
Path Traversal

web HIGH

Path traversal exploits occur when applications use user-controlled input to construct file system paths without proper validation.

How It Works

The vulnerability arises when an application builds a file system path from user-controlled input without validating it. Attackers inject special sequences such as ../ (dot-dot-slash) to escape the intended directory and reach arbitrary locations in the file system. Each ../ sequence moves up one directory level, so enough of them break out of the restricted folder and give access to sensitive files elsewhere on the server.

Attackers employ various encoding techniques to bypass basic filters. Simple URL encoding transforms ../ into %2e%2e%2f, while double encoding produces %252e%252e%252f (the percent sign itself is encoded, so a single decoding pass still yields %2e%2e%2f). Other evasion methods include nested sequences such as ....// (which collapse to ../ once a filter deletes the inner ../), null byte injection (%00 to truncate the path and defeat validation), and OS-specific path separators (backslashes on Windows). Absolute paths such as /etc/passwd may also work if the application does not enforce a relative path constraint.

The typical attack flow begins with identifying input parameters that reference files, such as file=, path=, template=, or page=. The attacker then tests traversal payloads to determine whether path validation exists and how many levels up the system files lie. Success means reading configuration files, credentials, or source code, or even writing malicious files if the application allows file uploads or modifications.

Impact

  • Credential exposure: Access to configuration files containing database passwords, API keys, and authentication tokens
  • Source code disclosure: Reading application code reveals business logic, additional vulnerabilities, and hardcoded secrets
  • System file access: Retrieving /etc/passwd, /etc/shadow, or Windows SAM files for credential cracking
  • Configuration tampering: If write access exists, attackers modify settings or inject malicious code
  • Remote code execution: Writing web shells or executable files to web-accessible directories enables full system compromise

Real-World Examples

ZendTo file sharing application (CVE-2025-34508) contained a path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. The flaw existed in file retrieval functionality where user input directly influenced file path construction without adequate validation, exposing sensitive configuration data and potentially system files.

Web application frameworks frequently suffer from path traversal in template rendering engines. When applications allow users to specify template names or include files, insufficient validation permits attackers to read source code from other application modules or framework configuration files, revealing database credentials and session secrets.

File download features in content management systems represent another common vector. Applications that serve user-requested files from disk often fail to restrict paths properly, enabling attackers to download backup files, logs containing sensitive data, or administrative scripts that weren't intended for public access.

Mitigation

  • Avoid user input in file paths: Use indirect references like database IDs mapped to filenames on the server side
  • Canonicalize and validate: Convert paths to absolute canonical form, then verify they remain within the allowed base directory
  • Allowlist permitted files: Maintain an explicit list of accessible files rather than trying to blocklist malicious patterns
  • Chroot jails or sandboxing: Restrict application file system access to specific directories at the OS level
  • Strip dangerous sequences: Remove ../, ..\, and encoded variants, though this alone is insufficient

Recent CVEs (2266)

EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cockpit CMS versions 2.13.5 and earlier allow authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets via directory traversal in the Buckets component. The vulnerability requires valid user authentication and does not impact confidentiality, but enables integrity compromise through malicious file placement or asset replacement. A proof-of-concept exists, though the SSVC framework rates automatable exploitation as unlikely, suggesting manual attack steps are required.

Path Traversal Red Hat
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A flaw has been found in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get_pdf_path of the file src/spire_pdf_mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw before version 2026.4.2 allows authenticated attackers to delete arbitrary remote directories during mirror mode synchronization operations by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. An attacker with login credentials can craft malicious OpenShell config paths that cause the mirror sync function to delete unintended remote directory contents before replacing them with uploaded workspace data, resulting in data loss and potential service disruption.

Path Traversal
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Path traversal in DV0x creative-ad-agent server component (up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3) allows remote unauthenticated attackers to read arbitrary files via manipulation of req.params arguments in server/sdk-server.ts. Public exploit code is available. CVSS 5.5 reflects low confidentiality impact with network-accessible attack vector and no authentication requirement.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in WilliamCloudQi matlab-mcp-server allows remote unauthenticated attackers to manipulate the scriptPath argument in the generate_matlab_code and execute_matlab_code functions, enabling unauthorized file system access with confidentiality and integrity impact. The vulnerability affects versions up to commit ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca, has publicly available exploit code, and the vendor has not yet responded to early disclosure notification.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in AgiFlow scaffold-mcp's write-to-file tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the file_path parameter. Versions up to 1.0.27 are affected. Public exploit code exists (GitHub issue #88), enabling attackers to bypass directory restrictions and access sensitive files or overwrite critical system files. CVSS 7.3 (High) with network attack vector and no authentication required. Vendor-released patch available in version 1.1.0 (commit c4d23592).

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal vulnerability in ErlichLiu claude-agent-sdk-master allows remote unauthenticated attackers to read arbitrary files by manipulating the outputFile parameter in app/api/agent-output/route.ts. The vulnerability has a CVSS score of 5.3 (low integrity impact) and publicly available exploit code exists, though the project uses rolling releases and the maintainer has not yet responded to disclosure.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Absolute path traversal in Deepractice PromptX up to version 2.4.0 allows remote unauthenticated attackers to read arbitrary files from the server by manipulating the path argument in document file handling functions (read_docx, read_xlsx, read_pptx, list_xlsx_sheets, read_pdf). Publicly available exploit code exists and the vendor has not responded to early disclosure, though CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates moderate information disclosure risk with no integrity or availability impact.

Path Traversal Microsoft
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in processing-claude-mcp-bridge's create_sketch tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the sketch_name parameter in processing_server.py. Public exploit code exists via GitHub issue #1, enabling straightforward attacks against exposed instances. EPSS data not available, but CVSS 7.3 (High) with network vector and no authentication requirements indicates significant risk for internet-facing deployments. Project maintainer has not responded to vulnerability disclosure, leaving no vendor-confirmed patch timeline.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in eghuzefa engineer-your-data up to version 0.1.3 allows remote attackers to read, write, list, and obtain information about arbitrary files via manipulation of the WORKSPACE_PATH argument in the read_file, write_file, list_files, and file_inf functions within src/server.py. Publicly available exploit code exists, and the vendor has been notified but has not yet responded with a fix.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in ef10007 MLOps_MCP 1.0.0 allows remote unauthenticated attackers to write files to arbitrary filesystem locations via manipulation of the filename/destination argument in the save_file tool of fastmcp_server.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification, leaving affected deployments without an official patch.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Path traversal in duartium papers-mcp-server allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the topic argument in the search_papers function. The vulnerability affects commit 9ceb3812a6458ba7922ca24a7406f8807bc55598 and is publicly exploitable with proof-of-concept code available; the vendor has been notified via issue report but has not yet responded.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in edvardlindelof notes-mcp up to version 0.1.4 allows remote unauthenticated attackers to read or manipulate files outside the intended directory by manipulating the root_dir or path arguments in notes_mcp.py. The vulnerability has a publicly available exploit and a CVSS score of 6.9, but the vendor has not responded to the early disclosure through issue tracking.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Path traversal in OpenClaw's ACP dispatch mechanism allows authenticated remote attackers to read arbitrary files outside intended directories by manipulating inbound channel attachment paths. Attackers can bypass both attachment-cache and root directory security checks to access sensitive system files. Upstream fix available via GitHub commit 566fb73d9d, with versions prior to 2026.3.31 confirmed vulnerable. No CISA KEV listing at time of analysis, indicating targeted rather than widespread exploitation.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions 2026.2.6 through 2026.3.24 allow authenticated remote attackers to read arbitrary files outside configured sandbox boundaries via path traversal in the Feishu extension's resolveUploadInput function during upload_image operations. The vulnerability bypasses file-system sandbox restrictions through improper path resolution, enabling confidentiality compromise of sensitive data accessible to the application process.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A security vulnerability has been detected in OSPG binwalk up to 2.4.3. This vulnerability affects the function read_null_terminated_string of the file src/binwalk/plugins/winceextract.py of the component WinCE Extraction Plugin. Such manipulation of the argument self.file_name leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project maintainer confirms this issue: "I accept the existence of the Path Traversal vulnerability. However, as stated in the Github link, it reached EOL and as a result no actions should be expected." The GitHub repository mentions that "[u]sers and contributors should migrate to binwalk v3." This vulnerability only affects products that are no longer supported by the maintainer.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`), then the archive will be extracted outside the target directory, which differs from the behaviour on other operating systems. Only Windows is affected by this vulnerability.

Path Traversal Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in douinc mkdocs-mcp-plugin up to 0.4.1. This affects the function read_document/list_documents of the file server.py. Performing a manipulation of the argument docs_dir/file_path results in path traversal. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor confirms that the "fix will be published within a few days."

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. This vulnerability affects the function prepare_kaggle_dataset of the file src/kaggle_mcp/server.py. The manipulation of the argument competition_id leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated directory traversal in Pro-Bit versions before 1.77.4 exposes sensitive directories and subdirectories to remote attackers without authentication. The vulnerability allows direct access to protected file system locations via network requests, enabling unauthorized information disclosure. EPSS score of 0.02% (6th percentile) indicates low observed exploitation probability in the wild, and no CISA KEV listing exists at time of analysis, suggesting limited active exploitation despite the CVSS 7.5 severity rating.

Information Disclosure Path Traversal
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal.

Path Traversal
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php, where the logname parameter is not validated against directory traversal sequences before file paths are constructed. Authenticated attackers can inject directory traversal sequences (../) into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.

PHP Path Traversal
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

PHP RCE Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Online Lot Reservation System up to 1.0. This affects the function readfile of the file /download.php. The manipulation of the argument File results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used.

PHP Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.

RCE Apache Java +3
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Path traversal in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to access files outside intended directories via the url parameter in the downloadApp endpoint (src/routes/setting/about/downloadApp.ts). The vulnerability requires high attack complexity and authenticated access; vendor mitigation notes that the update URL is statically compiled in official code and exploitation would require users to modify source code. Publicly disclosed exploit code exists, but real-world exploitability is disputed by the vendor and remains uncertain.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to read arbitrary files via manipulation of the url argument in the updateStoryboardUrl function of the Storyboard Export component. The vulnerability has a publicly available exploit, though the vendor disputes its practical exploitability, arguing the affected interface is designed to accept only local or trusted Docker-configured addresses. CVSS 4.3 reflects low confidence (RC:C) and unconfirmed exploitation probability (E:P).

Docker Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files by sending a crafted URL path containing traversal sequences.

Path Traversal
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manipulation of the Platform query parameter in the get_simulation_posts function. The vulnerability affects the backend simulation API endpoint and has publicly available exploit code, though exploitation is limited to information disclosure rather than modification or availability impact.

Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in Tenda i9 router firmware version 1.0.0.5(2204) allows remote unauthenticated attackers to access arbitrary files, modify system configurations, and potentially disrupt device operation via the R7WebsSecurityHandler function in the HTTP Handler component. Publicly available exploit code exists on GitHub (Litengzheng/vuldb_new), enabling straightforward exploitation with EPSS-assessed risk. The vulnerability permits confidentiality, integrity, and availability impacts with low attack complexity and no required user interaction, making it a realistic target for automated scanning and exploitation.

Path Traversal Tenda
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in rawchen sims DeleteFileServlet endpoint allows authenticated remote attackers to manipulate the filename parameter and access arbitrary files on the system, potentially leading to information disclosure or file modification. The vulnerability affects all versions up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de, with publicly available exploit code and no vendor response to early disclosure notification.

Java Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW Monitor

Path traversal vulnerability in Ollama up to version 0.20.2 affects the digestToPath function in the Tensor Model Transfer Handler, allowing remote attackers with high complexity to manipulate digest arguments and traverse the filesystem. Public exploit code exists, though the vendor has not acknowledged disclosure attempts. CVSS 6.3 reflects low confidentiality, integrity, and availability impact limited by high attack complexity and no scope change.

Path Traversal
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x allow local attackers controlling a Java workload to overwrite arbitrary host files via path traversal when Java injection is enabled and the agent runs with elevated privileges. The vulnerability exploits unsafe file creation in the Java agent injection path, where the injector trusts the target process's TMPDIR environment variable and lacks boundary checks, enabling symlink-based file clobbering and filesystem escape. Vendor-released patch available in version 0.8.0. No public exploit identified at time of analysis, but CVSS 8.4 reflects high integrity and availability impact with scope change from container to host.

Java Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Directory traversal in SiYuan personal knowledge management system allows authenticated attackers to read arbitrary workspace files via double URL encoding bypass. The vulnerability stems from an incomplete fix for CVE-2026-30869 that added only denylist validation without removing a redundant url.PathUnescape() call in serveExport(). Attackers can use %252e%252e encoding to access sensitive files including the complete SQLite database (siyuan.db), kernel logs, and all user documents. EPSS data not available for this recent CVE; publicly available exploit code exists (GitHub commit demonstrates exploitation technique).

Path Traversal
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Path traversal in 4ga Boards before 3.3.5 allows authenticated users with board import privileges to force the server to read and expose arbitrary local files as board attachments during BOARDS archive import. Attackers can then download sensitive host files (configuration files, credentials, application source code) through the normal download interface. CVSS score of 7.6 reflects high confidentiality impact with low integrity/availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack technique is straightforward for authenticated insiders.

Path Traversal
NVD GitHub
Awaiting Data

Pre-NVD disclosure via the oss-security mailing list, 2026/04/11: [kubernetes] CVE-2026-3865: CSI Driver for SMB path traversal via subDir may delete unintended directories on the SMB s… (Vinayak Goyal <vinayakankugoyal@...il.c…)

Path Traversal Kubernetes
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

FreeRDP versions prior to 3.25.0 allow path traversal attacks through an off-by-one error in the drive redirection filter, enabling rogue RDP servers to read, list, or write files one directory above the client's shared folder via RDPDR requests. Exploitation requires the victim to connect with drive redirection enabled and interact with a malicious RDP server, making this a user-interaction-dependent remote attack with moderate CVSS score (4.2) but real-world impact limited by connection and configuration requirements.

Path Traversal Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in Roxy-WI versions before 8.2.6.4 allows unauthenticated remote attackers to access sensitive files on the server via path traversal in the oldconfig parameter of the haproxy_section_save interface. This CVSS:4.0 vector indicates zero attack complexity and no prerequisites, enabling trivial exploitation to exfiltrate configuration files, credentials, or private keys. GitHub Security Advisory confirms the vulnerability with proof-of-concept exploitation status (E:P), representing immediate risk for exposed Roxy-WI management interfaces.

Apache Path Traversal Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.

RCE Apache Path Traversal +1
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

`melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. Fixed in melange **v0.43.4** by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit [84f3b45](https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac)). Do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact. melange thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for discovering and reporting this issue.

Path Traversal
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

An attacker who can influence a melange configuration file - for example through pull-request-driven CI or build-as-a-service scenarios - could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + ".yaml")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. Fixed in melange **v0.43.4** via commit [5829ca4](https://github.com/chainguard-dev/melange/commit/5829ca45cfe14dfeb73ffb716992db3b1b7892ac). The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. Only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`. melange thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for discovering and reporting this issue.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling: importing a malicious .zrp archive whose notes.txt entry is a symbolic link bypasses the directory confinement checks, so subsequent note read and write operations follow the link and reach arbitrary files outside the dir.projects root directory.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Python Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files.

Path Traversal
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Path traversal in Zurich Instruments LabOne Web Server allows unauthenticated remote attackers to read arbitrary files accessible to the LabOne process. The vulnerability combines insufficient input validation (CWE-22) with missing CORS restrictions, so it can be exploited directly over the network or from a victim's browser via a malicious website. EPSS data is not available; the unauthenticated network vector (AV:N/PR:N/UI:N) makes this a readily exploitable information disclosure flaw, and a vendor patch is available. Only installations running the Web Server component are affected; API-only deployments are not.

Path Traversal
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.

PHP RCE Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Arbitrary file write vulnerability in IBM Guardium Data Protection 12.1 allows authenticated administrative users to traverse directories and write files to arbitrary locations via specially crafted URLs containing path traversal sequences (/../). The vulnerability requires high-privilege admin credentials and network access but results in integrity compromise without requiring user interaction, making it a post-authentication privilege abuse risk for organizations running this data protection platform.

Path Traversal IBM
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.

Path Traversal
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Remote unauthenticated attackers can access sensitive operating system files in Ziostation2 medical imaging software v2.9.8.7 and earlier via path traversal, achieving high confidentiality impact. The vulnerability requires no authentication, low attack complexity, and no user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), making it easily exploitable from the network. While not currently listed in CISA KEV and lacking public exploit code at time of analysis, the trivial exploitation conditions and exposure of medical system data present significant risk to healthcare organizations using affected versions.

Path Traversal
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. The 9.1 CVSS score and Changed scope indicate potential container escape or cross-tenant impact; EPSS data was not provided, so real-world exploitation likelihood cannot be assessed from it.

Path Traversal
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.

PHP Authentication Bypass RCE +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.

PHP Authentication Bypass Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), but attack is not automatable per CISA framework.

PHP XSS RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.

PHP Information Disclosure Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.

PHP RCE Python +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) and public exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.

PHP RCE Python +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.
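The three Zip Slip entries above (the two ci4ms archive uploads and DDEV's `Untar()`/`Unzip()`) share one root cause: the archive entry name is joined onto the destination directory and written without checking where the joined path actually lands. The added example below is not DDEV's or ci4ms's code; it is a self-contained Go extractor that builds a constructed malicious archive in memory (one benign file and one `../../public/shell.php` entry, mirroring the ci4ms proof-of-concept) and shows the containment check that stops it. It also refuses symlink entries, since a link pointing outside the destination followed by a regular entry written through it is the tar-format variant of the same bug noted for Poetry further down this page. The `SafeTarget`, `ExtractZip`, `BuildZip` and `Entry` names are assumptions for the illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip marks an entry that would be written outside the destination.
var ErrZipSlip = errors.New("archive entry escapes destination")

// SafeTarget maps an archive entry name (always '/'-separated) onto a path
// under dest. The cleaned result must equal dest or start with dest plus a
// separator: a bare prefix test would accept "../app2/x" as inside "/srv/app"
// because "/srv/app2/x" starts with "/srv/app".
func SafeTarget(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, `\`) || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: absolute entry %q", ErrZipSlip, name)
	}
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join also cleans
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrZipSlip, name, target)
	}
	return target, nil
}

// ExtractZip extracts an in-memory archive into dest, stopping at the first
// entry that would land outside dest or that is a symlink. It returns the
// paths written before any error so a caller can clean up.
func ExtractZip(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range r.File {
		target, err := SafeTarget(dest, f.Name)
		if err != nil {
			return written, err
		}
		if f.Mode()&os.ModeSymlink != 0 {
			return written, fmt.Errorf("%w: symlink entry %q", ErrZipSlip, f.Name)
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		if err := writeEntry(f, target); err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// Entry is one file in a constructed test archive.
type Entry struct{ Name, Body string }

// BuildZip assembles an archive in memory. archive/zip's writer does not
// sanitise entry names, so traversal names are stored exactly as given.
func BuildZip(entries []Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(fw, e.Body); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "zipslip")
	defer os.RemoveAll(dest)
	// Constructed malicious theme archive: one benign file, one traversal entry.
	data := BuildZip([]Entry{
		{"theme/style.css", "body{}"},
		{"../../public/shell.php", "<?php system($_GET['c']); ?>"},
	})
	written, err := ExtractZip(data, dest)
	fmt.Println("written:", written)
	fmt.Println("stopped with:", err)
}
```

Validate every entry name before opening anything for writing, not just the ones that look suspicious; the benign `theme/style.css` is written and the traversal entry is refused at `SafeTarget`, so nothing ever lands under the web root.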

PHP Path Traversal Node.js
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM This Month

The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.

Path Traversal
NVD GitHub
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Time-of-Check to Time-of-Use (TOCTOU) symlink race condition vulnerability in uutils coreutils affects directory traversal operations on macOS and FreeBSD because the safe_traversal module's file-descriptor-relative syscall protections are incorrectly limited to Linux targets only. Local authenticated attackers with limited privileges can exploit this race condition to read or modify files via symlink manipulation, though exploitation requires specific timing conditions and is not automatable. EPSS and CISA SSVC assessment indicate partial technical impact with no evidence of active exploitation.

Path Traversal Apple
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 0.6
LOW PATCH Monitor

Path traversal vulnerability in Poetry's tar extraction function allows arbitrary file writes when processing untrusted source distributions on Python 3.10.0-3.10.12 and 3.11.0-3.11.4, where the tarfile.data_filter safety mechanism is absent or broken. The vulnerability is triggered during dependency resolution (poetry add --lock) or installation before the build backend executes, enabling attackers to write files outside the intended extraction directory via crafted tar member paths, symlinks, or hardlinks in malicious sdists.

RCE Python Path Traversal +2
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Path traversal in InstructLab's chat session handler enables local authenticated attackers to write files to arbitrary filesystem locations by manipulating the logs_dir parameter. Red Hat Enterprise Linux AI 3 deployments are confirmed affected. CVSS 7.1 (High) reflects significant confidentiality and integrity impact, though exploitation requires local access and low-level privileges. No active exploitation (CISA KEV) or public proof-of-concept identified at time of analysis, and EPSS data is not available.

Path Traversal
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Local file inclusion in Breaking News WP plugin for WordPress (versions up to 1.3) allows authenticated attackers with Subscriber-level access to read arbitrary files on the server. The vulnerability stems from insufficient path validation in the brnwp_show_breaking_news_wp() shortcode handler, which passes unsanitized user input directly to PHP's include() function after stripping only text field characters but not directory traversal sequences. Attackers can exploit the unprotected brnwp_ajax_form AJAX endpoint to overwrite the brnwp_theme option with paths like ../../../../etc/passwd, then trigger file inclusion when the shortcode renders.

WordPress Path Traversal CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.

PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.

Path Traversal
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.

Path Traversal
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/start, and /api/workspaces/add. Attackers can repoint a session workspace to a directory outside the intended trusted root and then use ordinary file read and write APIs to access or modify files outside the intended workspace boundary within the permissions of the hermes-webui process.

Path Traversal
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but resolves to /tekton/results at runtime. This vulnerability is fixed in 1.11.1.
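The Tekton bypass is a prefix check performed on the raw string instead of on the canonical path. The added example below is not Tekton's code; it models the check in Go with two assumptions spelled out in the comments: that `/tekton/home` is the one subtree a step is allowed to mount, and that mount paths are POSIX container paths (so the slash-only `path` package is the right canonicaliser whatever host the controller runs on). `MountAllowedNaive` reproduces the bypassable shape from the advisory; `MountAllowedFixed` cleans first and also closes two smaller gaps the naive form has, the bare `/tekton` root and sibling names such as `/tekton/homeX`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

const (
	reservedRoot = "/tekton/"     // internal Tekton paths a step may not shadow
	allowedHome  = "/tekton/home" // assumed: the one subtree a step may mount
)

// MountAllowedNaive reproduces the bypassable check: prefix tests on the raw
// string. "/tekton/home/../results" starts with "/tekton/home" and passes,
// yet the kubelet mounts it at "/tekton/results".
func MountAllowedNaive(mountPath string) bool {
	if strings.HasPrefix(mountPath, reservedRoot) && !strings.HasPrefix(mountPath, allowedHome) {
		return false
	}
	return true
}

// MountAllowedFixed canonicalises with path.Clean and decides on the result.
// The allowed subtree is matched as an exact path or with a trailing "/", so
// "/tekton/homeX" no longer rides on the "/tekton/home" prefix.
func MountAllowedFixed(mountPath string) bool {
	clean := path.Clean(mountPath)
	if !path.IsAbs(clean) {
		return false // volumeMounts must be absolute
	}
	if clean == allowedHome || strings.HasPrefix(clean, allowedHome+"/") {
		return true
	}
	if clean == strings.TrimSuffix(reservedRoot, "/") || strings.HasPrefix(clean, reservedRoot) {
		return false
	}
	return true
}

func main() {
	cases := []string{
		"/workspace/src", "/tekton/home/.ssh", "/tekton/home/../results",
		"/tekton/homeX", "/tekton", "/tekton/results",
	}
	for _, p := range cases {
		fmt.Printf("%-26s naive=%-5v fixed=%v\n", p, MountAllowedNaive(p), MountAllowedFixed(p))
	}
}
```

The general rule the fix applies: never make an access decision on a path string you have not cleaned, because the component that eventually consumes it (here the kubelet) will resolve `..` whether or not the validator did.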

Path Traversal Kubernetes Red Hat +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.

PHP RCE Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated path traversal in CrowdStrike LogScale cluster API allows remote attackers to read arbitrary files from server filesystems. Affects only self-hosted LogScale deployments with specific vulnerable versions; Next-Gen SIEM customers are not impacted. CrowdStrike proactively identified this during internal testing and deployed network-layer blocks for SaaS customers on April 7, 2026, with log analysis confirming no evidence of exploitation. CVSS 9.8 critical severity with network vector and no authentication required (AV:N/PR:N), though EPSS and KEV data not available at time of analysis.

Path Traversal
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. EPSS data was not provided; beyond the CVSS 9.1 (Critical) rating, the primary risk factor is the changed scope (S:C), indicating potential compromise of the container or hosting infrastructure beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.

Path Traversal
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote unauthenticated path traversal in excel-mcp-server versions ≤0.1.7 allows network attackers to read, write, and overwrite arbitrary files on the host filesystem. The server's get_excel_path() function fails to validate file paths in two ways: it passes absolute paths without checking boundaries and joins relative paths without resolving traversal sequences. With default configuration binding to 0.0.0.0 (all network interfaces) and no authentication on SSE/Streamable-HTTP transport modes, exploitation is trivial. Vendor-released patch available in version 0.1.8. EPSS data not available; no CISA KEV listing identified at time of analysis.

Path Traversal
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Erlang OTP SSH daemon (ssh_sftpd) stores unresolved user-supplied paths in file handles, allowing authenticated SFTP users to modify file attributes (permissions, ownership, timestamps) outside the configured chroot directory via SSH_FXP_FSETSTAT requests. When the SSH daemon runs as root, this enables privilege escalation through setting setuid bits or changing ownership of system files. The vulnerability affects OTP versions 17.0 through 28.4.3 (and earlier point releases in 27.x and 26.x series); patched versions are available per vendor advisory.

Privilege Escalation Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in Apktool 3.0.0-3.0.1 enables malicious APK files to write arbitrary files during decoding operations, potentially achieving remote code execution by overwriting shell configuration files or startup scripts. This security regression, introduced December 12, 2025 when sanitization controls were removed from resource decoder logic, allows attackers to embed directory traversal sequences in APK metadata that escape output directories and target critical system files like ~/.ssh/config or Windows Startup folders. CVSS 7.1 with local attack vector and required user interaction. No active exploitation (CISA KEV) or public POC identified at time of analysis, but exploit development is straightforward given the detailed technical disclosure in GitHub advisory GHSA-m8mh-x359-vm8m.

Path Traversal Google Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting symlink handling between sandboxed and unsandboxed processes, potentially leading to code execution. The vulnerability requires prompt injection to trigger malicious sandboxed code execution, creating an exploitable chain where neither component can independently breach the sandbox but their interaction does. EPSS score of 0.08% (23rd percentile) suggests limited real-world exploitation likelihood, and CISA SSVC indicates no known exploitation with non-automatable attack requirements. Version 2.1.64 patches this issue, auto-deployed to standard installations.

RCE Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated remote attackers to read arbitrary files from the conversion host when HTMLExporter.embed_images is enabled, by embedding malicious image references with path traversal sequences in a crafted notebook. A malicious actor can exfiltrate sensitive files as base64-encoded data URIs in the output HTML, achieving confidentiality breach with no integrity or availability impact. Vendor-released patch: version 7.17.1.

Path Traversal Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in OpenClaude CLI versions before 0.5.1 allows local authenticated users to bypass sandbox directory restrictions and access arbitrary filesystem paths. A logic flaw in the bash permission handler causes path constraint checks to be skipped when sandbox auto-allow is enabled without explicit deny rules, permitting traversal sequences like '../../../etc/passwd' to escape containment boundaries. EPSS score of 0.01% indicates low probability of widespread exploitation, and no active exploitation has been reported.

Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.

Path Traversal Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Roxy-WI versions prior to 8.2.6.4 allow authenticated attackers to read arbitrary files via path traversal in the POST /config/<service>/show API endpoint. The configver parameter is directly concatenated into a file path without proper validation, permitting directory escape sequences (../) to bypass the existing path guard. An authenticated user can exploit this to access sensitive configuration files and other data readable by the web application process.

Apache Path Traversal Nginx
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.

PHP WordPress Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.

PHP WordPress RCE +1
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

OpenMage LTS Dataflow module prior to version 20.17.0 allows authenticated administrators to read arbitrary files via a bypassable path traversal filter that uses simple string replacement (`str_replace('../', '', $input)`). Attackers can circumvent the blacklist by using nested patterns like `..././` or `....//` which resolve to valid `../` sequences after filtering. Remote administrative access is required, but the high confidentiality impact and confirmed patch availability make immediate patching necessary for affected deployments.
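The OpenMage filter fails for the reason the page introduction gives under nested sequences: a single left-to-right pass that deletes `../` leaves the surrounding characters free to reassemble into a fresh `../`. The added example below is not OpenMage's code; it reproduces that single-pass blacklist in Go, shows why a repeat-until-stable version is still only a blacklist (it does nothing about an escape that is URL-decoded after the filter runs, the ordering behind the AVideo query-string bypass earlier on this page), and contrasts both with the allowlist form: decode once, canonicalise with `path.Clean`, refuse anything absolute, NUL-containing or still beginning with `..`. The `StripOnce`, `StripUntilStable`, `FilterThenDecode` and `Resolve` names and the `/var/www/media` base are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscape is returned for input that would leave the base directory.
var ErrEscape = errors.New("path escapes base directory")

// StripOnce mirrors a single-pass blacklist such as str_replace('../', '', $p):
// each "../" is removed exactly once, left to right, so "....//" and "..././"
// both collapse to "../" after the middle match is cut out.
func StripOnce(p string) string {
	return strings.ReplaceAll(p, "../", "")
}

// StripUntilStable repeats the removal until nothing changes. That closes the
// nesting hole but it is still a blacklist: it ignores absolute paths,
// backslashes and anything that is decoded after the filter has run.
func StripUntilStable(p string) string {
	for {
		next := strings.ReplaceAll(p, "../", "")
		if next == p {
			return p
		}
		p = next
	}
}

// FilterThenDecode applies the blacklist to the raw parameter and decodes
// afterwards, the order in which an encoded "%2e%2e/" passes untouched.
func FilterThenDecode(raw string) (string, error) {
	return url.PathUnescape(StripUntilStable(raw))
}

// Resolve is the allowlist form. It decodes exactly once (as many times as
// the server would), treats a backslash as a separator, then rejects NUL
// bytes, absolute paths and any cleaned path that still starts with "..".
// Nested sequences need no special casing: path.Clean("....//etc/passwd")
// is "..../etc/passwd", a harmless literal directory name.
func Resolve(base, raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	switch {
	case strings.ContainsRune(decoded, 0):
		return "", fmt.Errorf("%w: NUL byte in %q", ErrEscape, raw)
	case strings.HasPrefix(decoded, "/"):
		return "", fmt.Errorf("%w: absolute path %q", ErrEscape, decoded)
	}
	clean := path.Clean(decoded)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("%w: %q cleans to %q", ErrEscape, raw, clean)
	}
	return path.Join(base, clean), nil
}

func main() {
	for _, p := range []string{"....//", "..././", "....//....//....//etc/passwd"} {
		fmt.Printf("single pass %-30q -> %q\n", p, StripOnce(p))
	}
	got, _ := FilterThenDecode("%2e%2e/%2e%2e/etc/passwd")
	fmt.Printf("filter-then-decode -> %q\n", got)
	for _, raw := range []string{"reports/2024/../q1.csv", "....//etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "a%00.txt"} {
		p, err := Resolve("/var/www/media", raw)
		fmt.Printf("resolve %-28q -> %q err=%v\n", raw, p, err)
	}
}
```

`Resolve` still only confines the lexical path; if `base` itself contains symbolic links that point elsewhere, confine the opened file with a real-path comparison or an OS-level root as well, as the radare2 symlink entries on this page illustrate.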

Path Traversal Adobe
NVD GitHub VulDB

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
2266
