulnerability stems from insufficient path validation in the WB download endpoint, enabling directory traversal outside the intended file scope. No active exploitation has been confirmed (not in CISA KEV), but the ability to read credential files makes this high-priority for any internet-exposed deployment where moderator access is not tightly controlled.
Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.
Arbitrary file write in the AI Engine WordPress plugin before 3.5.5 lets authenticated editor-level users abuse an unsanitized, user-supplied filename during a file-download-and-save operation to plant attacker-controlled bytes anywhere the web server user can write via path traversal. Because writing a PHP payload into the webroot typically yields remote code execution, this crosses from a content-management flaw into full site compromise. Publicly available exploit code exists and a vendor patch has shipped, though the issue is not listed in CISA KEV.
Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directory escape that can read or overwrite arbitrary files on the host filesystem. The root defect is in `keras/src/utils/file_utils.py`, where `is_path_in_dir` path containment checks are applied only to regular file entries - symlink entries are extracted without equivalent validation. The exposure is most severe on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole extraction safeguard; no public exploit or active exploitation has been identified at time of analysis.
Path traversal in GoClaw 3.13.3-beta.3 allows authenticated remote attackers to read or write files outside the intended workspace directory by manipulating the path argument to the `writeFile` function in the ACP ToolBridge Workspace Handler (`internal/providers/acp/tool_bridge.go`). A proof-of-concept exploit has been publicly disclosed via a GitHub issue, lowering the bar for exploitation. No CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.
Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.
Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.
Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.
Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.
GitLab API request redirection in zereight's mcp-gitlab (gitlab-mcp) MCP server lets attackers who control the job_id parameter escape the intended /jobs/ path prefix and reach arbitrary GitLab REST API endpoints under the operator's personal access token. Because the token is a bearer of the operator's full GitLab privileges, a crafted value such as '../../../user' resolves to /api/v4/user (or any other resource), turning a scoped job lookup into broad unauthorized data access. No public exploit was identified at time of analysis, and it is not listed in CISA KEV, but the flaw is trivially triggerable and was reported by VulnCheck with a vendor fix committed.
Remote unauthenticated code execution in Thales CERT's "Suspicious" email-analysis application (versions 1.3.4 and earlier), dubbed "Matryoshka Mail," lets an attacker abuse path traversal in attachment handling to overwrite writable application files-Python modules, configuration, cron inputs, and runtime artifacts-yielding root-level execution inside the Django container. Because the affected code runs Python and processes attacker-supplied mail, overwriting an imported module effectively converts arbitrary file write into RCE, plus persistent denial of service and possible exposure of application secrets and integrations. No public exploit identified at time of analysis and the issue is not in CISA KEV, but it carries a CVSS 4.0 base score of 9.2 and vendor-credited discovery by Lucien Doustaly (wlayzz).
Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary file deletion in WP Swings' Membership For WooCommerce WordPress plugin (all versions up to and including 3.1.0) lets remote attackers delete files outside the intended directory via unsanitized path input. The CVSS vector (PR:N) indicates the flaw is reachable without authentication, and the scope-changed rating reflects that deletion of critical files (e.g., wp-config.php) can break or reset the entire WordPress site. No public exploit has been identified at time of analysis; the issue was reported by Patchstack.
Arbitrary file deletion via path traversal in the SureDash WordPress plugin (Brainstorm Force) affects all versions up to and including 1.8.0, allowing an authenticated low-privilege user to delete files outside the plugin's intended directory by supplying crafted pathnames. The Patchstack reference explicitly characterizes the flaw as arbitrary file deletion, meaning an attacker can remove critical files such as wp-config.php to disrupt the site or force a re-installation takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.9 rating reflects the low barrier to exploitation.
Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Path traversal in better-auth/better-icons (versions up to and including 1.0.5) allows a local low-privileged attacker to manipulate the icons_file argument passed to the scan_project_icons/sync_icon component, escaping the intended directory boundary to read or write arbitrary files accessible to the process. A public proof-of-concept has been disclosed via GitHub issue #18, and the vendor has not yet responded to the responsible disclosure. No CISA KEV listing exists; the CVSS 4.0 base score of 1.9 correctly reflects the constrained local-only attack surface and limited per-file impact.
Path traversal in augmnt augments-mcp-server 7.1.0 allows a local low-privileged attacker to read arbitrary files outside the intended project directory by manipulating the packageJsonPath argument passed to the scanProjectDeps function. The vulnerability is limited to confidentiality impact (VC:L) with no integrity or availability effect, and a proof-of-concept has been publicly disclosed via a GitHub issue. The vendor has not responded to the responsible disclosure report, meaning no patch is currently available.
Path traversal in alioshr memory-bank-mcp through versions 0.2.1 and 3.1 allows a local low-privileged user to read files outside the intended project directory boundary by supplying traversal sequences in the `projectName` argument processed by `list-project-files-validation-factory.ts`. A public proof-of-concept has been disclosed via GitHub issue #36, and no patch is available as the vendor has not yet responded to the coordinated disclosure. No confirmed active exploitation has been identified (not listed in CISA KEV), though the public exploit lowers the barrier for opportunistic local abuse.
Path traversal in tugcantopaloglu godot-mcp 2.0.0 allows a local low-privileged user to escape the intended project directory by manipulating the projectPath argument passed to the validatePath function within the run_project component. A public proof-of-concept has been disclosed via GitHub issue #9, raising practical exploitability above the raw CVSS score of 4.8 would suggest. No active exploitation is confirmed by CISA KEV; a vendor-released patch is available in version 3.0.0.
Path traversal in makafeli n8n-workflow-builder (versions up to 0.11.0) allows a local low-privileged attacker to manipulate the filePath argument in the update_node_from_file function within build/server.cjs, enabling arbitrary file reads and writes outside the intended directory scope. A publicly available proof-of-concept exists on GitHub (issue #28), and the vendor has not responded to the coordinated disclosure. No public exploit has been confirmed as actively exploited and it is not listed in CISA KEV, but the local requirement combined with POC availability makes this a credible insider or post-compromise risk.
Sensitive information disclosure in OpenBMB XAgent v1.0.0 and earlier allows remote unauthenticated attackers to read arbitrary files on the server by abusing a path traversal flaw in the file() endpoint of XAgentServer's workspace router. The user-controllable 'filename' parameter is concatenated into a file path without validation, so a crafted request escapes the intended workspace directory. SSVC lists exploitation as proof-of-concept and automatable=yes; publicly available exploit code exists via a referenced gist, though this is not confirmed as actively exploited in the wild.
Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overwrite any file writable by the service account by abusing the unvalidated output_path parameter on the /screenshot and /pdf endpoints. Reported by VulnCheck and disclosed in GitHub advisory GHSA-365w-hqf6-vxfg, the flaw enables path traversal or absolute-path writes that corrupt server files and cause denial of service. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privileges attack surface makes it a straightforward target once a Crawl4AI Docker server is exposed.
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let an attacker with chat-interface access weaponize LLM tool calls: because file paths are not validated and shell commands are not sanitized, a crafted prompt can write files anywhere on the host and run arbitrary shell commands as root. Reported by VulnCheck and fixed in 4.6.78, this is a CVSS 9.4 (v4.0) flaw with no public exploit identified at time of analysis, though the injection path is trivial to trigger for any user who can reach the chat.
Path traversal in PraisonAI before 4.6.78 enables file exfiltration outside the workspace by embedding traversal sequences (e.g., @../outside_secret.txt) or absolute paths in custom project command templates, which are then injected verbatim into model prompts. Users who process attacker-controlled command files expose all process-readable files - including credentials, environment variables, and application secrets - to whoever controls the model interaction. No public exploit code has been identified and PraisonAI is not listed in the CISA KEV catalog at time of analysis; a vendor patch is available.
Arbitrary file disclosure in the W3 Total Cache plugin for WordPress (versions ≤ 2.9.4) lets remote unauthenticated attackers read any file readable by the web server via a path traversal in the Minify subsystem's setupSources function. Exploitation is gated on the site running manual minify mode with a crafted manual-format filename, so it is not universally triggerable, and there is no public exploit identified at time of analysis. The flaw was reported by Wordfence and can expose credentials, wp-config.php secrets, and other sensitive server files.
Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.
Arbitrary file read in the UnderConstructionPage PRO WordPress plugin (≤ 5.76) exposes sensitive server files to any authenticated subscriber-level user. The plugin's template_thumbnail parameter accepts unsanitized local file paths and copies their contents into the publicly accessible uploads directory, making the exfiltrated data retrievable by unauthenticated third parties after the fact. No public exploit code or CISA KEV listing exists at time of analysis; however, the low privilege bar (subscriber accounts) and high confidentiality impact (CVSS C:H) make this a meaningful risk on multi-user WordPress installations.
Arbitrary file write leading to remote code execution in the Frappe framework (versions prior to 15.112.0 and 16.23.0) allows a privileged user to abuse the Package Import feature, where tarfile members are extracted without adequate path validation (a TarSlip / path-traversal flaw, CWE-22). An attacker who can upload a crafted package tarball can write files outside the intended extraction directory to overwrite application files and achieve code execution as the Frappe service account. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.6, reflecting high impact gated by a high-privilege prerequisite.
Path traversal via the download_backups endpoint in Frappe framework exposes arbitrary server-side files to authenticated high-privilege users. Affected versions span the entire v15 branch prior to 15.109.0 and the v16 branch prior to 16.19.0 (CPE: cpe:2.3:a:frappe:frappe:*). An attacker holding administrator-level credentials can craft a traversal payload in the backup download request to read files outside the intended backup directory, achieving high confidentiality impact with no integrity or availability consequence. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Local file inclusion in the Frappe Framework's Chrome PDF Generator (versions prior to 16.18.3) allows an authenticated user to abuse the 'secure local resource access' mechanism to traverse the filesystem and read arbitrary local files on the server. The flaw is a CWE-22 path traversal disclosed via GitHub Security Advisory GHSA-234v-jfr8-v2f8 and carries a CVSS 4.0 base score of 7.1 (VC:H - confidentiality-only impact). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector with only low privileges makes it a meaningful information-disclosure risk on multi-tenant deployments.
Unauthenticated arbitrary file write in EverOS, an AI-agent memory runtime by EverMind-AI, affects all versions prior to 1.0.1 via the POST /api/v1/memory/add ingestion endpoint. Because the per-message sender_id field is not sanitized as a path-safe identifier (unlike app_id and project_id), an attacker can supply ../ sequences that redirect where extracted memory episodes are written, letting a remote unauthenticated caller create or overwrite .md files outside the memory root with partially attacker-controlled content. No public exploit identified at time of analysis, and no EPSS score was provided, but the CVSS 8.2 rating and unauthenticated network reach make it a meaningful integrity risk for exposed instances.
Arbitrary file deletion in Snipe-IT prior to 8.6.2 allows an authenticated attacker holding both import and assets.update permissions to delete any file readable by the server process via a path traversal string injected into the asset image field during CSV import. The vulnerability is triggered in a two-stage pattern: first importing a crafted CSV, then invoking the image deletion action, which follows the unsanitized path without boundary checks. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog. The fix is confirmed in the v8.6.2 release.
DSN string injection in grav-plugin-database prior to version 1.2.0 allows an administrator with Grav CMS plugin configuration access to manipulate PDO database connection strings by injecting unsanitized YAML field values. The vulnerable `Database::__call` method concatenates fields such as host, dbname, charset, server, database, directory, and filename directly into DSN strings without validation, enabling DSN attribute injection or path traversal to redirect database connections to unintended targets. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in version 1.2.0.
Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.
Path traversal in PraisonAI's FastContext feature (praisonaiagents before 1.6.78) enables low-privileged network attackers to read arbitrary files outside the intended workspace sandbox. FastContextAgent.execute_tool() applies the workspace_path prefix only to relative paths, neither rejecting absolute path arguments nor canonicalizing joined paths before enforcing containment - meaning file-operation tools (grep_search, glob_search, read_file, list_directory) can be exploited with '../' sequences or direct absolute paths to exfiltrate host files. No public exploit has been identified at time of analysis, but the vulnerability is straightforward to trigger given the mechanics, and CVSS 4.0 rates the confidentiality impact on the vulnerable system as High.
Path traversal in PraisonAI's ContextGatherer component (all versions before 4.6.78) allows an attacker who can supply or manipulate .praisoncontext or .praisoninclude files to read arbitrary files outside the intended workspace directory, including sensitive system files accessible to the user running PraisonAI. The vulnerability stems from a complete absence of path validation before file inclusion, permitting both absolute paths and relative traversal sequences. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the attack is conceptually simple and requires no special tooling once an attacker can influence project workspace files.
Path traversal in PraisonAI (pip package praisonaiagents) before version 1.6.78 allows an untrusted checked-out repository to overwrite arbitrary files on a developer's machine by embedding a malicious `.praisonai/config.toml` that sets `defaults.output.output_file` to an absolute or directory-traversal path. When the developer subsequently constructs an Agent and calls `agent.start()` without an explicit output parameter, PraisonAI resolves the attacker-supplied path - creating parent directories as needed - and writes agent output there with the privileges of the running user. No public exploit code or CISA KEV listing has been identified; a vendor patch at version 1.6.78 and an upstream fix commit are available per GitHub Security Advisory GHSA-qjw5-xwrp-xwpq.
Path traversal in phpMyFAQ's PDF export pipeline allows authenticated FAQ editors to read arbitrary server-side files by storing HTML with crafted image paths that exploit a type-juggling flaw in concatenatePaths(). When the substring 'content' is absent from an attacker-controlled path, strpos() returns false, which PHP silently coerces to integer 0, causing the full unsanitized path to pass through to file_get_contents() without canonicalization. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, but the root cause is a low-complexity PHP type-juggling antipattern that is straightforward to weaponize once the attack surface is understood.
Path traversal in Dell Unisphere for PowerMax 10.3.0.5 and prior exposes arbitrary files on the underlying server to remote attackers holding low-privileged credentials. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms high confidentiality impact with no integrity or availability consequence, consistent with a read-only directory traversal flaw. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, though the low attack complexity raises concern for rapid weaponization if credentials are compromised.
Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB process can write by abusing an unsafe API that fails to sanitize user-supplied pathnames. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with high confidentiality and integrity impact, and controlled file placement can escalate to code execution or overwrite of critical files. No public exploit has been identified at time of analysis, and EPSS is low (0.16%, 5th percentile) despite the 9.1 severity.
Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.
Path traversal in Samsung's SemClipboardService exposes arbitrary system-privileged files to local low-privileged attackers on Samsung Mobile Devices running Android 14, 15, and 16. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H) confirms that a local application with minimal privileges can exploit the service to read protected system files, bypassing Android's permission model. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch is available via SMR Jul-2026 Release 1.
Path traversal in Samsung Mobile's Wallpaper service exposes arbitrary files readable under the system server privilege to local privileged attackers. Affected devices run Android 14, 15, and 16 with firmware prior to the SMR Jul-2026 Release 1. The CVSS 4.0 vector (AV:L/PR:H/VC:H) confirms a local, high-privilege attack path with confidentiality-only impact and no integrity or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.
Path traversal in zhayujie CowAgent versions up to 2.1.0 allows remote low-privilege authenticated attackers to write files outside the intended skill installation directory by manipulating the `Name` argument in the Skill Installation Handler. The flaw resides in the `_add_url` and `_add_package` functions within `agent/skills/service.py`, which fail to sanitize path components before constructing filesystem paths during skill installation. No public exploit or active exploitation confirmed (no CISA KEV listing); a vendor-released patch exists in version 2.1.2.
Path traversal via the unsanitized 'X-FILENAME' HTTP header in the ARMember WordPress membership plugin allows unauthenticated remote attackers to upload and overwrite files outside the intended 'wp-content/uploads/armember' directory on affected WordPress installations running versions 4.0.27 and earlier. The integrity impact is limited by the plugin's handling of 'certain files (e.g., CSS)' rather than arbitrary file types, capping the CVSS score at 5.3 Medium; however, successful exploitation can enable website defacement or manipulation of frontend assets without any authentication. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Path traversal in halo-dev/halo through version 2.24.2 allows authenticated administrators to write files outside the intended theme directory by supplying a crafted `metadata.name` value during theme installation. The flaw resides in the `ThemeUtils.unzipThemeTo()` function in `ThemeUtils.java`, which fails to sanitize the metadata name before constructing extraction paths. A public proof-of-concept exploit exists, but real-world impact is substantially constrained by the PR:H prerequisite - the attacker must already hold admin-level credentials - yielding a CVSS 4.0 score of only 2.0 and no CISA KEV listing.
An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Technology, Inc.) version 3.5.0.r 2024/05/24 00:00:00. An unauthenticated attacker can craft malicious HTTP requests containing traversal sequences to access files outside of the intended web root directory. This may allow disclosure of sensitive system files and configuration data
Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.
Path traversal in rattler_cache and py-rattler exposes the victim's filesystem to out-of-bounds file writes when package metadata from an untrusted conda channel contains path separators or directory traversal sequences in the build string. Users who install packages from a malicious channel trigger cache materialization logic that joins the unsanitized build string into a filesystem path, allowing package contents to land outside the configured cache directory. No public exploit has been identified and no CISA KEV listing exists; exploitation requires deliberate use of an untrusted channel (CVSS UI:R), meaningfully limiting real-world exposure.
Authenticated path traversal in SiYuan personal knowledge management system (versions prior to 3.7.1) lets a low-privileged user read arbitrary workspace files by abusing the /snippets/*filepath handler. Because serveSnippets in kernel/server/serve.go single-decodes the request path and joins it to the snippets directory without containment or sensitive-file checks, a request like /snippets/%2e%2e/%2e%2e/conf/conf.json returns workspace secrets and the document database. No public exploit identified at time of analysis, though the fixing commit publicly reveals the vulnerable code path.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 7701