Skip to main content

Path Traversal

web HIGH

Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.

How It Works

Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation. Attackers inject special sequences like ../ (dot-dot-slash) to escape the intended directory and navigate to arbitrary locations in the file system. Each ../ sequence moves up one directory level, allowing an attacker to break out of a restricted folder and access sensitive files elsewhere on the server.

Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding becomes %252e%252e%252f (encoding the percent sign itself). Other evasion methods include nested sequences like ....// (which become ../ after filter removal), null byte injection (%00 to truncate path validation), and OS-specific path separators (backslashes on Windows). Absolute paths like /etc/passwd may also work if the application doesn't enforce relative path constraints.

The typical attack flow begins with identifying input parameters that reference files—such as file=, path=, template=, or page=. The attacker then tests various traversal payloads to determine if path validation exists and what depth is needed to reach system files. Success means reading configuration files, credentials, source code, or even writing malicious files if the application allows file uploads or modifications.

Impact

  • Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
  • Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
  • System file access: Retrieving /etc/passwd, /etc/shadow, or Windows SAM files for credential cracking
  • Configuration tampering: If write access exists, attackers modify settings or inject malicious code
  • Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise

Real-World Examples

ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.

Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.

File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.

Mitigation

  • Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
  • Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
  • Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
  • Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
  • Strip dangerous sequences: Remove ../, ..\\, and encoded variants, though this alone is insufficient

Recent CVEs (7707)

EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the Tax Exempt for WooCommerce plugin (versions <= 1.9.3) by Addify enables authenticated customer-level users to read arbitrary files from the server's filesystem. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, as a low-privileged account (a standard customer/shopper) can traverse directory boundaries to access sensitive files such as wp-config.php containing database credentials. No public exploit code or active CISA KEV listing has been identified at time of analysis.

WordPress Path Traversal Tax Exempt For Woocommerce
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google +1
NVD VulDB
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

Privilege-escalating remote code execution in the Git Service shared by Altium Enterprise Server and Altium 365 lets an authenticated user with basic git access abuse post-clone file-manipulation operations to move arbitrary files outside the repository, plant executable script content, and run code as the Git Service account. On multi-tenant Altium 365 cloud nodes this also created a cross-tenant data-exposure path. No public exploit identified at time of analysis; the CVSS 4.0 score of 9.4 (Critical) reflects full confidentiality, integrity and availability impact with only low privileges required.

Path Traversal RCE
NVD
CVSS 7.1
HIGH PATCH This Week

Arbitrary CWD-file read and inode-tampering in the oras-go v2 content/file tar extractor allows an attacker who controls an OCI artifact to hardlink files from the pulling process's working directory into the extract tree. When a victim runs 'oras pull' (or any Go program using oras-go/v2/content/file) against a malicious layer marked with the io.deis.oras.content.unpack annotation, the flawed ensureLinkPath helper validates a resolved hardlink target but passes the original relative Linkname to os.Link, causing link(2) to resolve it against the process CWD instead of the extract base. Publicly available exploit code exists (detailed PoC and regression test in the advisory); this is not listed in CISA KEV and no active exploitation is confirmed.

Linux Ubuntu Path Traversal +1
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Arbitrary file read in Gradio before 6.16.0 lets remote unauthenticated attackers escape the FileExplorer component's configured root_dir by submitting path segments with traversal sequences ('../') or absolute paths, exploiting how os.path.join discards the root prefix when handed an absolute path. Any Gradio app exposing a FileExplorer is exposed, enabling exposure of sensitive files (source code, secrets, credentials) outside the intended directory. There is no public exploit identified at time of analysis, but the flaw was reported by VulnCheck and a vendor patch is available.

Path Traversal Gradio
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in Cisco Catalyst Center lets an unauthenticated, remote attacker retrieve files from a restricted container by sending a crafted HTTP request that abuses insufficient input validation (path traversal, CWE-22). Rated CVSS 7.5 (confidentiality-only impact), it exposes sensitive container-side data without any credentials or user interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Cisco
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Plugin directory guard bypass in HashiCorp Vault and Vault Enterprise allows a highly privileged, authenticated attacker to read files outside the intended audit plugin directory via path traversal. Exploitation requires network access, high-privilege credentials, and the use of the legacy file audit path option - a non-default configuration. Fixed versions are 2.0.1, 1.21.6, 1.20.11, and 1.19.17; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Hashicorp Path Traversal Vault +1
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.12) is reachable via a cross-site request forgery flaw that lets an attacker abuse a path-traversal-capable file operation. By tricking a logged-in administrator into visiting a malicious page, a remote unauthenticated attacker can forge a request that deletes arbitrary files on the WordPress host, potentially disabling the site. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

CSRF Path Traversal Vikbooking Hotel Booking Engine Pms
NVD VulDB
EPSS 0% CVSS 2.4
LOW PATCH Monitor

Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. No KEV listing and no EPSS data were provided, but the presence of a public bounty report and a confirmed fix commit indicates the issue is verified. The fix is available in version 2.1.6.

Path Traversal RCE Allegroai Clearml
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Path traversal and path disclosure in MyComplianceOffice MCO's file handling functionality expose authenticated high-privilege users' ability to write files to arbitrary server locations and leak absolute server paths through error messages. Confirmed in version 25.3.3.1 via CERT-PL research, with other versions potentially affected given unsuccessful vendor contact. No public exploit code or active exploitation identified at time of analysis; the high privilege prerequisite (PR:H) substantially constrains real-world attack surface.

Path Traversal Mco
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

ImageMagick before 7.1.2-24 fails to correctly enforce path restrictions configured in its security policy (policy.xml), enabling file creation and truncation outside designated filesystem boundaries. In sandboxed image conversion services - a common deployment pattern for web applications accepting user-submitted images - this incorrect policy check can be exploited by attackers who submit crafted images to write arbitrary files accessible to the conversion process. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the wide use of ImageMagick in web application stacks makes the affected population substantial.

Path Traversal Imagemagick
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a path-traversal flaw in the builder upload proxy to reach internal administrative endpoints. By appending traversal sequences to the upload path - which the WHATWG URL parser normalizes - an attacker pivots requests carrying the privileged BUILDER_API_KEY header, turning limited build access into SSRF and elevated server-side privileges. Reported by VulnCheck with a CVSS 4.0 score of 8.7; no public exploit identified at time of analysis.

Privilege Escalation Path Traversal Capgo
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Emergency

Path traversal in OFFIS DCMTK (DICOM Toolkit) lets a malicious or compromised DICOM server write attacker-controlled files to arbitrary locations on a DCMTK client host whenever that client retrieves objects using bit-preserving C-GET storage mode. Because the client trusts server-supplied storage paths, both relative (../) and absolute paths escape the chosen output directory, enabling overwrite of client-side files and potential code execution. Reported via CISA ICS-CERT (medical advisory ICSMA-26-181-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Dcmtk Toolkit
NVD GitHub
EPSS 0% CVSS 8.8
HIGH Act Now

Path traversal in OFFIS DCMTK DICOM toolkit lets an unauthenticated network attacker read DICOM Modality Worklist records stored outside the intended per-Application-Entity (AE) directory. In multi-area or multi-tenant deployments this breaks departmental and clinic-level data separation, exposing patient scheduling and demographic data across boundaries; the issue was disclosed through CISA's ICS Medical advisory ICSMA-26-181-01 with no public exploit identified at time of analysis.

Path Traversal Dcmtk Toolkit
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Open redirect in the TP-Link Archer AX20 V2 embedded web server allows unauthenticated attackers to craft URLs containing URL-encoded path traversal sequences that cause the device to issue HTTP 3xx redirects toward attacker-controlled external domains. All firmware versions through 2.1.9 Build 20230829 on the V2.0 hardware revision are confirmed affected per TP-Link's own advisory and CPE data. No public exploit identified at time of analysis, and a vendor-released patch is available; active exploitation has not been confirmed by CISA KEV.

Path Traversal Open Redirect Archer Ax20 V2 0
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Directory traversal (CWE-22) in the administrative console's integrated help system of IBM WebSphere Application Server (traditional) 8.5 and 9.0 lets remote attackers read sensitive files outside the intended help-content directory, disclosing confidential information. CVSS 7.5 reflects unauthenticated network reach with high confidentiality impact but no integrity or availability effect. There is no public exploit identified at time of analysis, and the low EPSS score (0.27%, 19th percentile) plus SSVC 'Exploitation: none' indicate no observed exploitation to date.

IBM Path Traversal Websphere Application Server
NVD VulDB
CVSS 5.3
MEDIUM POC PATCH This Month

Path traversal in CefSharp's `FolderSchemeHandlerFactory` (NuGet: cefsharp.common, assembly version 147.0.100) allows an embedded browser to serve local files from outside the configured `rootFolder` when sibling directories share a common name prefix. The root cause is a raw C# string prefix check (`filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase)`) that does not enforce directory boundaries, meaning a canonicalized path into a sibling directory such as `www2` passes validation intended to restrict access to `www`. A detailed proof-of-concept with exact request paths is publicly documented in the GitHub Security Advisory GHSA-85jm-cwp2-mvpv; no CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.

Path Traversal Microsoft
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

Cross-tenant object deletion in SeaweedFS before 4.34 lets an authenticated S3 principal holding write access to just one bucket destroy arbitrary objects in other tenants' buckets through the S3 gateway's DeleteMultipleObjectsHandler. By embedding ../ sequences in object keys inside the DeleteObjects XML request body, an attacker exploits a confused-deputy gap where path validation never inspected body keys. Publicly available exploit code exists (reported by VulnCheck) and a vendor patch shipped in release 4.34; the flaw is not listed in CISA KEV.

Path Traversal Seaweedfs
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Path traversal in Vibe-Trading before version 0.1.10 allows low-privileged authenticated network attackers to write arbitrary Markdown files outside the application's intended memory root directory. The `remember` tool fails to sanitize the `memory_type` parameter before constructing filesystem paths, enabling traversal sequences to escape the memory root and land files at attacker-controlled locations on the server. No public exploit or CISA KEV listing has been identified, but the high integrity impact and low attack complexity make patching urgent for any internet-exposed deployment.

Path Traversal Vibe Trading
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Path traversal in Vibe-Trading's swarm run directory handler allows low-privileged network attackers to read and overwrite arbitrary run.json files on the host filesystem. All releases before 0.1.10 are affected via the MCP swarm tools interface, where a crafted run identifier is passed to the run_dir function in agent/src/swarm/store.py without sanitization, enabling directory escape. No public exploit is identified at time of analysis and the vulnerability is not in the CISA KEV catalog; a vendor-released patch is available as v0.1.10.

Path Traversal Vibe Trading
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Trading mandate forgery in HKUDS Vibe-Trading before 0.1.10 lets an admitted (low-privileged) caller supply a proposal identifier containing path traversal sequences so the application loads an attacker-controlled JSON file as an authoritative live trading mandate. Because ceiling/limit validation is skipped when ceilings are absent, the attacker fully controls the committed mandate, enabling unauthorized live trades. A vendor patch exists and the issue was reported by VulnCheck, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal File Upload Vibe Trading
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Arbitrary file write and delete in OpenBMB ChatDev through 2.2.0 lets unauthenticated remote attackers control destination paths on the server by abusing the multipart filename in the upload session endpoint. Because save_upload_file joins the attacker-supplied filename onto the temp directory without sanitization, a traversal or absolute-path filename redirects both the write and the subsequent cleanup unlink to arbitrary host locations. Publicly available exploit code exists and a vendor fix is available (commit 4fd4da6); there is no public exploit identified as actively exploited in CISA KEV at time of analysis.

Path Traversal File Upload Chatdev
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Path traversal in Rancher Fleet's ImageScan subsystem (CWE-23) allows authenticated remote attackers to escape intended directory boundaries and trigger denial of service across four active release branches (0.12.x through 0.15.x). The flaw appears to have been introduced in the 0.12.0 series and persisted undetected through at least sixteen subsequent patch releases, indicating the ImageScan component lacked adequate path sanitization for an extended period. No public exploit code or active exploitation has been identified; the CVSS 4.0 vector (PR:L) confirms exploitation requires authenticated access, materially limiting opportunistic attack surface.

Path Traversal Denial Of Service Rancher
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets remote attackers (PR:N) read arbitrary files outside the intended web scope and perform limited writes, with no user interaction required. The scope-change (S:C) and high confidentiality impact drive a 9.3 critical rating, meaning a successful read can expose secrets - configuration, credentials, and source - that compromise components beyond ColdFusion itself. No public exploit is identified at time of analysis and the issue is not in CISA KEV, but ColdFusion's history of weaponized path-traversal and file-disclosure bugs makes prompt patching prudent.

Path Traversal Coldfusion
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in Adobe ColdFusion 2025.9 and 2023.20 (and earlier) allows unauthenticated remote attackers to bypass path restrictions and gain limited read and write access to files and directories outside the intended web root. The vulnerability is classified as a security feature bypass under CWE-22, exploitable over the network without user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low-complexity, zero-authentication attack surface makes it attractive for opportunistic actors targeting ColdFusion deployments.

Path Traversal Coldfusion
NVD VulDB
EPSS 1% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and earlier enables remote, unauthenticated attackers to write or access files outside intended directories and achieve arbitrary code execution in the context of the current user. Rated CVSS 10.0 with a changed scope and no user interaction required, this is among the most severe ColdFusion flaws possible. No public exploit identified at time of analysis, but the impact and trivial attack complexity make it a top patching priority.

Path Traversal RCE Coldfusion
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary file disclosure in GLib's GDBus client affects the DBUS_COOKIE_SHA1 SASL authentication mechanism, where the client fails to validate the server-supplied cookie_context parameter. A malicious or compromised D-Bus server can send a cookie_context containing path traversal sequences, forcing the client to read attacker-chosen files and leak their contents by confirming guessed values against the returned authentication hash. No public exploit has been identified and it is not in CISA KEV; EPSS is low at 0.30% (22th percentile), consistent with the SSVC assessment of no known exploitation.

Path Traversal Information Disclosure Glib +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Arbitrary file write in Net::BitTorrent 2.0.1 and earlier allows a malicious BitTorrent peer to place attacker-controlled content at attacker-chosen filesystem paths outside the designated download directory. The library validates path components on the .torrent ingest path but omits identical validation for peer-supplied metadata received via the BEP09 ut_metadata extension, causing file names containing '..' segments to resolve to traversal targets when passed to Storage::add_file. Because the attacking peer controls both the piece hashes and the served bytes, content verification passes silently, making the write invisible to the application. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Path Traversal Net
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress Path Traversal Pixmagix Wordpress Image Editor
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation to root in LinuxCNC (linuxcnc-uspace) before 2.9.9 lets any unprivileged local user execute arbitrary code as root. The SUID-root rtapi_app helper accepts a user-supplied module name and passes it to dlopen() without sufficient validation, so path traversal lets an attacker load an arbitrary attacker-controlled shared library while the process is still privileged. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix is available in version 2.9.9.

Privilege Escalation Path Traversal Linuxcnc
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing percent-encoded path-traversal sequences (e.g. ..%2f) into nltk.data.load() or nltk.data.find(). The flaw is an incomplete fix for GitHub Issue #3504: the _UNSAFE_NO_PROTOCOL_RE guard only matches literal ../ while url2pathname() decodes the encoded form after the check runs, so the validation is bypassed. No public exploit identified at time of analysis, though it was reported through a huntr.com bounty; it is not listed in CISA KEV and no EPSS score was supplied.

Python Path Traversal Nltk Nltk +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Arbitrary file read in the Zephyr RTOS HTTP server (subsys/net/lib/http) lets an unauthenticated remote client retrieve any readable file on the mounted filesystem volume by abusing path-traversal sequences against a registered static-filesystem resource. Affecting Zephyr v4.0.0 through v4.4.0 with CONFIG_FILE_SYSTEM enabled and a static-FS resource registered, the flaw stems from the raw request path being concatenated to the web root without canonicalization in both the HTTP/1 and HTTP/2 front-ends. No public exploit identified at time of analysis, but the bug is trivial to trigger (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) and a vendor patch is available.

Path Traversal Information Disclosure Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal (CWE-22) in Apple's WebKit-based browser engine exposes sensitive user information when processing maliciously crafted web content in Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms that an unauthenticated remote attacker needs only to induce a user to visit a malicious page, with no authentication or elevated privileges required. Apple has released fixes across all three platforms; no public exploit or CISA KEV listing has been identified at time of analysis.

Apple Path Traversal Ios And Ipados
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Path traversal in the H-VUE web management subsystem of Gigamon GigaVUE-OS (GVOS) versions 5.16.1 and earlier allows remote attackers to read arbitrary files outside the intended web root, exposing sensitive system data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity, unauthenticated exploitation with high confidentiality impact but no integrity or availability effect. A researcher GitHub repository tracking this CVE suggests proof-of-concept material may exist, but there is no public exploit explicitly confirmed and no CISA KEV listing at time of analysis.

Path Traversal Gigavue Os
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

{{.id}} to sensitive endpoints such as /admin/secrets. Carries a CVSS 4.0 base score of 9.3 (critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Mcp Toolbox For Databases
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Path traversal in Snowflake CLI versions prior to 3.19 enables arbitrary local file exfiltration to Snowflake cloud services when a victim processes attacker-controlled project or repository content. The CLI fails to restrict file path resolution during deployment or SQL template processing, allowing crafted project files to reference and transmit content from outside the intended project directory boundary to Snowflake-hosted artifacts. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog; upgrade to version 3.19 is required as the vendor documents no supported workarounds.

Path Traversal Snowflake Cli
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is realistic since it only requires a user to clone and open a booby-trapped repo; it is fixed in 2.1.163.

Path Traversal RCE Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file deletion in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions <= 7.4.8) lets an authenticated low-privilege 'Performer' account delete files outside the intended directory via path traversal. Because deleting critical WordPress files such as wp-config.php can force the site into setup mode and enable full takeover, the impact crosses a security boundary (scope change) and is rated CVSS 9.9. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Paid Videochat Turnkey Site
NVD
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated path traversal in the Epiphyt Embed Privacy WordPress plugin (versions up to and including 1.12.3) lets a low-privileged user supply a crafted pathname that escapes the plugin's intended directory, enabling arbitrary file deletion on the host as reflected by the Patchstack advisory title. The CVSS 7.1 vector (C:N/I:L/A:H) shows the primary danger is availability — deleting files such as wp-config.php or core assets can break or take down the site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Path traversal in spice-vdagent enables a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system during file transfer operations. Affecting Red Hat Enterprise Linux versions 6 through 10, the flaw stems from unsanitized filenames supplied by the SPICE host before use by the vdagent process, allowing writes at the privilege level of the logged-in guest user. No public exploit is identified at time of analysis, and exploitation requires prior control of the SPICE host - a high-privilege precondition that substantially constrains realistic risk despite the high integrity impact.

Path Traversal Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote file and directory exposure in agentejo Cockpit CMS 0.12.2 and earlier allows attackers to access files outside the web root via path traversal through the htaccess Handler's YAML configuration loader. The root cause is CWE-552 (Files or Directories Accessible to External Parties), triggered by unsafe processing of /config/config.yaml via the Spyc::YAMLLoad function, which can expose sensitive configuration data including credentials or internal path structures. A public exploit proof-of-concept exists on GitHub; no vendor patch has been issued, as the vendor did not respond to coordinated disclosure.

Path Traversal Information Disclosure Cockpit Cms
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the `generateUploadPath` function in `FileServiceImpl.java`. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. Publicly available exploit code exists via GitHub issue #1146; no CISA KEV listing is present, but the unauthenticated network vector combined with a public proof-of-concept materially elevates operational risk above the CVSS 4.0 base score of 6.9 alone.

Java Path Traversal File Upload +1
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Path traversal in RAGapp's Knowledge File Handler (versions up to 0.1.5) allows authenticated low-privilege users to read, write, or delete files outside the intended data/ directory by supplying crafted filenames containing sequences such as '../' to the upload or remove file API endpoints. The vulnerability exists in the FileHandler.upload_file and FileHandler.remove_file functions in src/ragapp/backend/controllers/files.py, where client-supplied filenames were interpolated directly into file paths without sanitization. A proof-of-concept exploit has been publicly disclosed; however, no vendor-released patched version is available as of analysis date - only an unmerged upstream pull request (PR #294) addresses the issue.

Path Traversal
NVD GitHub VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.

Java Path Traversal Antlr4 +2
NVD VulDB GitHub
EPSS 1% CVSS 9.3
CRITICAL Emergency

Path traversal in Daktronics Controller Firmware for the VFC-DMP-5000, DMP-5000, and DMP-8000 display media players lets remote users break out of the intended directory and enumerate arbitrary file system paths, exposing the device's internal layout to attackers. Both authenticated and unauthenticated requests are accepted, and the flaw is reachable over the network with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, though the issue was reported through ICS-CERT and carries a CVSS 4.0 base score of 9.3.

Path Traversal Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in Kestra orchestration platform (versions prior to 1.0.43 and 1.3.19) lets an authenticated user with execution privileges read any file accessible to the Kestra process via a URL-encoded path-traversal in kestra:// storage URIs. The parentTraversalGuard checks only the literal URI string, so %2E%2E bypasses it before URI.getPath() decodes it back to '..', exposing /etc/passwd, mounted secrets, and other tenants' execution outputs. No public exploit identified at time of analysis; rated CVSS 7.7 with a scope change reflecting cross-tenant and host-filesystem exposure.

Path Traversal Kestra
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated path traversal in Kestra's local internal-storage backend (versions prior to 1.0.45 and 1.3.23) lets any low-privilege user with execution-view access read arbitrary files on the host. The flaw stems from validation ordering: the guard checks for '..' sequences before backslashes are normalized to forward slashes, so a Windows-style '..\..\..\' payload bypasses the check and is rewritten to a real traversal only after validation. There is no public exploit identified at time of analysis, and EPSS/KEV signals are absent, but the confidentiality impact is severe because it breaks the multi-tenant storage isolation boundary.

Path Traversal Microsoft Kestra
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory() check added by the prior CVE-2026-48800 fix, allowing arbitrary code execution via the Run command. Because the check uses a prefix match (PathIsPrefix-style) without canonicalizing the path first, a string beginning with a trusted directory but containing ..\..\ traversal resolves to an untrusted location yet still passes validation, causing ShellExecute() to launch an attacker-controlled binary. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it requires local user interaction and is fixed in 8.9.6.2.

Path Traversal Notepad Plus Plus
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket write arbitrary objects into other tenants' buckets, fully breaking multi-tenant isolation. The flaw lives in the Snowball auto-extract feature and chains three weaknesses (unsanitized tar entry keys, IAM wildcard matching on raw paths, and filesystem path cleaning that resolves ../ across bucket boundaries). No public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Rustfs
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.

Python Path Traversal Patool
NVD GitHub VulDB
CVSS 4.8
MEDIUM PATCH This Month

Apptainer's `limit container paths` security directive in setuid mode fails to enforce path boundaries correctly because it uses string prefix matching rather than full path-component comparison, allowing local users to run containers from sibling directories whose names begin with an allowed path string. A system configured to allow only `/data/safe` will inadvertently also permit `/data/safe-but-unsafe` or any other path sharing that prefix. This affects only installations running Apptainer in setuid mode with the `limit container paths` directive explicitly configured; no public exploit has been identified at time of analysis, and the vendor-confirmed fix is available in version 1.5.1.

Path Traversal Suse
NVD GitHub
CVSS 9.9
CRITICAL POC PATCH Act Now

Arbitrary file write in the Incus daemon (incusd) via path traversal in the `Incus-Image-Hash` header allows a low-privileged attacker controlling a malicious image server to write attacker-controlled content to any path on the host filesystem as root, leading to arbitrary command execution. Affected versions are all Incus releases prior to 7.2.0; the vulnerability exists in the `source.type=url` image import code path. A full public proof-of-concept exploit exists demonstrating cron-based root command execution; no confirmed active exploitation in CISA KEV at time of analysis.

Path Traversal
NVD GitHub
CVSS 9.9
CRITICAL POC PATCH Act Now

Arbitrary host file write in Incus before 7.1.0 lets a holder of S3 bucket credentials escape the storage volume via a path-traversal-laden multipart upload ID and plant files anywhere the daemon (typically root) can write, escalating to remote code execution. The flaw lives in the local S3 storage backend's multipart upload handling, where the attacker-supplied uploadId is concatenated onto the uploads directory without sanitization. A complete working PoC exists that drops a /etc/cron.d job for root command execution; no CISA KEV listing or EPSS score is provided, so this is publicly available exploit code rather than confirmed active exploitation.

Path Traversal Canonical OpenSSL
NVD GitHub
EPSS 0% CVSS 8.6
HIGH Monitor

Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.

Path Traversal Extract Zip
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

{tag}` placeholder used to dynamically build output file paths. When an instance ingests logs from untrusted sources and references `${tag}` in a path parameter (e.g., the `out_file` plugin), an attacker can inject `../` traversal sequences to write or overwrite arbitrary files with attacker-controlled content, which the vendor states is directly escalatable to full RCE. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N) and a vendor patch (v1.19.3) is available; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path-based access control bypass in the LabStack Echo Go web framework (versions prior to 4.15.3 and 5.2.0) lets remote attackers retrieve protected static files without authorization. The flaw stems from the router matching routes on the raw encoded path (keeping %2F literal) while StaticDirectoryHandler decodes %2F to '/' before filesystem resolution, so a crafted URL slips past route-level guards. There is no public exploit identified at time of analysis and no CISA KEV listing; CVSS is 7.5 (confidentiality-only).

Path Traversal Echo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Arbitrary file deletion in the H5P WordPress plugin (versions 1.17.7 and earlier) lets a low-privileged authenticated user with Contributor-level access delete arbitrary files on the server via path traversal. The CVSS:3.1 vector (AV:N/PR:L) confirms remote, low-privilege exploitation with high availability impact, and no public exploit has been identified at time of analysis. Deleting critical files such as wp-config.php can break the site or, in some setups, enable a reinstallation-based takeover.

Path Traversal
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

Unauthenticated path traversal file deletion affects ShortPixel Adaptive Images WordPress plugin versions 3.11.4 and earlier, allowing remote attackers without any credentials to delete files outside the plugin's intended directory scope. The CVSS vector (PR:N, AC:L, S:C) confirms no authentication is required and that the impact crosses component boundaries, potentially reaching WordPress core files or other hosted content. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero privilege requirement make opportunistic exploitation straightforward once the vulnerability is known.

Path Traversal
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Path traversal in Mattermost's Go server module allows authenticated remote attackers to redirect API calls to unintended endpoints by embedding path traversal components (e.g., '../') within crafted ID parameters. The affected library is github.com/mattermost/mattermost/server/public versions prior to v0.1.22, which fails to sanitize path parameters before constructing API route paths. Exploitation yields limited confidentiality and integrity impact (CVSS 5.4 Medium); no public exploit code and no CISA KEV listing have been identified at time of analysis.

Mattermost Path Traversal
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write files outside the intended restricted directory by supplying crafted pathnames, leading to high confidentiality and integrity impact. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) indicating network-reachable, unauthenticated exploitation against affected versions. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; fixed versions 1.3.6 and 2.0.7 are available from the Apache vendor.

Path Traversal Apache Apache Iotdb
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference files outside the intended directory using crafted '../' sequences in a pathname, yielding high-impact disclosure and modification of files (C:H/I:H). With a CVSS 3.1 score of 9.1 and PR:N/UI:N, the flaw is exploitable over the network against affected instances with no credentials or user interaction. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Apache Apache Iotdb
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition appliances (firmware V1.12 and earlier) lets a remote, unauthenticated attacker traverse the filesystem via the get_fcont.cgi endpoint and retrieve any file readable by the CGI process. Because the CGI fails to validate the user-supplied file path, a single crafted HTTP request can disclose configuration files, credentials, or other sensitive data. There is no public exploit identified at time of analysis, but the network-reachable, no-authentication nature (CVSS 7.5) makes it straightforward to weaponize.

Path Traversal Information Disclosure Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.

WordPress Path Traversal Printcart Web To Print Product Designer For Woocommerce
NVD WPScan VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.

Path Traversal RCE Flowise
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.

File Upload Path Traversal RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated arbitrary file read in Flowise before 3.0.6 lets remote attackers traverse outside the storage directory via the unvalidated chatId parameter on the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints, reading sensitive files such as /root/.flowise/database.sqlite and dumping the entire application database in default deployments. The flaw was reported by VulnCheck with a vendor security advisory (GHSA-99pg-hqvx-r4gf), and while no public exploit was identified at time of analysis, the root cause and code path are fully documented in the advisory, lowering the barrier to weaponization. CVSS 4.0 base score is 8.7 (High), reflecting network-reachable, no-authentication, no-interaction exploitation with high confidentiality impact.

Path Traversal Flowise
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH Act Now

Arbitrary file write in the pynetdicom library's qrscp storage SCP application allows a remote, unauthenticated attacker to plant files at attacker-chosen paths on the receiving host. The qrscp C-STORE handler trusts a value taken from an incoming DICOM dataset and passes it into os.path.join() without sanitization, so a crafted instance identifier containing path-traversal sequences escapes the intended storage directory. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.8 and unauthenticated network reachability make this a high-priority issue for any exposed DICOM endpoint.

Path Traversal Pynetdicom Library
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, where agent terminal commands run in a sandbox that grants write access to the command's working directory. By manipulating the working_directory parameter, a malicious or prompt-injected agent can cause the sandbox to expose writable paths outside the intended workspace, then overwrite the cursorsandbox helper so subsequent commands execute outside the sandbox entirely. There is no public exploit identified at time of analysis, but the vendor rates this 9.3 (CVSS 4.0) with high confidentiality, integrity, and availability impact and notes it requires no user interaction beyond a benign prompt.

Path Traversal RCE Cursor
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Cross-bucket read/write in SeaweedFS before 4.30 lets remote attackers escape a bucket's namespace because the S3 API gateway and the Iceberg REST catalog gateway build their gorilla/mux routers with SkipClean(true), letting a literal '..' segment survive routing before downstream path joins collapse it server-side. A request like 'GET /bucket-A/../evil-bucket/key' is routed as bucket=bucket-A but resolves to evil-bucket, allowing an actor to read or write objects in buckets they should not reach. There is no public exploit identified at time of analysis; the issue is fixed in 4.30 via PR #9687.

Path Traversal Seaweedfs
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Path Traversal Kubernetes K3S
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary file deletion in File Browser before 2.63.16 lets a scoped, non-admin user holding only the Create permission destroy files outside their assigned scope - including other tenants' data and the application's own database. The flaw lives in the failed-upload cleanup path, where ScopedFs.RemoveAll is the single dereferencing operation that omits the symlink guard enforced everywhere else, so an attacker who plants an escaping directory symlink inside their scope can delete out-of-scope targets while only authenticated as a create-only user. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-exploited integrity and availability risk.

Path Traversal Filebrowser
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a transitive dependency alias, which pnpm then trusts as a filesystem path while linking dependency nodes. During a normal install - even with `pnpm install --ignore-scripts` - this allows a published package to replace paths inside the victim's project with symlinks pointing at attacker-controlled dependency directories, corrupting project integrity and enabling downstream code execution. No public exploit is identified at time of analysis; risk is amplified because the bug fires without lifecycle scripts, defeating the `--ignore-scripts` safety habit.

Path Traversal Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contributor abuse the @pnpm/patch-package pipeline, which applies `.patch` files without validating the file paths in their `diff --git` headers. Because patch diff headers are opaque to most code reviewers, an attacker can slip `../../` traversal sequences into a pull request and, when a maintainer runs `pnpm install`, write attacker-controlled content to or delete arbitrary files with the privileges of the installing user. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the moderate-to-high CVSS of 7.3 reflects high integrity and availability impact gated by required user interaction.

Path Traversal Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised registry overwrite arbitrary files reachable by the user running the command. The tool built a local tarball filename directly from registry-controlled package name and version fields, so a crafted manifest (e.g. a version like `1.0.0/../../evil`) escaped the intended download directory. This is fixed in 11.5.3; no public exploit identified at time of analysis, though the fixing PR (#12303) includes proof-of-traversal test cases.

Path Traversal Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Path traversal in pnpm's global package management flows allows deletion of the global bin directory or its parent when a malicious package with specially crafted bin keys is installed. Packages carrying ".", "..", or "" as bin object keys in their manifest bypass pnpm's bin-name guard; subsequent global remove, update, or add-replacement operations re-derive those names and pass them through path.join(globalBinDir, binName) into removeBin, resolving to the bin directory itself or its parent. No public exploit has been identified at time of analysis, but fixed versions 10.34.2 and 11.5.3 are available and should be applied immediately given the supply-chain delivery mechanism.

Path Traversal Pnpm
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary file write in Aqua Security's Trivy scanner (prior to 0.71.1) allows an attacker who can make Trivy fetch an attacker-controlled OCI artifact to write layer content anywhere on the host filesystem. Trivy trusts the org.opencontainers.image.title manifest annotation as the output filename without sanitization, so a crafted value containing path-traversal sequences escapes the intended download directory (CWE-22). No public exploit has been identified at time of analysis; the CVSS 4.0 score is 7.0 (high), driven by high integrity and availability impact requiring user interaction.

Path Traversal Trivy Suse
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Red Hat Build of Keycloak allows realm administrators holding the 'manage-realm' role to probe arbitrary filesystem paths by submitting unsanitized path values as keystore parameters during key provider component creation. The Keycloak process's file access attempt reveals whether a given path exists and is readable, functioning as a filesystem oracle for authenticated attackers. No public exploit code or active exploitation has been identified at time of analysis; the CVSS score of 4.9 (PR:H) reflects the significant constraint of requiring realm administrator credentials prior to exploitation.

Path Traversal Information Disclosure Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Path traversal in Halo's backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem, bypassing directory boundaries. Affected are all Halo deployments prior to version 2.24.3, where the MigrationServiceImpl.download() method invokes Path.resolve() on attacker-supplied filenames without enforcing containment within the designated backups directory. A compounding issue exists in the backup creation endpoint, which fails to sanitize status fields. No public exploit code or CISA KEV listing has been identified at time of analysis, and the PR:H requirement meaningfully constrains the attack surface.

Path Traversal Halo
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.

Path Traversal PHP K2 Extension For Joomla
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

Arbitrary file read in Winstone Servlet Engine (versions through 0.9.10) lets unauthenticated remote attackers retrieve any file readable by the servlet process by embedding dot-dot-slash sequences in HTTP GET request paths to the static-file handler. The flaw stems from missing path sanitization when resolving requests against the configured webroot, and publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV. Impact is confidentiality-only but high, escalating to disclosure of OS-level secrets when the engine runs with elevated privileges.

Path Traversal Winstone Servlet Container
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) is reachable through a path traversal flaw (CWE-22) that lets an authenticated, high-privileged remote attacker access or write files outside the intended directory and ultimately execute arbitrary code on the management server. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity, and availability impact gated by a high-privilege requirement. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Dell Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-privileged authenticated user (Subscriber, PR:L) delete arbitrary files on the server via path traversal. Because the scope is changed (S:C) and impact is availability-only (A:H), an attacker can remove critical files such as wp-config.php to trigger denial of service or force WordPress into a reinstall/setup state. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; it was disclosed through Patchstack.

Path Traversal Js Help Desk
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.

Path Traversal Apache
NVD VulDB
Prev Page 3 of 86 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
7707

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy