Skip to main content

Path Traversal

web HIGH

Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.

How It Works

Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation. Attackers inject special sequences like ../ (dot-dot-slash) to escape the intended directory and navigate to arbitrary locations in the file system. Each ../ sequence moves up one directory level, allowing an attacker to break out of a restricted folder and access sensitive files elsewhere on the server.

Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding becomes %252e%252e%252f (encoding the percent sign itself). Other evasion methods include nested sequences like ....// (which become ../ after filter removal), null byte injection (%00 to truncate path validation), and OS-specific path separators (backslashes on Windows). Absolute paths like /etc/passwd may also work if the application doesn't enforce relative path constraints.

The typical attack flow begins with identifying input parameters that reference files—such as file=, path=, template=, or page=. The attacker then tests various traversal payloads to determine if path validation exists and what depth is needed to reach system files. Success means reading configuration files, credentials, source code, or even writing malicious files if the application allows file uploads or modifications.

Impact

  • Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
  • Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
  • System file access: Retrieving /etc/passwd, /etc/shadow, or Windows SAM files for credential cracking
  • Configuration tampering: If write access exists, attackers modify settings or inject malicious code
  • Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise

Real-World Examples

ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.

Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.

File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.

Mitigation

  • Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
  • Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
  • Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
  • Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
  • Strip dangerous sequences: Remove ../, ..\\, and encoded variants, though this alone is insufficient

Recent CVEs (7723)

EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Path traversal via the download_backups endpoint in Frappe framework exposes arbitrary server-side files to authenticated high-privilege users. Affected versions span the entire v15 branch prior to 15.109.0 and the v16 branch prior to 16.19.0 (CPE: cpe:2.3:a:frappe:frappe:*). An attacker holding administrator-level credentials can craft a traversal payload in the backup download request to read files outside the intended backup directory, achieving high confidentiality impact with no integrity or availability consequence. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Path Traversal Frappe
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local file inclusion in the Frappe Framework's Chrome PDF Generator (versions prior to 16.18.3) allows an authenticated user to abuse the 'secure local resource access' mechanism to traverse the filesystem and read arbitrary local files on the server. The flaw is a CWE-22 path traversal disclosed via GitHub Security Advisory GHSA-234v-jfr8-v2f8 and carries a CVSS 4.0 base score of 7.1 (VC:H - confidentiality-only impact). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector with only low privileges makes it a meaningful information-disclosure risk on multi-tenant deployments.

Path Traversal Google Frappe
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated arbitrary file write in EverOS, an AI-agent memory runtime by EverMind-AI, affects all versions prior to 1.0.1 via the POST /api/v1/memory/add ingestion endpoint. Because the per-message sender_id field is not sanitized as a path-safe identifier (unlike app_id and project_id), an attacker can supply ../ sequences that redirect where extracted memory episodes are written, letting a remote unauthenticated caller create or overwrite .md files outside the memory root with partially attacker-controlled content. No public exploit identified at time of analysis, and no EPSS score was provided, but the CVSS 8.2 rating and unauthenticated network reach make it a meaningful integrity risk for exposed instances.

Path Traversal Everos
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Arbitrary file deletion in Snipe-IT prior to 8.6.2 allows an authenticated attacker holding both import and assets.update permissions to delete any file readable by the server process via a path traversal string injected into the asset image field during CSV import. The vulnerability is triggered in a two-stage pattern: first importing a crafted CSV, then invoking the image deletion action, which follows the unsanitized path without boundary checks. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog. The fix is confirmed in the v8.6.2 release.

Path Traversal Snipe It
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

DSN string injection in grav-plugin-database prior to version 1.2.0 allows an administrator with Grav CMS plugin configuration access to manipulate PDO database connection strings by injecting unsanitized YAML field values. The vulnerable `Database::__call` method concatenates fields such as host, dbname, charset, server, database, directory, and filename directly into DSN strings without validation, enabling DSN attribute injection or path traversal to redirect database connections to unintended targets. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in version 1.2.0.

Path Traversal Grav
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.

Path Traversal RCE Intellij Idea
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Path traversal in PraisonAI's FastContext feature (praisonaiagents before 1.6.78) enables low-privileged network attackers to read arbitrary files outside the intended workspace sandbox. FastContextAgent.execute_tool() applies the workspace_path prefix only to relative paths, neither rejecting absolute path arguments nor canonicalizing joined paths before enforcing containment - meaning file-operation tools (grep_search, glob_search, read_file, list_directory) can be exploited with '../' sequences or direct absolute paths to exfiltrate host files. No public exploit has been identified at time of analysis, but the vulnerability is straightforward to trigger given the mechanics, and CVSS 4.0 rates the confidentiality impact on the vulnerable system as High.

Path Traversal Praisonai
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Path traversal in PraisonAI's ContextGatherer component (all versions before 4.6.78) allows an attacker who can supply or manipulate .praisoncontext or .praisoninclude files to read arbitrary files outside the intended workspace directory, including sensitive system files accessible to the user running PraisonAI. The vulnerability stems from a complete absence of path validation before file inclusion, permitting both absolute paths and relative traversal sequences. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the attack is conceptually simple and requires no special tooling once an attacker can influence project workspace files.

Path Traversal Praisonai
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Path traversal in PraisonAI (pip package praisonaiagents) before version 1.6.78 allows an untrusted checked-out repository to overwrite arbitrary files on a developer's machine by embedding a malicious `.praisonai/config.toml` that sets `defaults.output.output_file` to an absolute or directory-traversal path. When the developer subsequently constructs an Agent and calls `agent.start()` without an explicit output parameter, PraisonAI resolves the attacker-supplied path - creating parent directories as needed - and writes agent output there with the privileges of the running user. No public exploit code or CISA KEV listing has been identified; a vendor patch at version 1.6.78 and an upstream fix commit are available per GitHub Security Advisory GHSA-qjw5-xwrp-xwpq.

Path Traversal Praisonai
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Path traversal in phpMyFAQ's PDF export pipeline allows authenticated FAQ editors to read arbitrary server-side files by storing HTML with crafted image paths that exploit a type-juggling flaw in concatenatePaths(). When the substring 'content' is absent from an attacker-controlled path, strpos() returns false, which PHP silently coerces to integer 0, causing the full unsanitized path to pass through to file_get_contents() without canonicalization. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, but the root cause is a low-complexity PHP type-juggling antipattern that is straightforward to weaponize once the attack surface is understood.

Path Traversal PHP Phpmyfaq
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Dell Unisphere for PowerMax 10.3.0.5 and prior exposes arbitrary files on the underlying server to remote attackers holding low-privileged credentials. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms high confidentiality impact with no integrity or availability consequence, consistent with a read-only directory traversal flaw. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, though the low attack complexity raises concern for rapid weaponization if credentials are compromised.

Dell Path Traversal Unisphere For Powermax
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB process can write by abusing an unsafe API that fails to sanitize user-supplied pathnames. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with high confidentiality and integrity impact, and controlled file placement can escalate to code execution or overwrite of critical files. No public exploit has been identified at time of analysis, and EPSS is low (0.16%, 5th percentile) despite the 9.1 severity.

Path Traversal Apache Apache Iotdb
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Path traversal in Samsung's SemClipboardService exposes arbitrary system-privileged files to local low-privileged attackers on Samsung Mobile Devices running Android 14, 15, and 16. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H) confirms that a local application with minimal privileges can exploit the service to read protected system files, bypassing Android's permission model. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch is available via SMR Jul-2026 Release 1.

Path Traversal
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM This Month

Path traversal in Samsung Mobile's Wallpaper service exposes arbitrary files readable under the system server privilege to local privileged attackers. Affected devices run Android 14, 15, and 16 with firmware prior to the SMR Jul-2026 Release 1. The CVSS 4.0 vector (AV:L/PR:H/VC:H) confirms a local, high-privilege attack path with confidentiality-only impact and no integrity or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Path traversal in zhayujie CowAgent versions up to 2.1.0 allows remote low-privilege authenticated attackers to write files outside the intended skill installation directory by manipulating the `Name` argument in the Skill Installation Handler. The flaw resides in the `_add_url` and `_add_package` functions within `agent/skills/service.py`, which fail to sanitize path components before constructing filesystem paths during skill installation. No public exploit or active exploitation confirmed (no CISA KEV listing); a vendor-released patch exists in version 2.1.2.

Path Traversal
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM This Month

Path traversal via the unsanitized 'X-FILENAME' HTTP header in the ARMember WordPress membership plugin allows unauthenticated remote attackers to upload and overwrite files outside the intended 'wp-content/uploads/armember' directory on affected WordPress installations running versions 4.0.27 and earlier. The integrity impact is limited by the plugin's handling of 'certain files (e.g., CSS)' rather than arbitrary file types, capping the CVSS score at 5.3 Medium; however, successful exploitation can enable website defacement or manipulation of frontend assets without any authentication. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Path Traversal
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

Path traversal in halo-dev/halo through version 2.24.2 allows authenticated administrators to write files outside the intended theme directory by supplying a crafted `metadata.name` value during theme installation. The flaw resides in the `ThemeUtils.unzipThemeTo()` function in `ThemeUtils.java`, which fails to sanitize the metadata name before constructing extraction paths. A public proof-of-concept exploit exists, but real-world impact is substantially constrained by the PR:H prerequisite - the attacker must already hold admin-level credentials - yielding a CVSS 4.0 score of only 2.0 and no CISA KEV listing.

Java Path Traversal Halo
NVD VulDB GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Technology, Inc.) version 3.5.0.r 2024/05/24 00:00:00. An unauthenticated attacker can craft malicious HTTP requests containing traversal sequences to access files outside of the intended web root directory. This may allow disclosure of sensitive system files and configuration data

Path Traversal N A
NVD GitHub
MEDIUM POC PATCH This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow +3
NVD GitHub
CVSS 5.4
MEDIUM PATCH This Month

Path traversal in rattler_cache and py-rattler exposes the victim's filesystem to out-of-bounds file writes when package metadata from an untrusted conda channel contains path separators or directory traversal sequences in the build string. Users who install packages from a malicious channel trigger cache materialization logic that joins the unsanitized build string into a filesystem path, allowing package contents to land outside the configured cache directory. No public exploit has been identified and no CISA KEV listing exists; exploitation requires deliberate use of an untrusted channel (CVSS UI:R), meaningfully limiting real-world exposure.

Path Traversal
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Authenticated path traversal in SiYuan personal knowledge management system (versions prior to 3.7.1) lets a low-privileged user read arbitrary workspace files by abusing the /snippets/*filepath handler. Because serveSnippets in kernel/server/serve.go single-decodes the request path and joins it to the snippets directory without containment or sensitive-file checks, a request like /snippets/%2e%2e/%2e%2e/conf/conf.json returns workspace secrets and the document database. No public exploit identified at time of analysis, though the fixing commit publicly reveals the vulnerable code path.

Path Traversal Siyuan
NVD GitHub
CRITICAL POC PATCH Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF +3
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the `getSafeFilePath` function in `packages/commons-server/src/libs/server/server.ts`, which enforces directory confinement using a bare string-prefix check (`resolvedPath.startsWith(staticBaseDir)`) without a path-separator boundary. Because any path whose absolute form begins with the base directory string - including sibling directories sharing a common prefix - passes this check, crafted `../`-escaped values embedded in request data can escape the sandbox across HTTP sendFile, WebSocket, and callback channels. No public exploit code identified at time of analysis and no CISA KEV listing.

Path Traversal Mockoon
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in Open WebUI's terminal proxy (versions 0.9.6 through 0.9.x, fixed in 0.10.0) lets an authenticated attacker reach files and resources outside the intended proxy scope. The _sanitize_proxy_path routine in backend/open_webui/routers/terminals.py decoded incoming proxy paths exactly eight times, so a nine-times percent-encoded ../ sequence survived normalization and was decoded a final time by the upstream terminal server, defeating the traversal check. No public exploit or CISA KEV listing exists at time of analysis, but the scope-changing CVSS 3.1 score of 7.7 (S:C/C:H) signals meaningful confidentiality impact on the backend terminal component.

Path Traversal Open Webui
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Path traversal in the TOTOLINK X5000R router's OpenVPN Export CGI handler exposes arbitrary router filesystem files to remote unauthenticated attackers. The `exportOvpn` function within `/web/cgi-bin/cstecgi.cgi` fails to sanitize user-controlled path input, allowing directory traversal sequences to escape the intended export directory. A public proof-of-concept exists (GitHub: meishigana/CVE, referenced 2026-06-09), and the CVSS 4.0 supplemental metric E:P confirms exploit code is available, elevating practical risk beyond the moderate 5.5 base score.

Path Traversal
NVD GitHub VulDB
EPSS 1% CVSS 7.1
HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE +1
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 8.5 (High).

Bosh Cli Tool Path Traversal
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal in tumf mcp-text-editor up to version 1.0.2 allows remote attackers to read, write, or delete files outside the intended directory by supplying manipulated file path arguments to the `_validate_file_path` function in `mcp_text_editor/text_editor.py`. A public exploit has been disclosed (confirmed by VulDB and reflected in the CVSS 4.0 E:P modifier), and the vendor has closed the tracking GitHub issue without explanation, leaving the vulnerability unpatched. The CVSS 4.0 base score of 2.1 reflects limited confidentiality, integrity, and availability impact alongside a required user interaction step.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Directory traversal and arbitrary file write in the decompress npm package (versions before 4.2.2) stem from a prefix-confusion flaw in path boundary validation using String.indexOf() at two locations in index.js. An attacker supplying a crafted archive can write files to filesystem directories adjacent to the intended extraction target - for example, escaping /tmp/app into /tmp/app_config - bypassing both the safeMakeDir function and the extraction path validation. This is a confirmed bypass of the prior fix for CVE-2020-12265; no public exploit has been identified at time of analysis and EPSS is low at 0.26% (17th percentile), though the integrity impact is rated high by CVSS.

Path Traversal N A
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Unauthenticated arbitrary file/directory deletion in the Appium storage plugin (versions prior to 1.1.6) allows a remote client to recursively delete writable files outside the storage root via the POST /storage/delete endpoint. The handler feeds the user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, so ../ sequences escape the intended directory. No public exploit was identified at time of analysis, but the fix is straightforward to reverse-engineer from the published patch (commit 5fee017 / PR #22362).

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary file write in the AsyncSSH Python library (versions prior to 2.23.1) allows a malicious or compromised SSH server to plant files anywhere on an SCP client's filesystem when a user initiates a file-copy operation against it. Because the SCP client trusts server-supplied filenames verbatim, a hostile server can return names containing ../ sequences to escape the intended download directory, enabling code execution or system tampering. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Python Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Python Path Traversal
NVD GitHub VulDB
CVSS 5.5
MEDIUM PATCH This Month

Path traversal via the COAR Notify / Linked Data Notifications (LDN) service in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated DSpace administrator to reference arbitrary filesystem paths as LDN inbound-pattern templates, causing those files to be read and interpreted as Apache Velocity templates. While no public exploit or active exploitation has been identified, the vulnerability was demonstrated as part of a proven attack chain in which an administrator stages a malicious Velocity payload in a predictable file location and triggers its execution, enabling either sensitive file disclosure or arbitrary Java code execution via Velocity template injection. No special conditions (KEV, public PoC) are confirmed at time of analysis.

Java Path Traversal Tomcat +1
NVD GitHub
CVSS 5.5
MEDIUM PATCH This Month

Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.

Java Path Traversal Denial Of Service +1
NVD GitHub
CVSS 8.0
HIGH PATCH This Week

Remote code execution in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated administrator to execute arbitrary Java via Velocity templates used to render COAR Notify/LDN messages, using reflection to escape the templating sandbox. Exploitation requires valid DSpace administrator credentials and is most impactful when chained with the related LDN path-traversal flaw (GHSA-9qm4-rh6w-pq5x). No public exploit identified at time of analysis, and CVSS is 8.0 (High).

Path Traversal Code Injection Tomcat +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in Progress MOVEit Transfer's Admin Settings module (versions before 2025.0.7 and 2025.1.0 before 2025.1.3) lets remote attackers supply relative '../' sequences to read files outside the intended directory, exposing sensitive configuration or system data. The CVSS 3.1 vector scores it 7.5 with confidentiality-only impact (C:H/I:N/A:N) and no listed authentication (PR:N), though the 'Admin Settings' location warrants scrutiny of that claim. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and CISA SSVC records no known exploitation.

Path Traversal Moveit Transfer
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.

Path Traversal PHP Composer
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.

Path Traversal PHP Composer
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Path traversal in LiteLLM's Skills archive extraction enables authenticated users with access to specific LLM API routes to write arbitrary files outside the intended server extraction directory by uploading a crafted ZIP archive containing path traversal entries. Affected versions are all LiteLLM releases prior to 1.83.7-stable; the CPE confirms the entire berriai/litellm product line is in scope. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity and availability impact is rated High in the vendor-provided CVSS 4.0 vector, making this a meaningful risk for any LiteLLM deployment that exposes the Skills upload feature to untrusted authenticated users.

Path Traversal Litellm
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Path traversal in Mistune's Include plugin allows reading arbitrary files from the server filesystem when processing attacker-controlled markdown. Applications using md.read() with the Include plugin on markdown content supplied by external users are exposed: a crafted include directive can escape the intended markdown base directory to access any file readable by the running process. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 3.3.0.

Python Path Traversal Mistune
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Trust-boundary bypass in Copier 9.5.0 through 9.15.1 lets an attacker-controlled template execute arbitrary commands without the usual --trust confirmation. The flaw stems from the trust prefix check using a raw str.startswith on the un-normalized template URL, so a reference that textually begins with a trusted prefix but contains '..' is granted trust while actually resolving to a different template whose tasks/migrations/jinja_extensions then run. No public exploit identified at time of analysis, and it is not in CISA KEV; fixed in 9.15.2.

Path Traversal Copier
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-bucket object disclosure in SeaweedFS S3 API gateway (versions prior to 4.34) allows an authenticated identity scoped to a single bucket to read objects from other buckets by injecting dot-dot (../) path segments into the X-Amz-Copy-Source header of CopyObject and UploadPartCopy requests. Because the gateway performs a server-side copy without normalizing or rejecting traversal segments, the bucket-level access boundary is bypassed. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the fix in 4.34 is confirmed via the vendor security advisory and source commit.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. No public exploit has been identified at time of analysis, but the scope-change characteristic (S:C in the CVSS vector) means successful exploitation extends impact beyond the web application's permission boundary.

Path Traversal
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Path traversal in BBOT's github_workflows module allows a crafted CODE_REPOSITORY URL to write a downloaded artifact outside the operator-configured output directory by bypassing a path-containment check that failed to resolve `..` sequences. Affected versions span all BBOT releases per CPE data, with a fix available via upstream commit. The write primitive is constrained to at most two directory levels above the output location, and the destination is shaped by the operator's own configuration rather than fully attacker-controlled, significantly limiting real-world impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Bbot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP +2
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Path traversal in Flowise's Faiss and SimpleStore vector store implementations allows any holder of a valid API token to write vector store data to arbitrary filesystem locations, creating a practical path to remote code execution or data exfiltration on the hosting server. All Flowise deployments prior to version 3.1.0 are affected when either of these two vector store backends is configured. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the post-authentication exploitation path is low-complexity, making timely patching critical especially in multi-tenant or shared deployments where API tokens are broadly distributed.

Path Traversal RCE
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Unauthorized file modification in Dell PowerProtect Data Domain allows a high-privileged remote attacker to write files outside the intended restricted directory via path traversal. Affected across multiple release trains spanning versions 7.7.1.0 through 8.7, including LTS2024, LTS2025, and LTS2026 branches. Dell has published advisory DSA-2026-278 addressing this flaw; no public exploit code or active exploitation has been identified at time of analysis.

Dell Path Traversal Data Domain Operating System
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high across confidentiality, integrity, and availability, but exploitation is confined to attackers who already have a local foothold on the machine.

Privilege Escalation Path Traversal Microsoft +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal +1
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. EPSS was not provided, but the network-reachable, unauthenticated nature of the bug makes it an attractive scanning target.

WordPress Path Traversal Jssor Slider By Jssor Com
NVD VulDB
CVSS 7.7
HIGH POC This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Arbitrary file deletion in DataEase (open-source data visualization and analytics platform) before 2.10.24 lets authenticated users delete arbitrary writable files inside the application container via a path traversal in the font management module. The stored fileTransName value is concatenated with the font storage directory and passed unsanitized to FileUtils.deleteFile() when a font record is deleted. No public exploit identified at time of analysis; the CVSS 4.0 base score is 7.2 (VI:H/VA:H), reflecting integrity and availability impact without confidentiality loss.

Path Traversal Dataease
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal +1
NVD
CRITICAL PATCH Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE +1
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Red Hat Path Traversal +7
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 7.1, driven primarily by high availability impact.

Path Traversal File Upload
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.

PostgreSQL Path Traversal PHP +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. Reported by HashiCorp with no public exploit identified at time of analysis; the CVSS 7.7 (scope-changed) score reflects high confidentiality impact against a self-hosted enterprise platform.

Hashicorp Path Traversal Terraform Enterprise
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file read and write via archive extraction in the Node.js @xhmikosr/decompress library (and the unmaintained upstream decompress package) lets a crafted tar, tar.gz, tar.bz2, or zip archive escape the intended output directory. The flaw combines unchecked hardlink/symlink targets, a broken string-prefix containment check that allows escape into sibling directories, and mode application that preserves setuid/setgid/sticky bits - enabling attackers to read sensitive files, overwrite files outside the target, and plant privileged binaries when extraction runs as root. No public exploit identified at time of analysis, but the closely related upstream CVE-2020-12265 demonstrates the exploitability of this class.

Path Traversal
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. CVSS is 9.6 (Critical); no public exploit is identified at time of analysis and it is not listed in CISA KEV, but a fix commit and GHSA advisory are published.

Path Traversal RCE Crawl4ai
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated file disclosure in Esri ArcGIS Server (all versions 12.0 and prior) lets remote attackers read sensitive files by supplying crafted path parameters that escape the intended directory. The flaw is network-reachable with no authentication or user interaction and, per CISA's SSVC framework, is automatable with total technical impact, though no public exploit has been identified and EPSS exploitation probability remains modest at 0.72%. Esri disclosed and patched the issue in its May 2026 ArcGIS security bulletin.

Path Traversal Arcgis Server
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file write via path traversal in pnpm prior to 10.34.4 and 11.7.0 lets a crafted lockfile place or overwrite files outside the intended hoisted node_modules directory when a victim installs dependencies. A malicious pnpm-lock.yaml can supply an alias containing traversal sequences (e.g. ../) to escape the module directory, or use reserved aliases like .bin or .pnpm to clobber pnpm-owned layout, enabling integrity compromise of the install tree. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is remotely deliverable through shared repositories or packages and requires only that a user run an install.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary out-of-tree file/symlink write via path traversal in pnpm before 10.34.4 and 11.8.0 allows a malicious repository to escape node_modules/.pnpm-config by committing a crafted pnpm-lock.yaml whose env-lockfile configDependencies section carries a traversal-shaped package name. When a victim runs pnpm install, pnpm trusts that attacker-controlled name and creates a config-dependency symlink at the derived path, letting an attacker place symlinks outside the intended directory. No public exploit is identified at time of analysis, but exploitation only requires the victim to install dependencies from the poisoned repo (UI:R); CVSS is 8.2 (High) with a scope change.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file deletion in pnpm before 10.34.4 and 11.7.0 allows a malicious project to delete any file reachable by the user when they run 'pnpm patch-remove'. A crafted patch entry escapes the configured patches directory via path traversal (CWE-22), so cloning or installing an attacker-controlled repository and running the patch-remove command destroys files outside the project. No public exploit identified at time of analysis and it is not on CISA KEV; exploitation requires the victim to run the specific command against poisoned configuration.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Path Traversal RCE Owncloud 10
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Path traversal in LangSmith Client SDK's TracingMiddleware (versions prior to 0.8.18) enables a trust-boundary crossing where any party with LangSmith workspace trace-read access can exfiltrate arbitrary files from servers running the middleware. An attacker sends a crafted HTTP request to a TracingMiddleware-instrumented server, causing it to read a local filesystem path and upload the contents to LangSmith as a trace attachment, which the attacker then retrieves via their workspace access. No public exploit has been identified at time of analysis, but the low complexity and broadly scoped file read make this a meaningful risk for any multi-tenant or contractor-accessible LangSmith deployment.

Path Traversal Langsmith Sdk
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Symlink traversal in pydantic-settings 2.12.0-2.14.1 allows a local low-privileged attacker with write access to the configured secrets directory to read arbitrary files from the host filesystem into application settings when secrets_nested_subdir=True. The same code path also bypasses the secrets_dir_max_size loading cap, undermining an advertised safety control. No public exploit or CISA KEV listing exists; the vendor-released fix is version 2.14.2.

Path Traversal Pydantic Settings
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Path traversal in the T-Systems TAO 2.0 suite - spanning Archivo, MyTAO, Estima, and BuroWeb - allows an authenticated low-privileged attacker to escape the application's intended file scope via crafted paths submitted to web-based file management or upload features, yielding high confidentiality impact. The CVSS 4.0 vector confirms network accessibility with low privileges required and an additional attack prerequisite (AT:P), tempering the otherwise straightforward exploitation profile. A vendor patch is available per INCIBE advisory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Archivo Mytao +2
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.

Authentication Bypass Path Traversal Apache +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).

Command Injection Path Traversal Microsoft +2
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal in NousResearch hermes-agent 2026.5.29.2 allows low-privilege authenticated remote attackers to read files outside the intended directory by supplying crafted path traversal sequences in the `Name` argument of the `skill_view` function within `tools/skills_tool.py`. Impact is confined to limited confidentiality exposure - no integrity or availability effect - consistent with the CVSS 4.0 score of 2.1 (Low). A public exploit has been disclosed (CVSS E:P), though no active exploitation has been confirmed via CISA KEV.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in AIL Framework's PDF object handling lets an authenticated user read files outside the intended PDF storage directory. The PDF.get_filepath() function joined the configured PDF_FOLDER with an attacker-influenced object identifier without validating the resolved location, so crafted relative traversal sequences or absolute path components could point AIL at arbitrary files readable by the service account, exposing configuration, credentials, or other local secrets. No public exploit identified at time of analysis, and the vendor notes exploitation is only potential because additional errors must be overcome before the traversal executes.

Path Traversal Ail Framework
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Path Traversal PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap exposes server-side files and upload directories to manipulation via the unsanitized `folder` parameter in the Vendor Multi-Image Endpoint (AddProduct.php), enabling remote attackers to read or write files outside the designated upload path. A public exploit has been released per GitHub Security Advisory GHSA-6whv-r5hm-vcjr and the CVSS 4.0 E:P modifier confirms proof-of-concept availability, with a base score of 6.9 reflecting low-complexity network exploitation. No CISA KEV listing was identified; however, all deployed instances cloned prior to patch commit 2a9497ff are exposed, as this is a rolling-release project with no discrete versioned releases.

Path Traversal PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the Live Webhook Endpoint's `extract_media` function in `gateway/platforms/base.py`. Remote, unauthenticated attackers can read files outside the intended directory, resulting in low-confidentiality-impact disclosure - potentially exposing configuration files, credentials, or internal data. A public proof-of-concept exploit is available on GitHub; however, this vulnerability has not been listed in CISA KEV, indicating active exploitation is not yet confirmed at time of analysis.

Path Traversal Hermes Agent
NVD VulDB GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Path traversal in Apache Airflow's Google provider (apache-airflow-providers-google before 22.2.1) lets a principal with write access to a source GCS bucket overwrite arbitrary files on the SFTP server (GCSToSFTPOperator) or the worker host (GCSTimeSpanFileTransformOperator) by crafting a GCS object name containing `..` segments. Because the bucket writer is frequently a lower-trust party than the DAG author (partner uploads, ingest-only service accounts, public-data buckets), exploitation crosses a trust boundary that operators may not have modeled. No public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none, so this is a real but non-default, targeted-risk integrity flaw rather than a mass-exploitable one.

Apache Path Traversal Google +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

Path Traversal Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Path traversal in Dell PowerProtect Data Domain allows a locally authenticated high-privileged attacker to read files outside restricted directories, resulting in information disclosure. Affected deployments span multiple release trains - standard releases 7.7.1.0 through 8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70. No public exploit identified at time of analysis; the low CVSS score of 2.3 correctly reflects the high privilege and local access prerequisites that substantially constrain real-world exploitation scope.

Dell Path Traversal Information Disclosure +1
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. Exploitation is gated by high attack complexity and specific attack requirements, making practical abuse less trivial than the raw score suggests.

Path Traversal Apache Lucene Net
NVD
Prev Page 2 of 86 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
7723

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy