Path Traversal
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.
How It Works
Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation. Attackers inject special sequences like ../ (dot-dot-slash) to escape the intended directory and navigate to arbitrary locations in the file system. Each ../ sequence moves up one directory level, allowing an attacker to break out of a restricted folder and access sensitive files elsewhere on the server.
Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding becomes %252e%252e%252f (encoding the percent sign itself). Other evasion methods include nested sequences like ....// (which become ../ after filter removal), null byte injection (%00 to truncate path validation), and OS-specific path separators (backslashes on Windows). Absolute paths like /etc/passwd may also work if the application doesn't enforce relative path constraints.
The typical attack flow begins with identifying input parameters that reference files—such as file=, path=, template=, or page=. The attacker then tests various traversal payloads to determine if path validation exists and what depth is needed to reach system files. Success means reading configuration files, credentials, source code, or even writing malicious files if the application allows file uploads or modifications.
Impact
- Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
- Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
- System file access: Retrieving
/etc/passwd,/etc/shadow, or Windows SAM files for credential cracking - Configuration tampering: If write access exists, attackers modify settings or inject malicious code
- Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise
Real-World Examples
ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.
Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.
File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.
Mitigation
- Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
- Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
- Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
- Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
- Strip dangerous sequences: Remove
../,..\\, and encoded variants, though this alone is insufficient
Recent CVEs (7729)
wangxutech MoneyPrinterTurbo 1.2.6 allows path traversal via /api/v1/download/ URIs such as /api/v1/download//etc/passwd. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Relative path traversal vulnerability due to improper input validation in Digilent WaveForms that may result in arbitrary code execution. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Elevation of Privileges in the cleaning feature of Gen Digital CCleaner version 6.33.11465 on Windows allows a local user to gain SYSTEM privileges via exploiting insecure file delete operations. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
dstack is a software development kit (SDK) to simplify the deployment of arbitrary containerized apps into trusted execution environments. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability was identified in erjinzhi 10OA 1.0. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The User Meta - User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A security flaw has been discovered in Display Painéis TGA up to 7.1.41. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been found in binary-husky gpt_academic up to 3.91. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in kalcaddle kodbox 1.61. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A weakness has been identified in 299ko up to 2.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Mockoon provides way to design and run mock APIs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Path Traversal: '.../...//' vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
oasys v1.1 is vulnerable to Directory Traversal in ProcedureController. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
The upload endpoint insufficiently validates the 'Upload-Key' request header. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to write files to restricted components. Rated high severity (CVSS 7.6). No vendor patch available.
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Copyparty is a portable file server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal.000.0110.001 before 3.001.0031.001. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Relative Path Traversal vulnerability [CWE-23] in FortiWeb 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Vite is a frontend tooling framework for JavaScript. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
internetarchive is a Python and Command-Line Interface to Archive.org In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download() method of the. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Podman versions 4.0.0 through 5.6.0 allow authenticated remote attackers to overwrite arbitrary host files via symlink-based path traversal during 'kube play' operations. Attackers with low-privilege Kubernetes YAML deployment rights can craft Secret or ConfigMap volume mounts containing symlinks that redirect writes to host filesystem targets. While attackers control which file is overwritten, they cannot control the written content, enabling denial-of-service or integrity attacks against critical system files. Fixed in v5.6.1 with extensive Red Hat advisory coverage across RHEL distributions. EPSS score of 0.05% (15th percentile) suggests low observed exploitation probability despite confirmed patch availability.
Path Traversal vulnerability in Stefan Keller WooCommerce Payment Gateway for Saferpay allows Path Traversal.4.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An attacker with authenticated and privileged access could modify the contents of a non-sensitive file by traversing the path in the limited shell of the CLI. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In testGrantSlicePermission of SliceManagerTest.java, there is a possible permanent denial of service due to a path traversal error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In multiple locations, there is a possible Android/data access due to a path traversal error. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity.
A problem has been discovered in appRain CMF 4.0.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Soft Serve is a self-hostable Git server for the command line. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in glib. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
CData API Server MySQL Misconfiguration Information Disclosure Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Anritsu ShockLine CHX File Parsing Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
MobSF is a mobile application security testing tool used. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
MobSF is a mobile application security testing tool used. Rated low severity (CVSS 1.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The eHRD CTMS developed by Sunnet has an Arbitrary File Reading vulnerability, allowing remote attackers with administrator privileges to exploit Relative Path Traversal to download arbitrary system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect VioStor. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect Qsync Central. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect Qsync Central. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect Qsync Central. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect Qsync Central. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Opencast is a free, open-source platform to support the management of educational audio and video content. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Slider Revolution plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.7.36 via the 'used_svg' and 'used_images' parameters. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The QbiCRMGateway developed by Ai3 has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export allows Path Traversal.0.6. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Files or directories accessible to external parties issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SPON IP Network Broadcast System, a digital audio transmission platform developed by SPON Communications, contains an arbitrary file read vulnerability in the rj_get_token.php endpoint. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
LiveBOS, an object-oriented business architecture middleware suite developed by Apex Software Co., Ltd., contains an arbitrary file upload vulnerability in its UploadFile.do;.js.jsp endpoint. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the backup restore functionality of Cisco Nexus Dashboard could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal: '.../...//' vulnerability in Printeers Printeers Print & Ship allows Path Traversal.17.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Directory traversal vulnerability in AbanteCart version 1.4.2 allows unauthenticated attackers to gain access to sensitive system files via the template parameter to index.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A path traversal vulnerability in unauthenticated upload functionality allows a malicious actor to upload binaries and scripts to the server’s configuration and web root directories, achieving remote. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal.1.3, before 2024.2.12,. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (abdoc api - create-data-source-from-file-upload modules). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal.1.3, before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal.1.3, before 2024.2.12, before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
dpanel is an open source server management panel written in Go. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In MindManager Windows versions prior to 24.1.150, attackers could potentially write to unexpected directories in victims' machines via directory traversal if victims opened file attachments located. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 7729