Path Traversal

Directory traversal in Spring Cloud Config server module allows remote unauthenticated attackers to read arbitrary files from the file system using specially crafted URLs. Affects Spring Cloud Config versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2, with patches available across all branches. The vulnerability achieves CVSS 9.1 (Critical) due to remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N) and high confidentiality/integrity impact, though EPSS and KEV data are not available to confirm active exploitation status. VMware/Spring has released fixes for all affected versions.

Path traversal in FileBrowser allows unauthenticated attackers possessing a valid public share hash with delete permissions to delete arbitrary files anywhere within the share owner's storage scope. The vulnerability exists in both stable and development versions due to user-controlled path input being joined with trusted base paths before sanitization in middleware.go:111 and resource.go:274. Proof-of-concept exploit code is publicly available via GitHub advisory GHSA-fwj3-42wh-8673. Vendor-released patch available in commit 112740bdd41de7d5eb01e13ba49d406bfc463f69.

Path traversal in Rancher's UI Extensions mechanism allows authenticated administrators to write arbitrary files to the Rancher server filesystem, potentially overwriting binaries, tampering with cluster state in /var/lib/rancher/, or compromising the host node if hostPath volumes are mounted. This affects Rancher versions 2.10.11 through 2.14.0. While exploitation requires high privileges (administrator access by default) and user interaction to install a malicious extension, the changed scope (S:C) in CVSS 3.1 indicates potential container escape or cross-component impact. Vendor-released patches are available across all affected release branches (2.11.13, 2.12.9, 2.13.5, 2.14.1). No public exploit identified at time of analysis, though the attack technique (CAPEC-126 path traversal) is well-documented.

Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.

Angular SSR applications fail to properly validate URL-encoded path traversal sequences in the X-Forwarded-Prefix header, allowing attackers to trigger open redirects or steer server-side HTTP requests to unintended endpoints when the application is configured to trust proxy headers and deployed behind an unsanitized proxy. Exploitation requires the upstream proxy to forward the X-Forwarded-Prefix header without stripping encoded dots (%2e%2e), and the Angular application must perform internal redirects or use relative URLs in server-side HttpClient requests. Vendor-released patches are available for all supported versions.

{ "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } ``` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: ``` GET /api/orders/..%2fadmin%2fconfig.json ``` Nitro sees `..%2f` as opaque characters at match time, the `/api/orders/**` rule matched, and the raw path was forwarded to the upstream as `/orders/..%2fadmin/config.json`. An upstream that decodes `%2F` to `/` then resolved `..` and can serve `/admin/config.json` outside the intended scope. Users may be affected if **ALL** of the following are true: 1. Their project uses Nitro's `routeRules` with a `proxy` entry (`{ proxy: { to: "..." } }`). 2. The proxy `to` value uses a `/**` wildcard suffix to forward sub-paths. 3. The **upstream** behind the proxy decodes `%2F` as `/` before routing or filesystem lookup. 4. Proxy route rules are _not_ handled natively at CDN (nitro v3 and vercel) Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep `%2F` opaque per RFC 3986 and are safe by construction. - **Safe examples:** H3 v2, Express v5, Hono v4 - modern JS frameworks keep `%2F` opaque per RFC 3986. - **Vulnerable examples:** naive imlementations that decodes the URL, static file servers, CGI dispatchers, Python `os.path`-based routing, anything sitting behind another layer that decodes `%2F` (common in microservice meshes). Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured `/**` scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off. Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (https://github.com/nitrojs/nitro/pull/4223) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4222) The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with `400 Bad Request` if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed. > Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (`%252F → %2F → /`), it remains your responsibility to harden it. **Single-decode is standard**. Reported by [@mHe4am](https://github.com/mHe4am) ([@he4am on HackerOne](https://hackerone.com/he4am)) via the [Vercel Open Source](https://hackerone.com/vercel-open-source?type=team) program.

Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.

FlightPHP Core's default error handler exposes full exception messages, stack traces, and absolute filesystem paths in HTTP 500 responses without any debug-mode gating. All versions before 3.18.1 leak internal application structure, vendor package names, and any secrets interpolated into exception messages to unauthenticated remote attackers. This information disclosure primes follow-on attacks like LFI and path traversal by revealing server paths and configuration file locations. Vendor-released patch in version 3.18.1 introduces a flight.debug setting (default false) that suppresses verbose output in production. CVSS 7.5 reflects network-accessible information disclosure with no privileges required.

{ $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. Discovered by **@Rootingg**.

Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.

Path traversal vulnerability in Magic Wormhole receive command allows authenticated attackers to write files outside the intended output directory when the specified output directory already exists, enabling arbitrary file write with low complexity via network delivery of a specially crafted transfer request.

Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.

Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.

Local privilege escalation in ZTE PROCESS Guard Service allows authenticated local users to escalate privileges and achieve arbitrary code execution through improper access control enforcement, affecting the cloud computer client. The vulnerability requires local access and authenticated user context but operates across system boundaries, potentially compromising system integrity. No active exploitation has been confirmed at time of analysis, though the combination of privilege escalation and RCE capability makes this a moderate-priority local threat.

Path traversal vulnerability in Apache Wicket's FolderUploadsFileManager allows unauthenticated attackers to read arbitrary files or write files outside the intended upload directory by exploiting unsanitized uploadFieldId and clientFileName parameters. Affected versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0 are vulnerable to remote file access and modification without authentication or user interaction. Vendor-released patch available in version 10.9.0.

Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.

Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.

Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Absolute path traversal in pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names in the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, system directories) bypassing intended download directory restrictions, enabling configuration overwrite or denial of service through disk exhaustion. Publicly available exploit code exists with complete proof-of-concept in the GitHub security advisory. CVSS 8.1 (High) reflects high integrity and availability impact limited by low-privilege authentication requirement.

Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.

Arbitrary file write in wireshark-mcp up to version 1.1.5 allows remote attackers to write files to any filesystem location via prompt injection in pcap payloads that trigger the wireshark_export_objects MCP tool. The vulnerability exploits missing mandatory path restrictions when the WIRESHARK_MCP_ALLOWED_DIRS environment variable is not configured (default state). An attacker can craft a malicious pcap with embedded HTTP objects bearing filenames like authorized_keys, manipulate an AI model using the MCP server into calling export_objects with dest_dir=/home/user/.ssh/, and achieve SSH access, cron hijacking, or web shell placement. Publicly available proof of concept confirms exploitation against version 1.1.5 with tshark 4.6.4; no vendor-released patch exists at time of analysis.

Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. Vendor-confirmed vulnerability with patch released in version 7.0.2. No active exploitation confirmed (not in CISA KEV). CVSS metrics not available, but path traversal combined with file handling operations presents moderate confidentiality and integrity risk depending on application-specific file processing logic.

Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.

Path traversal and authentication bypass in s3-proxy allows remote unauthenticated attackers to read, write, or delete objects in protected S3 namespaces via percent-encoded slashes (%2F) and dot-segment traversal. Three distinct bypass mechanisms exploit mismatches between encoded/decoded path handling: (1) wildcard glob patterns lacking path separators match across directory boundaries, (2) percent-encoded slashes collapse into decoded paths after authentication checks, and (3) dot-segment sequences bypass prefix-based access controls. Vendor-released patches available in commits 1320e4abd and af5ff57d. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible unauthenticated access, though exploitation requires specific resource path configurations using wildcards or prefix patterns.

Path traversal in Langflow's Knowledge Bases API allows authenticated attackers to delete arbitrary directories on the server filesystem via crafted DELETE requests to /api/v1/knowledge_bases. The vulnerability (CVSS 9.6, Critical) stems from insufficient input validation in the delete_knowledge_bases_bulk function, which passes user-supplied knowledge base names directly to shutil.rmtree() without path containment checks. Publicly available exploit code exists (PoC disclosed in GHSA-9whx-c884-c68q), enabling cross-tenant data destruction and service disruption. Fixed in version 1.9.0 via PR #12243.

Authenticated users can access, modify, and delete files in sibling directories outside Jupyter Server's configured root_dir by exploiting a flawed string prefix check in path validation (CWE-22). Jupyter Server <=2.17.0 incorrectly uses startswith() validation, allowing attackers to traverse to directories like 'testtest/' when root is 'test/'. Publicly available exploit code exists. This primarily threatens multi-tenant deployments with predictable naming schemes (e.g., user1, user10-user19) where low-privileged users can escalate to access other users' workspaces. CVSS 7.1 reflects network-accessible attack requiring low privileges but high attack complexity; EPSS data not provided but real-world risk is significant for affected multi-tenant environments.

Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.

Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.

Arbitrary file deletion via path traversal in Betheme WordPress theme version 28.4 and earlier allows authenticated contributors and above to delete arbitrary files on the server by manipulating the mfn-icon-upload parameter in the upload_icons() function. The vulnerability requires valid WordPress account credentials at contributor level or higher but exploits an unconstrained filesystem move operation to bypass upload directory restrictions. No public exploit code or active KEV listing identified at analysis time.

Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.

Path traversal vulnerability in 54yyyu code-mcp's MCP File Handler (function is_safe_path in src/code_mcp/server.py) allows remote unauthenticated attackers to access files outside intended directories with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the project uses rolling releases without versioned releases, and the vendor has not yet responded to early disclosure.

Path traversal in UsamaK98 python-notebook-mcp allows remote unauthenticated attackers to read, write, and manipulate notebook files outside their intended directory via crafted input to the create_notebook, read_notebook, edit_cell, and add_cell functions in server.py. Public exploit code is available. The project uses rolling releases with no versioning, and the vendor has not yet responded to the initial issue report despite early notification.

EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.

Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.

Arbitrary file writing via directory traversal in Nix versions before 2.34.7 allows unauthenticated remote attackers to overwrite files on systems running vulnerable versions of nix-prefetch-url or nix store prefetch-file with the --unpack flag. The vulnerability exploits improper path validation during archive extraction, enabling an attacker to craft malicious packages that write to arbitrary filesystem locations when unpacked. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) reflects network-based exploitation without authentication, though real-world impact depends on file permissions and deployment context. No active exploitation has been confirmed in CISA KEV at time of analysis.

Path traversal vulnerability in Apache Thrift Node.js web_server.js (versions prior to 0.23.0) allows remote unauthenticated attackers to read arbitrary files, write to unauthorized locations, and potentially execute code. Disclosed via oss-security mailing list pre-NVD publication. EPSS score of 0.01% indicates low observed exploitation probability despite network-accessible attack vector and no authentication requirement. CISA SSVC framework classifies this as automatable with partial technical impact but no confirmed exploitation. Patch available in version 0.23.0.

Path traversal vulnerability in RTGS2017 NagaAgent up to version 5.1.0 allows remote unauthenticated attackers to manipulate the Name argument in the Skills Endpoint (apiserver/routes/extensions.py) to access arbitrary files on the server with limited confidentiality impact. Exploit code has been publicly disclosed and the vendor was informed via issue report but has not responded with a patch.

Path traversal in Axle-Bucamp MCP-Docusaurus document handling functions allows remote unauthenticated attackers to manipulate the DOCS_DIR path parameter in update_document, continue_document, delete_document, and get_content endpoints, enabling unauthorized file access and manipulation. The vulnerability affects all versions up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0, with publicly available exploit code disclosed via GitHub issues.

Symlink-following path traversal in apko (versions 0.14.8 through <1.2.5) allows malicious APK archives to write arbitrary files to host paths during build operations. A crafted .apk can install a symlink entry pointing outside the build root, then traverse that symlink via subsequent file-write or directory-creation operations to reach any path writable by the build user. Affects disk-backed operations in apko build-cpio and downstream tools like melange; in-memory tarfs paths (apko build, apko publish) are not vulnerable. Vendor-released patch available in apko v1.2.5. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates network-reachable unauthenticated exploitation, though practical attack requires convincing a target to process the malicious APK during a build. No EPSS or KEV data available; publicly available exploit code exists in the form of regression tests demonstrating each primitive.

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.

Path traversal (Zip Slip) vulnerability in OpenMRS Core ≤ 2.7.8 and 2.8.0-2.8.5 allows authenticated administrators to achieve remote code execution by uploading a malicious .omod module archive to the REST API endpoint POST /openmrs/ws/rest/v1/module. Attackers can write arbitrary JSP files to the Tomcat webroot via crafted ZIP entries containing directory traversal sequences (e.g., web/module/../../../../malicious.jsp), which bypass incomplete path validation in WebModuleUtil.startModule(). The vulnerability also bypasses the module.allow_web_admin security control, as the REST API does not enforce this restriction despite Legacy UI being protected. No vendor-released patch identified at time of analysis for either affected version range.

Path traversal in Detect-It-Easy archive extraction allows local attackers to write arbitrary files outside intended directories and achieve persistent code execution by overwriting user startup scripts. Affects all versions prior to 3.21. Exploitation requires user interaction to open a specially crafted archive file. Vendor-released patch available in version 3.21, with fixes applied across multiple repository components (DIE-engine, Formats, XArchive). No public exploit identified at time of analysis, though the vulnerability class is well-understood and exploitation techniques are documented.

Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.

OpenC3 COSMOS before versions 6.10.5 and 7.0.0-rc3 allows authenticated users to write arbitrary files to the shared /plugins directory via path traversal sequences in tool configuration filenames, potentially overwriting other plugins' configuration files. The vulnerability exists in the save_tool_config() function which canonicalizes filenames but does not restrict writes to plugin-specific subdirectories, enabling lateral movement between plugins. CVSS 4.3 reflects low severity due to authentication requirement and limited scope (integrity only), though real-world impact depends on whether plugin configurations contain sensitive data.

Arbitrary file write vulnerability in PPTAgent prior to commit 418491a allows authenticated users with UI interaction to write files outside the intended workspace via path traversal in the save_generated_slides function, potentially overwriting arbitrary files on the system. CVSS 4.6 (low integrity and availability impact); no public exploit code identified at time of analysis.

PPTAgent prior to commit 418491a allows authenticated users to write arbitrary files and create directories outside intended workspace boundaries via path traversal in the markdown_table_to_image function. An attacker with login access can supply crafted file paths containing directory traversal sequences to escape the configured workspace and write malicious files to arbitrary locations on the system. The vulnerability requires user interaction (UI:R in CVSS vector) and affects confidentiality and availability, with no public exploit code identified at time of analysis.

Path traversal in Evolver's skill fetch command enables arbitrary file writes via unvalidated --out= flag. Authenticated attackers can overwrite system files or create malicious files in sensitive locations (e.g., cron directories) by using directory traversal sequences like '../../../etc/cron.d'. The vulnerability exists in index.js where user-provided paths from --out= are extracted without sanitization and passed directly to fs.mkdirSync(). Patch released in version 1.69.3. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation.

Path traversal in puchunjie doc-tools-mcp 1.0.18 MCP Interface allows authenticated remote attackers to access arbitrary files on the system via manipulation of the filePath argument in create_document and open_document functions. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists. The vendor has not responded to the early disclosure.

Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible web directory, allowing unauthenticated remote attackers to enumerate and download sensitive user data without authentication. The vulnerability affects all versions prior to 1.2.0, has publicly available proof-of-concept code, and carries moderate real-world risk due to the low attack complexity and high automatable nature of exploitation, though the actual severity is constrained by the fact that CSV export must first occur and require that files remain accessible.

Path traversal in ryanjoachim mcp-rtfm 0.1.0 allows authenticated remote attackers to read, write, and delete arbitrary files by manipulating the docFile parameter in the get_doc_content, read_doc, update_doc, and related MCP interface functions. Publicly available exploit code exists, and the vulnerability affects all versions of the product without a patched release identifier provided. An authenticated user can exploit this with no user interaction required via network access to escape the intended .handoff_docs directory and access files outside the designated documentation scope.

Path traversal in ravenwits mcp-server-arangodb up to version 0.4.7 allows authenticated remote attackers to manipulate the outputDir argument in the arango_backup function, enabling unauthorized file system access with limited confidentiality and integrity impact. The vulnerability affects the MCP Interface component and has publicly available exploit code; however, the low CVSS score (2.1) reflects constrained real-world risk due to the requirement for authenticated access and limited technical impact scope.

Path traversal vulnerability in AV Stumpfl Pixera Two Media Server up to version 25.1 R2 allows adjacent network attackers to access arbitrary files via manipulation of an unknown function on Service Port 1338. The vulnerability has a low CVSS score of 2.1 due to adjacency requirement (AV:A) and confidentiality-only impact, but publicly available exploit code exists and the vendor has released a patch in version 25.2 R3.

Path traversal in jsbroks COCO Annotator up to version 0.11.1 allows authenticated remote attackers to access arbitrary files on the server by manipulating the folder argument in the Data Endpoint (backend/webserver/api/datasets.py). The vulnerability requires valid user credentials and an attacker can only read files with limited technical impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Path traversal vulnerability in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to read arbitrary files on the server via manipulation of the fileName parameter in the ToolController.download endpoint. The vulnerability has publicly available exploit code and affects the Tool Download functionality, enabling unauthorized file disclosure with low CVSS impact (4.3) due to authentication requirements and limited scope.

Path traversal in the MCP Interface export_state function of ruvnet sublinear-time-solver 1.5.0 allows remote unauthenticated attackers to manipulate file paths, resulting in information disclosure and integrity compromise. Public exploit code is available and the vulnerability has CVSS 6.5 (medium severity) with proof-of-concept publicly disclosed, though the vendor has not yet responded to early notification.

Arbitrary file read in Salon Booking System plugin for WordPress (versions ≤10.30.25) allows unauthenticated remote attackers to exfiltrate sensitive local files by injecting malicious file paths into booking form fields, which are then attached to confirmation emails sent by the system. Wordfence identified this path traversal vulnerability (CWE-22) with a CVSS score of 7.5, exploitable without authentication or user interaction. The vulnerability is confirmed patched in version 10.30.26 via changeset 3512110, though no CISA KEV listing or public exploit code has been identified at time of analysis.

Path traversal in 8nite metatrader-4-mcp 1.0.0 allows authenticated remote attackers to access arbitrary files via manipulation of the ea_name argument in the CallToolRequestSchema function of src/index.ts. The vulnerability affects the sync_ea_from_file component, has publicly available exploit code, and impacts confidentiality with a CVSS score of 2.1. The vendor has not responded to early disclosure notification.

Path traversal in Dayoooun hwpx-mcp 0.2.0 allows authenticated remote attackers to manipulate the output_path argument in save_document, export_to_text, and export_to_html functions, enabling arbitrary file write or read operations outside intended directories. The vulnerability affects the MCP Interface component (mcp-server/src/index.ts) with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure.

Path traversal in Flux159 mcp-game-asset-gen 0.1.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files via manipulation of the statusFile parameter in the image_to_3d_async function. The vulnerability is confirmed actively exploited with publicly available exploit code (GitHub issue #3). CVSS 7.3 reflects network-accessible attack with low confidentiality, integrity, and availability impact. Despite early responsible disclosure via issue report, the maintainer has not responded, leaving the open-source project unpatched.

Path traversal in the CSV Export endpoint of ghantakiran's splunk-mcp-integration allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the job_name parameter in the create_csv_export function. The vulnerability affects all versions up to commit 0b86b09d5e5adf0433acd43c975951224613a1a6, with publicly available exploit code disclosed via GitHub issue; no vendor patch has been released despite early notification.

Path traversal in ggerve coding-standards-mcp server.py allows remote unauthenticated attackers to access arbitrary files by manipulating the Language parameter in the get_style_guide and get_best_practices functions. The vulnerability has publicly available exploit code and affects the product's rolling-release model where specific vulnerable versions are not formally documented. The project maintainer has not yet responded to the early vulnerability disclosure.

Path traversal in Fujian Apex LiveBOS through the /feed/UploadImage.do endpoint allows remote attackers to manipulate the filename parameter and write files to arbitrary locations on the server. Versions up to 2.0 are affected. Public exploit code is available. Upgrading to version 2.1 resolves the vulnerability.

Remote unauthenticated arbitrary file write in AGL (Automotive Grade Linux) app-framework-main through version 17.1.12 allows attackers to achieve code execution or system compromise via malicious widget packages. A crafted ZIP archive combining path traversal (../ sequences in filenames) with a time-of-check-time-of-use race condition allows files to be written anywhere on the filesystem before signature validation occurs. Even when signature checks fail, malicious files persist outside the temporary directory. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Public technical analysis available via GitHub Gist reference suggests proof-of-concept may exist.

Path traversal in Wireshark's profile import feature enables local attackers to achieve denial of service and potentially execute arbitrary code on Windows, macOS, and Linux systems running versions 4.6.0-4.6.4 or 4.4.0-4.4.14. The vulnerability (CWE-22) requires user interaction to import a maliciously crafted profile configuration file, with attack complexity rated high due to specific exploitation prerequisites. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data not available for comprehensive risk assessment.

Path traversal in IBM Langflow Desktop versions 1.8.4 and earlier allows authenticated remote attackers to read arbitrary files on the system by crafting URLs containing directory traversal sequences (/../). The vulnerability affects the file handling mechanism and could expose sensitive configuration, source code, or other confidential files accessible to the Langflow process. A vendor-released patch is available.

Authenticated attackers can exploit a path traversal vulnerability in IBM Langflow Desktop 1.2.0 through 1.8.4 to write arbitrary files to the system by crafting URLs containing directory traversal sequences (/../). The vulnerability requires prior authentication but allows complete bypass of file system restrictions, enabling file overwrite or creation outside intended directories with no integrity protections.

Unauthenticated remote file write in Shopizer v3.2.5 allows attackers to upload arbitrary files to any writable system path via path traversal in the /content/images/add endpoint. With CVSS 10.0 and network-based exploitation requiring no authentication or user interaction, this enables immediate remote code execution by uploading malicious executables or web shells. No public exploit confirmed at time of analysis, though the attack vector is straightforward for a path traversal vulnerability. EPSS data not available, but the technical characteristics (AV:N/PR:N/AC:L) indicate high exploitability once details become widely known.

Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. Scope change in CVSS vector indicates container escape or cross-tenant impact in multi-tenant deployments. No active exploitation confirmed (not in CISA KEV) but vulnerability disclosed via GitHub issue #530.

Path traversal in ColorOS Assistant allows local attackers to manipulate file downloads and cause high availability impact via an unauthenticated download channel. The vulnerability (CWE-23) enables writing files to arbitrary paths when a user is socially engineered to trigger the malicious download. OPPO has published a security advisory. No active exploitation confirmed; EPSS data not available for this recent 2026 CVE.

Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.

Path traversal in ZMCPTools up to version 0.2.2 allows authenticated remote attackers to read or manipulate files outside intended directories via the dirname argument in the MCP Log Resource Handler component. The vulnerability is exploitable over the network by authenticated users with low privileges, has publicly available exploit code, and carries a CVSS score of 2.1 reflecting low confidentiality and integrity impact with no scope expansion.

Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks: - **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path). - **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL). Example request: ``` GET /locales/resources.json?lng=../../etc/passwd&ns=root ``` with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service. - **Arbitrary file read** via `fs`-style backends - any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.). - **SSRF** via `http`-style backends - requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft. - **Unbounded growth of `i18next.options.ns`** - a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads. The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer. `< 3.9.3`. Fixed in **3.9.3**. The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector: ```js languages = languages.filter(utils.isSafeIdentifier) namespaces = namespaces.filter(utils.isSafeIdentifier) ``` `isSafeIdentifier` uses a denylist approach - it still accepts any legitimate i18next language-code shape ([i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)) - rejecting: - `..` sequences (relative path traversal) - path separators (`/`, `\`) - control characters (C0/C1) - prototype keys (`__proto__` / `constructor` / `prototype`) - empty strings and values longer than 128 characters Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply. No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer. - [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw) - prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules. - [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg) - HTTP response splitting + XSS-filter bypass (CVE-2026-41683). Discovered via an internal security audit of the i18next ecosystem. - [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html) - [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend) - [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)

A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with `..` values, along with a resource of type `stac-collection` defined in configuration. The issue has been patched in master branch and made available as part of the 0.23.3 release. The commit/fix can be found in [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52). Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

Path traversal in Admidio's document add mode allows authenticated attackers to register arbitrary server files into document folders via unvalidated `name` parameter, enabling arbitrary file read when combined with CSRF. A low-privileged user can trick a documents administrator into clicking a malicious link to register sensitive files like `install/config.php` (containing database credentials) into a publicly accessible documents folder, then download those files using the attacker's own session. The vulnerability chains insufficient input validation (accepts `../` sequences), missing CSRF protection on the `add` action, and `SameSite=Lax` cookies that permit cross-site GET requests from administrators.

Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.

Path traversal in mcpo-simple-server 0.2.0 and earlier enables unauthenticated remote attackers to delete arbitrary files via the delete_shared_prompt function. The vulnerability affects the prompt_manager module's base_manager.py file, where improper validation of the 'detail' parameter allows directory traversal sequences. A public proof-of-concept exploit exists (GitHub issue #4), making this an immediate threat to internet-exposed instances. EPSS data not available, but the combination of network exploitability (AV:N), no authentication required (PR:N), and public POC significantly elevates real-world risk despite moderate CVSS 7.3 score. Vendor has not responded to early disclosure.

Path traversal in geldata gel-mcp 0.1.0 allows remote unauthenticated attackers to read arbitrary files via manipulation of the rule_name argument in the list_rules and fetch_rule functions. The vulnerability has a CVSS score of 5.3 (Low confidentiality impact) with network accessibility and no authentication requirements. Public exploit code exists and the vendor has not responded to early disclosure.

A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.

A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/wecom.py of the component WeChat Work Platform Adapter. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services.

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Path Traversal. This issue affects Pardus Software Center: before 1.0.3.

A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c. This impacts the function search_papers of the file research_server.py. Performing a manipulation of the argument topic results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Cockpit CMS versions 2.13.5 and earlier allow authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets via directory traversal in the Buckets component. The vulnerability requires valid user authentication and does not impact confidentiality, but enables integrity compromise through malicious file placement or asset replacement. A proof-of-concept exists, though the SSVC framework rates automatable exploitation as unlikely, suggesting manual attack steps are required.