Path Traversal
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.
How It Works
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation. Attackers inject special sequences like ../ (dot-dot-slash) to escape the intended directory and navigate to arbitrary locations in the file system. Each ../ sequence moves up one directory level, allowing an attacker to break out of a restricted folder and access sensitive files elsewhere on the server.
Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding becomes %252e%252e%252f (encoding the percent sign itself). Other evasion methods include nested sequences like ....// (which become ../ after filter removal), null byte injection (%00 to truncate path validation), and OS-specific path separators (backslashes on Windows). Absolute paths like /etc/passwd may also work if the application doesn't enforce relative path constraints.
The typical attack flow begins with identifying input parameters that reference files—such as file=, path=, template=, or page=. The attacker then tests various traversal payloads to determine if path validation exists and what depth is needed to reach system files. Success means reading configuration files, credentials, source code, or even writing malicious files if the application allows file uploads or modifications.
Impact
- Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
- Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
- System file access: Retrieving
/etc/passwd,/etc/shadow, or Windows SAM files for credential cracking - Configuration tampering: If write access exists, attackers modify settings or inject malicious code
- Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise
Real-World Examples
ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.
Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.
File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.
Mitigation
- Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
- Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
- Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
- Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
- Strip dangerous sequences: Remove
../,..\\, and encoded variants, though this alone is insufficient
Recent CVEs (7724)
Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.
Arbitrary file write in wireshark-mcp up to version 1.1.5 allows remote attackers to write files to any filesystem location via prompt injection in pcap payloads that trigger the wireshark_export_objects MCP tool. The vulnerability exploits missing mandatory path restrictions when the WIRESHARK_MCP_ALLOWED_DIRS environment variable is not configured (default state). An attacker can craft a malicious pcap with embedded HTTP objects bearing filenames like authorized_keys, manipulate an AI model using the MCP server into calling export_objects with dest_dir=/home/user/.ssh/, and achieve SSH access, cron hijacking, or web shell placement. Publicly available proof of concept confirms exploitation against version 1.1.5 with tshark 4.6.4; no vendor-released patch exists at time of analysis.
Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. Vendor-confirmed vulnerability with patch released in version 7.0.2. No active exploitation confirmed (not in CISA KEV). CVSS metrics not available, but path traversal combined with file handling operations presents moderate confidentiality and integrity risk depending on application-specific file processing logic.
Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.
Path traversal and authentication bypass in s3-proxy allows remote unauthenticated attackers to read, write, or delete objects in protected S3 namespaces via percent-encoded slashes (%2F) and dot-segment traversal. Three distinct bypass mechanisms exploit mismatches between encoded/decoded path handling: (1) wildcard glob patterns lacking path separators match across directory boundaries, (2) percent-encoded slashes collapse into decoded paths after authentication checks, and (3) dot-segment sequences bypass prefix-based access controls. Vendor-released patches available in commits 1320e4abd and af5ff57d. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible unauthenticated access, though exploitation requires specific resource path configurations using wildcards or prefix patterns.
Path traversal in Langflow's Knowledge Bases API allows authenticated attackers to delete arbitrary directories on the server filesystem via crafted DELETE requests to /api/v1/knowledge_bases. The vulnerability (CVSS 9.6, Critical) stems from insufficient input validation in the delete_knowledge_bases_bulk function, which passes user-supplied knowledge base names directly to shutil.rmtree() without path containment checks. Publicly available exploit code exists (PoC disclosed in GHSA-9whx-c884-c68q), enabling cross-tenant data destruction and service disruption. Fixed in version 1.9.0 via PR #12243.
Authenticated users can access, modify, and delete files in sibling directories outside Jupyter Server's configured root_dir by exploiting a flawed string prefix check in path validation (CWE-22). Jupyter Server <=2.17.0 incorrectly uses startswith() validation, allowing attackers to traverse to directories like 'testtest/' when root is 'test/'. Publicly available exploit code exists. This primarily threatens multi-tenant deployments with predictable naming schemes (e.g., user1, user10-user19) where low-privileged users can escalate to access other users' workspaces. CVSS 7.1 reflects network-accessible attack requiring low privileges but high attack complexity; EPSS data not provided but real-world risk is significant for affected multi-tenant environments.
Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.
Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.
Arbitrary file deletion via path traversal in Betheme WordPress theme version 28.4 and earlier allows authenticated contributors and above to delete arbitrary files on the server by manipulating the mfn-icon-upload parameter in the upload_icons() function. The vulnerability requires valid WordPress account credentials at contributor level or higher but exploits an unconstrained filesystem move operation to bypass upload directory restrictions. No public exploit code or active KEV listing identified at analysis time.
Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.
Path traversal vulnerability in 54yyyu code-mcp's MCP File Handler (function is_safe_path in src/code_mcp/server.py) allows remote unauthenticated attackers to access files outside intended directories with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the project uses rolling releases without versioned releases, and the vendor has not yet responded to early disclosure.
Path traversal in UsamaK98 python-notebook-mcp allows remote unauthenticated attackers to read, write, and manipulate notebook files outside their intended directory via crafted input to the create_notebook, read_notebook, edit_cell, and add_cell functions in server.py. Public exploit code is available. The project uses rolling releases with no versioning, and the vendor has not yet responded to the initial issue report despite early notification.
EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.
Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.
Arbitrary file writing via directory traversal in Nix versions before 2.34.7 allows unauthenticated remote attackers to overwrite files on systems running vulnerable versions of nix-prefetch-url or nix store prefetch-file with the --unpack flag. The vulnerability exploits improper path validation during archive extraction, enabling an attacker to craft malicious packages that write to arbitrary filesystem locations when unpacked. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) reflects network-based exploitation without authentication, though real-world impact depends on file permissions and deployment context. No active exploitation has been confirmed in CISA KEV at time of analysis.
Path traversal vulnerability in Apache Thrift Node.js web_server.js (versions prior to 0.23.0) allows remote unauthenticated attackers to read arbitrary files, write to unauthorized locations, and potentially execute code. Disclosed via oss-security mailing list pre-NVD publication. EPSS score of 0.01% indicates low observed exploitation probability despite network-accessible attack vector and no authentication requirement. CISA SSVC framework classifies this as automatable with partial technical impact but no confirmed exploitation. Patch available in version 0.23.0.
Path traversal vulnerability in RTGS2017 NagaAgent up to version 5.1.0 allows remote unauthenticated attackers to manipulate the Name argument in the Skills Endpoint (apiserver/routes/extensions.py) to access arbitrary files on the server with limited confidentiality impact. Exploit code has been publicly disclosed and the vendor was informed via issue report but has not responded with a patch.
Path traversal in Axle-Bucamp MCP-Docusaurus document handling functions allows remote unauthenticated attackers to manipulate the DOCS_DIR path parameter in update_document, continue_document, delete_document, and get_content endpoints, enabling unauthorized file access and manipulation. The vulnerability affects all versions up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0, with publicly available exploit code disclosed via GitHub issues.
Symlink-following path traversal in apko (versions 0.14.8 through <1.2.5) allows malicious APK archives to write arbitrary files to host paths during build operations. A crafted .apk can install a symlink entry pointing outside the build root, then traverse that symlink via subsequent file-write or directory-creation operations to reach any path writable by the build user. Affects disk-backed operations in apko build-cpio and downstream tools like melange; in-memory tarfs paths (apko build, apko publish) are not vulnerable. Vendor-released patch available in apko v1.2.5. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates network-reachable unauthenticated exploitation, though practical attack requires convincing a target to process the malicious APK during a build. No EPSS or KEV data available; publicly available exploit code exists in the form of regression tests demonstrating each primitive.
Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.
Path traversal (Zip Slip) vulnerability in OpenMRS Core ≤ 2.7.8 and 2.8.0-2.8.5 allows authenticated administrators to achieve remote code execution by uploading a malicious .omod module archive to the REST API endpoint POST /openmrs/ws/rest/v1/module. Attackers can write arbitrary JSP files to the Tomcat webroot via crafted ZIP entries containing directory traversal sequences (e.g., web/module/../../../../malicious.jsp), which bypass incomplete path validation in WebModuleUtil.startModule(). The vulnerability also bypasses the module.allow_web_admin security control, as the REST API does not enforce this restriction despite Legacy UI being protected. No vendor-released patch identified at time of analysis for either affected version range.
Path traversal in Detect-It-Easy archive extraction allows local attackers to write arbitrary files outside intended directories and achieve persistent code execution by overwriting user startup scripts. Affects all versions prior to 3.21. Exploitation requires user interaction to open a specially crafted archive file. Vendor-released patch available in version 3.21, with fixes applied across multiple repository components (DIE-engine, Formats, XArchive). No public exploit identified at time of analysis, though the vulnerability class is well-understood and exploitation techniques are documented.
Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.
OpenC3 COSMOS before versions 6.10.5 and 7.0.0-rc3 allows authenticated users to write arbitrary files to the shared /plugins directory via path traversal sequences in tool configuration filenames, potentially overwriting other plugins' configuration files. The vulnerability exists in the save_tool_config() function which canonicalizes filenames but does not restrict writes to plugin-specific subdirectories, enabling lateral movement between plugins. CVSS 4.3 reflects low severity due to authentication requirement and limited scope (integrity only), though real-world impact depends on whether plugin configurations contain sensitive data.
Arbitrary file write vulnerability in PPTAgent prior to commit 418491a allows authenticated users with UI interaction to write files outside the intended workspace via path traversal in the save_generated_slides function, potentially overwriting arbitrary files on the system. CVSS 4.6 (low integrity and availability impact); no public exploit code identified at time of analysis.
PPTAgent prior to commit 418491a allows authenticated users to write arbitrary files and create directories outside intended workspace boundaries via path traversal in the markdown_table_to_image function. An attacker with login access can supply crafted file paths containing directory traversal sequences to escape the configured workspace and write malicious files to arbitrary locations on the system. The vulnerability requires user interaction (UI:R in CVSS vector) and affects confidentiality and availability, with no public exploit code identified at time of analysis.
Path traversal in Evolver's skill fetch command enables arbitrary file writes via unvalidated --out= flag. Authenticated attackers can overwrite system files or create malicious files in sensitive locations (e.g., cron directories) by using directory traversal sequences like '../../../etc/cron.d'. The vulnerability exists in index.js where user-provided paths from --out= are extracted without sanitization and passed directly to fs.mkdirSync(). Patch released in version 1.69.3. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation.
Path traversal in puchunjie doc-tools-mcp 1.0.18 MCP Interface allows authenticated remote attackers to access arbitrary files on the system via manipulation of the filePath argument in create_document and open_document functions. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists. The vendor has not responded to the early disclosure.
Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible web directory, allowing unauthenticated remote attackers to enumerate and download sensitive user data without authentication. The vulnerability affects all versions prior to 1.2.0, has publicly available proof-of-concept code, and carries moderate real-world risk due to the low attack complexity and high automatable nature of exploitation, though the actual severity is constrained by the fact that CSV export must first occur and require that files remain accessible.
Path traversal in ryanjoachim mcp-rtfm 0.1.0 allows authenticated remote attackers to read, write, and delete arbitrary files by manipulating the docFile parameter in the get_doc_content, read_doc, update_doc, and related MCP interface functions. Publicly available exploit code exists, and the vulnerability affects all versions of the product without a patched release identifier provided. An authenticated user can exploit this with no user interaction required via network access to escape the intended .handoff_docs directory and access files outside the designated documentation scope.
Path traversal in ravenwits mcp-server-arangodb up to version 0.4.7 allows authenticated remote attackers to manipulate the outputDir argument in the arango_backup function, enabling unauthorized file system access with limited confidentiality and integrity impact. The vulnerability affects the MCP Interface component and has publicly available exploit code; however, the low CVSS score (2.1) reflects constrained real-world risk due to the requirement for authenticated access and limited technical impact scope.
Path traversal vulnerability in AV Stumpfl Pixera Two Media Server up to version 25.1 R2 allows adjacent network attackers to access arbitrary files via manipulation of an unknown function on Service Port 1338. The vulnerability has a low CVSS score of 2.1 due to adjacency requirement (AV:A) and confidentiality-only impact, but publicly available exploit code exists and the vendor has released a patch in version 25.2 R3.
Path traversal in jsbroks COCO Annotator up to version 0.11.1 allows authenticated remote attackers to access arbitrary files on the server by manipulating the folder argument in the Data Endpoint (backend/webserver/api/datasets.py). The vulnerability requires valid user credentials and an attacker can only read files with limited technical impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Path traversal vulnerability in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to read arbitrary files on the server via manipulation of the fileName parameter in the ToolController.download endpoint. The vulnerability has publicly available exploit code and affects the Tool Download functionality, enabling unauthorized file disclosure with low CVSS impact (4.3) due to authentication requirements and limited scope.
Path traversal in the MCP Interface export_state function of ruvnet sublinear-time-solver 1.5.0 allows remote unauthenticated attackers to manipulate file paths, resulting in information disclosure and integrity compromise. Public exploit code is available and the vulnerability has CVSS 6.5 (medium severity) with proof-of-concept publicly disclosed, though the vendor has not yet responded to early notification.
Arbitrary file read in Salon Booking System plugin for WordPress (versions ≤10.30.25) allows unauthenticated remote attackers to exfiltrate sensitive local files by injecting malicious file paths into booking form fields, which are then attached to confirmation emails sent by the system. Wordfence identified this path traversal vulnerability (CWE-22) with a CVSS score of 7.5, exploitable without authentication or user interaction. The vulnerability is confirmed patched in version 10.30.26 via changeset 3512110, though no CISA KEV listing or public exploit code has been identified at time of analysis.
Path traversal in 8nite metatrader-4-mcp 1.0.0 allows authenticated remote attackers to access arbitrary files via manipulation of the ea_name argument in the CallToolRequestSchema function of src/index.ts. The vulnerability affects the sync_ea_from_file component, has publicly available exploit code, and impacts confidentiality with a CVSS score of 2.1. The vendor has not responded to early disclosure notification.
Path traversal in Dayoooun hwpx-mcp 0.2.0 allows authenticated remote attackers to manipulate the output_path argument in save_document, export_to_text, and export_to_html functions, enabling arbitrary file write or read operations outside intended directories. The vulnerability affects the MCP Interface component (mcp-server/src/index.ts) with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure.
Path traversal in Flux159 mcp-game-asset-gen 0.1.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files via manipulation of the statusFile parameter in the image_to_3d_async function. The vulnerability is confirmed actively exploited with publicly available exploit code (GitHub issue #3). CVSS 7.3 reflects network-accessible attack with low confidentiality, integrity, and availability impact. Despite early responsible disclosure via issue report, the maintainer has not responded, leaving the open-source project unpatched.
Path traversal in the CSV Export endpoint of ghantakiran's splunk-mcp-integration allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the job_name parameter in the create_csv_export function. The vulnerability affects all versions up to commit 0b86b09d5e5adf0433acd43c975951224613a1a6, with publicly available exploit code disclosed via GitHub issue; no vendor patch has been released despite early notification.
Path traversal in ggerve coding-standards-mcp server.py allows remote unauthenticated attackers to access arbitrary files by manipulating the Language parameter in the get_style_guide and get_best_practices functions. The vulnerability has publicly available exploit code and affects the product's rolling-release model where specific vulnerable versions are not formally documented. The project maintainer has not yet responded to the early vulnerability disclosure.
Path traversal in Fujian Apex LiveBOS through the /feed/UploadImage.do endpoint allows remote attackers to manipulate the filename parameter and write files to arbitrary locations on the server. Versions up to 2.0 are affected. Public exploit code is available. Upgrading to version 2.1 resolves the vulnerability.
Remote unauthenticated arbitrary file write in AGL (Automotive Grade Linux) app-framework-main through version 17.1.12 allows attackers to achieve code execution or system compromise via malicious widget packages. A crafted ZIP archive combining path traversal (../ sequences in filenames) with a time-of-check-time-of-use race condition allows files to be written anywhere on the filesystem before signature validation occurs. Even when signature checks fail, malicious files persist outside the temporary directory. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Public technical analysis available via GitHub Gist reference suggests proof-of-concept may exist.
Path traversal via profile import in Wireshark lets a malicious configuration profile archive write files outside the intended profile directory, causing denial of service and potentially arbitrary code execution when a user imports it. Affected builds are Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14, with the flaw triggered by user interaction (importing a crafted profile) rather than network traffic. EPSS is very low (0.01%) and there is no public exploit identified at time of analysis; a vendor patch is available.
Path traversal in IBM Langflow Desktop versions 1.8.4 and earlier allows authenticated remote attackers to read arbitrary files on the system by crafting URLs containing directory traversal sequences (/../). The vulnerability affects the file handling mechanism and could expose sensitive configuration, source code, or other confidential files accessible to the Langflow process. A vendor-released patch is available.
Authenticated attackers can exploit a path traversal vulnerability in IBM Langflow Desktop 1.2.0 through 1.8.4 to write arbitrary files to the system by crafting URLs containing directory traversal sequences (/../). The vulnerability requires prior authentication but allows complete bypass of file system restrictions, enabling file overwrite or creation outside intended directories with no integrity protections.
Unauthenticated remote file write in Shopizer v3.2.5 allows attackers to upload arbitrary files to any writable system path via path traversal in the /content/images/add endpoint. With CVSS 10.0 and network-based exploitation requiring no authentication or user interaction, this enables immediate remote code execution by uploading malicious executables or web shells. No public exploit confirmed at time of analysis, though the attack vector is straightforward for a path traversal vulnerability. EPSS data not available, but the technical characteristics (AV:N/PR:N/AC:L) indicate high exploitability once details become widely known.
Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. Scope change in CVSS vector indicates container escape or cross-tenant impact in multi-tenant deployments. No active exploitation confirmed (not in CISA KEV) but vulnerability disclosed via GitHub issue #530.
Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Path traversal in ColorOS Assistant allows local attackers to manipulate file downloads and cause high availability impact via an unauthenticated download channel. The vulnerability (CWE-23) enables writing files to arbitrary paths when a user is socially engineered to trigger the malicious download. OPPO has published a security advisory. No active exploitation confirmed; EPSS data not available for this recent 2026 CVE.
Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.
Path traversal in ZMCPTools up to version 0.2.2 allows authenticated remote attackers to read or manipulate files outside intended directories via the dirname argument in the MCP Log Resource Handler component. The vulnerability is exploitable over the network by authenticated users with low privileges, has publicly available exploit code, and carries a CVSS score of 2.1 reflecting low confidentiality and integrity impact with no scope expansion.
### Summary Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks: - **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path). - **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL). Example request: ``` GET /locales/resources.json?lng=../../etc/passwd&ns=root ``` with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service. ### Impact - **Arbitrary file read** via `fs`-style backends - any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.). - **SSRF** via `http`-style backends - requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft. - **Unbounded growth of `i18next.options.ns`** - a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads. The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer. ### Affected versions `< 3.9.3`. ### Patch Fixed in **3.9.3**. The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector: ```js languages = languages.filter(utils.isSafeIdentifier) namespaces = namespaces.filter(utils.isSafeIdentifier) ``` `isSafeIdentifier` uses a denylist approach - it still accepts any legitimate i18next language-code shape ([i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)) - rejecting: - `..` sequences (relative path traversal) - path separators (`/`, `\`) - control characters (C0/C1) - prototype keys (`__proto__` / `constructor` / `prototype`) - empty strings and values longer than 128 characters Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply. ### Workarounds No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer. ### Related advisories fixed in the same release - [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw) - prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules. - [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg) - HTTP response splitting + XSS-filter bypass (CVE-2026-41683). ### Credits Discovered via an internal security audit of the i18next ecosystem. ### Resources - [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html) - [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend) - [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)
### Impact A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with `..` values, along with a resource of type `stac-collection` defined in configuration. ### Patches The issue has been patched in master branch and made available as part of the 0.23.3 release. The commit/fix can be found in [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52). ### Workarounds Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
Path traversal in Admidio's document add mode allows authenticated attackers to register arbitrary server files into document folders via unvalidated `name` parameter, enabling arbitrary file read when combined with CSRF. A low-privileged user can trick a documents administrator into clicking a malicious link to register sensitive files like `install/config.php` (containing database credentials) into a publicly accessible documents folder, then download those files using the attacker's own session. The vulnerability chains insufficient input validation (accepts `../` sequences), missing CSRF protection on the `add` action, and `SameSite=Lax` cookies that permit cross-site GET requests from administrators.
Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.
Path traversal in mcpo-simple-server 0.2.0 and earlier enables unauthenticated remote attackers to delete arbitrary files via the delete_shared_prompt function. The vulnerability affects the prompt_manager module's base_manager.py file, where improper validation of the 'detail' parameter allows directory traversal sequences. A public proof-of-concept exploit exists (GitHub issue #4), making this an immediate threat to internet-exposed instances. EPSS data not available, but the combination of network exploitability (AV:N), no authentication required (PR:N), and public POC significantly elevates real-world risk despite moderate CVSS 7.3 score. Vendor has not responded to early disclosure.
Path traversal in geldata gel-mcp 0.1.0 allows remote unauthenticated attackers to read arbitrary files via manipulation of the rule_name argument in the list_rules and fetch_rule functions. The vulnerability has a CVSS score of 5.3 (Low confidentiality impact) with network accessibility and no authentication requirements. Public exploit code exists and the vendor has not responded to early disclosure.
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/wecom.py of the component WeChat Work Platform Adapter. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services.
A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Path Traversal. This issue affects Pardus Software Center: before 1.0.3.
A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c. This impacts the function search_papers of the file research_server.py. Performing a manipulation of the argument topic results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Cockpit CMS versions 2.13.5 and earlier allow authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets via directory traversal in the Buckets component. The vulnerability requires valid user authentication and does not impact confidentiality, but enables integrity compromise through malicious file placement or asset replacement. A proof-of-concept exists, though the SSVC framework rates automatable exploitation as unlikely, suggesting manual attack steps are required.
A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used.
A vulnerability was detected in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
A flaw has been found in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get_pdf_path of the file src/spire_pdf_mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy.
OpenClaw before version 2026.4.2 allows authenticated attackers to delete arbitrary remote directories during mirror mode synchronization operations by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. An attacker with login credentials can craft malicious OpenShell config paths that cause the mirror sync function to delete unintended remote directory contents before replacing them with uploaded workspace data, resulting in data loss and potential service disruption.
Path traversal in DV0x creative-ad-agent server component (up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3) allows remote unauthenticated attackers to read arbitrary files via manipulation of req.params arguments in server/sdk-server.ts. Public exploit code is available. CVSS 5.5 reflects low confidentiality impact with network-accessible attack vector and no authentication requirement.
Path traversal in WilliamCloudQi matlab-mcp-server allows remote unauthenticated attackers to manipulate the scriptPath argument in the generate_matlab_code and execute_matlab_code functions, enabling unauthorized file system access with confidentiality and integrity impact. The vulnerability affects versions up to commit ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca, has publicly available exploit code, and the vendor has not yet responded to early disclosure notification.
Path traversal in AgiFlow scaffold-mcp's write-to-file tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the file_path parameter. Versions up to 1.0.27 are affected. Public exploit code exists (GitHub issue #88), enabling attackers to bypass directory restrictions and access sensitive files or overwrite critical system files. CVSS 7.3 (High) with network attack vector and no authentication required. Vendor-released patch available in version 1.1.0 (commit c4d23592).
Path traversal vulnerability in ErlichLiu claude-agent-sdk-master allows remote unauthenticated attackers to read arbitrary files by manipulating the outputFile parameter in app/api/agent-output/route.ts. The vulnerability has a CVSS score of 5.3 (low integrity impact) and publicly available exploit code exists, though the project uses rolling releases and the maintainer has not yet responded to disclosure.
Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.
Absolute path traversal in Deepractice PromptX up to version 2.4.0 allows remote unauthenticated attackers to read arbitrary files from the server by manipulating the path argument in document file handling functions (read_docx, read_xlsx, read_pptx, list_xlsx_sheets, read_pdf). Publicly available exploit code exists and the vendor has not responded to early disclosure, though CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates moderate information disclosure risk with no integrity or availability impact.
Path traversal in processing-claude-mcp-bridge's create_sketch tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the sketch_name parameter in processing_server.py. Public exploit code exists via GitHub issue #1, enabling straightforward attacks against exposed instances. EPSS data not available, but CVSS 7.3 (High) with network vector and no authentication requirements indicates significant risk for internet-facing deployments. Project maintainer has not responded to vulnerability disclosure, leaving no vendor-confirmed patch timeline.
Path traversal in eghuzefa engineer-your-data up to version 0.1.3 allows remote attackers to read, write, list, and obtain information about arbitrary files via manipulation of the WORKSPACE_PATH argument in the read_file, write_file, list_files, and file_inf functions within src/server.py. Publicly available exploit code exists, and the vendor has been notified but has not yet responded with a fix.
Path traversal in ef10007 MLOps_MCP 1.0.0 allows remote unauthenticated attackers to write files to arbitrary filesystem locations via manipulation of the filename/destination argument in the save_file tool of fastmcp_server.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification, leaving affected deployments without an official patch.
Path traversal in duartium papers-mcp-server allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the topic argument in the search_papers function. The vulnerability affects commit 9ceb3812a6458ba7922ca24a7406f8807bc55598 and is publicly exploitable with proof-of-concept code available; the vendor has been notified via issue report but has not yet responded.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 7724