Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

CVE-2026-33206 (GCVE-0-2026-33206)

Vulnerability from cvelistv5 – Published: 2026-03-27 13:53 – Updated: 2026-03-27 14:48
VLAI
Title
calibre has a path traversal vulnerability
Summary
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
kovidgoyal calibre Affected: < 9.6.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33206",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:48:39.922938Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:48:44.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre\u0027 handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T13:53:22.833Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6"
        }
      ],
      "source": {
        "advisory": "GHSA-h3p4-m74f-43g6",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has a path traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33206",
    "datePublished": "2026-03-27T13:53:22.833Z",
    "dateReserved": "2026-03-17T23:23:58.312Z",
    "dateUpdated": "2026-03-27T14:48:44.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32725 (GCVE-0-2026-32725)

Vulnerability from cvelistv5 – Published: 2026-03-31 17:01 – Updated: 2026-04-03 16:14
VLAI
Title
SciTokens C++: Relative Path Traversal Vulnerability
Summary
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
scitokens scitokens-cpp Affected: < 1.4.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32725",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T16:14:03.357530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T16:14:20.163Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "scitokens-cpp",
          "vendor": "scitokens",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses \"..\" path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T17:01:46.776Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp"
        },
        {
          "name": "https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08"
        }
      ],
      "source": {
        "advisory": "GHSA-rqcx-mc9w-pjxp",
        "discovery": "UNKNOWN"
      },
      "title": "SciTokens C++: Relative Path Traversal Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32725",
    "datePublished": "2026-03-31T17:01:46.776Z",
    "dateReserved": "2026-03-13T15:02:00.625Z",
    "dateUpdated": "2026-04-03T16:14:20.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31927 (GCVE-0-2026-31927)

Vulnerability from cvelistv5 – Published: 2026-04-17 19:24 – Updated: 2026-07-10 22:35
VLAI
Title
Anviz CX7 Firmware Relative Path Traversal
Summary
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Anviz Anviz CX7 Firmware Affected: All versions
Create a notification for this product.
Credits
An anonymous researcher reported this vulnerability to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31927",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T20:34:19.788440Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T20:34:41.679Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Anviz CX7 Firmware",
          "vendor": "Anviz",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "An anonymous researcher reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Anviz CX7 Firmware\u0026nbsp;is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug\u2011setting changes."
            }
          ],
          "value": "Anviz CX7 Firmware\u00a0is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug\u2011setting changes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T22:35:14.120Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.anviz.com/contact-us.html"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
        }
      ],
      "source": {
        "advisory": "ICSA-26-106-03",
        "discovery": "EXTERNAL"
      },
      "title": "Anviz CX7 Firmware Relative Path Traversal",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Anviz did not respond to CISA\u0027s attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at \u003ca href=\"https://www.anviz.com/contact-us.html\"\u003ehttps://www.anviz.com/contact-us.html\u003c/a\u003e."
            }
          ],
          "value": "Anviz did not respond to CISA\u0027s attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at  https://www.anviz.com/contact-us.html ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-31927",
    "datePublished": "2026-04-17T19:24:53.893Z",
    "dateReserved": "2026-04-14T15:42:14.030Z",
    "dateUpdated": "2026-07-10T22:35:14.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31831 (GCVE-0-2026-31831)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:42 – Updated: 2026-03-31 19:09
VLAI
Title
Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint
Summary
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
Tautulli Tautulli Affected: < 2.17.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31831",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:39:50.406586Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T19:09:40.491Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tautulli",
          "vendor": "Tautulli",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server\u0027s filesystem. This issue has been patched in version 2.17.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:42:23.002Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"
        },
        {
          "name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"
        }
      ],
      "source": {
        "advisory": "GHSA-xp55-2pf4-fv8m",
        "discovery": "UNKNOWN"
      },
      "title": "Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31831",
    "datePublished": "2026-03-30T19:42:23.002Z",
    "dateReserved": "2026-03-09T17:41:56.077Z",
    "dateUpdated": "2026-03-31T19:09:40.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29778 (GCVE-0-2026-29778)

Vulnerability from cvelistv5 – Published: 2026-03-07 15:28 – Updated: 2026-03-09 18:26
VLAI
Title
pyLoad: Arbitrary File Write via Path Traversal in edit_package()
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
pyload pyload Affected: >= 0.5.0b3.dev13, < 0.5.0b3.dev97
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29778",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T17:52:31.612889Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T18:26:46.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pyload",
          "vendor": "pyload",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0b3.dev13, \u003c 0.5.0b3.dev97"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T15:28:36.919Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"
        }
      ],
      "source": {
        "advisory": "GHSA-6px9-j4qr-xfjw",
        "discovery": "UNKNOWN"
      },
      "title": "pyLoad: Arbitrary File Write via Path Traversal in edit_package()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29778",
    "datePublished": "2026-03-07T15:28:36.919Z",
    "dateReserved": "2026-03-04T16:26:02.898Z",
    "dateUpdated": "2026-03-09T18:26:46.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29201 (GCVE-0-2026-29201)

Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-13 21:59
VLAI
Summary
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
Impacted products
Vendor Product Version
WebPros cPanel Affected: 11.136.0.0 , < 11.136.0.9 (semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver)
Affected: 11.132.0.0 , < 11.132.0.31 (semver)
Affected: 11.130.0.0 , < 11.130.0.22 (semver)
Affected: 11.126.0.0 , < 11.126.0.58 (semver)
Affected: 11.124.0.0 , < 11.124.0.37 (semver)
Affected: 11.118.0.0 , < 11.118.0.66 (semver)
Affected: 11.110.0.0 , < 11.110.0.117 (semver)
Affected: 11.102.0.0 , < 11.102.0.41 (semver)
Affected: 11.94.0.0 , < 11.94.0.30 (semver)
Affected: 11.86.0.0 , < 11.86.0.43 (semver)
Create a notification for this product.
WebPros WP Squared Affected: 11.136.1.0 , < 11.136.1.11 (semver)
Create a notification for this product.
WebPros cPanel (CloudLinux 6, CentOS 6) Affected: 11.110.0.0 , < 11.110.0.116 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29201",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T19:52:34.386985Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T19:52:40.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "cPanel",
          "vendor": "WebPros",
          "versions": [
            {
              "lessThan": "11.136.0.9",
              "status": "affected",
              "version": "11.136.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.134.0.25",
              "status": "affected",
              "version": "11.134.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.132.0.31",
              "status": "affected",
              "version": "11.132.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.130.0.22",
              "status": "affected",
              "version": "11.130.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.126.0.58",
              "status": "affected",
              "version": "11.126.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.124.0.37",
              "status": "affected",
              "version": "11.124.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.118.0.66",
              "status": "affected",
              "version": "11.118.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.110.0.117",
              "status": "affected",
              "version": "11.110.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.102.0.41",
              "status": "affected",
              "version": "11.102.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.94.0.30",
              "status": "affected",
              "version": "11.94.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.86.0.43",
              "status": "affected",
              "version": "11.86.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Squared",
          "vendor": "WebPros",
          "versions": [
            {
              "lessThan": "11.136.1.11",
              "status": "affected",
              "version": "11.136.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "cPanel (CloudLinux 6, CentOS 6)",
          "vendor": "WebPros",
          "versions": [
            {
              "lessThan": "11.110.0.116",
              "status": "affected",
              "version": "11.110.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23 Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T21:59:09.469Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-29201",
    "datePublished": "2026-05-08T18:51:05.803Z",
    "dateReserved": "2026-03-04T15:00:09.267Z",
    "dateUpdated": "2026-05-13T21:59:09.469Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29101 (GCVE-0-2026-29101)

Vulnerability from cvelistv5 – Published: 2026-03-19 22:51 – Updated: 2026-03-20 18:09
VLAI
Title
SuiteCRM Vulnerable to Directory Traversal to DoS in Modules
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
SuiteCRM SuiteCRM Affected: < 7.15.1
Affected: >= 8.0.0, < 8.9.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29101",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:59:10.693199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T18:09:29.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuiteCRM",
          "vendor": "SuiteCRM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.15.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T22:51:47.718Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg"
        },
        {
          "name": "https://docs.suitecrm.com/admin/releases/7.15.x",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.suitecrm.com/admin/releases/7.15.x"
        }
      ],
      "source": {
        "advisory": "GHSA-24pf-9cvh-ppcg",
        "discovery": "UNKNOWN"
      },
      "title": "SuiteCRM Vulnerable to Directory Traversal to DoS in Modules"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29101",
    "datePublished": "2026-03-19T22:51:47.718Z",
    "dateReserved": "2026-03-03T21:54:06.708Z",
    "dateUpdated": "2026-03-20T18:09:29.978Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29098 (GCVE-0-2026-29098)

Vulnerability from cvelistv5 – Published: 2026-03-19 22:43 – Updated: 2026-03-20 17:45
VLAI
Title
SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
SuiteCRM SuiteCRM Affected: < 7.15.1
Affected: >= 8.0.0, < 8.9.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29098",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T17:43:50.482877Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T17:45:30.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuiteCRM",
          "vendor": "SuiteCRM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.15.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T22:47:11.424Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf"
        },
        {
          "name": "https://docs.suitecrm.com/admin/releases/7.15.x",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.suitecrm.com/admin/releases/7.15.x"
        }
      ],
      "source": {
        "advisory": "GHSA-6858-fhw5-56gf",
        "discovery": "UNKNOWN"
      },
      "title": "SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29098",
    "datePublished": "2026-03-19T22:43:58.568Z",
    "dateReserved": "2026-03-03T21:54:06.708Z",
    "dateUpdated": "2026-03-20T17:45:30.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27625 (GCVE-0-2026-27625)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:44 – Updated: 2026-03-20 15:37
VLAI
Title
Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction
Summary
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27625",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T15:36:55.042694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T15:37:16.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Stirling-PDF",
          "vendor": "Stirling-Tools",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T08:44:24.942Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-wccq-mg6x-2w22"
        },
        {
          "name": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Stirling-Tools/Stirling-PDF/releases/tag/v2.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-wccq-mg6x-2w22",
        "discovery": "UNKNOWN"
      },
      "title": "Stirling-PDF Zip Slip: Arbitrary File Write via Path Traversal in Markdown-to-PDF ZIP Extraction"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27625",
    "datePublished": "2026-03-20T08:44:24.942Z",
    "dateReserved": "2026-02-20T22:02:30.027Z",
    "dateUpdated": "2026-03-20T15:37:16.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27489 (GCVE-0-2026-27489)

Vulnerability from cvelistv5 – Published: 2026-04-01 17:33 – Updated: 2026-07-15 01:14
VLAI
Title
ONNX: Path Traversal via Symlink
Summary
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-23 - Relative Path Traversal
  • CWE-61 - UNIX Symbolic Link (Symlink) Following
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
onnx onnx Affected: < 1.21.0
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078312 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078429 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780069222 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078632 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078416 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780417775 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078388 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780069146 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078413 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780069226 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078629 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780078414 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27489",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T19:08:27.206936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T19:09:18.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078312",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078429",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780069222",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078632",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078416",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780417775",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078388",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780069146",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078413",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780069226",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078629",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078414",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780078632",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780069222",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-openvino-model-server-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-04-01T17:33:51.281Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Open Neural Network Exchange (ONNX), an open standard for machine learning interoperability. This path traversal vulnerability, exploitable via a symbolic link (symlink), allows an attacker to read arbitrary files located outside of the intended model or user-provided directories. This could lead to unauthorized information disclosure."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:14:13.726Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-27489"
          },
          {
            "name": "RHBZ#2453929",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453929"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27489.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24977"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:24977: Red Hat OpenShift AI 2.25"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-04-01T18:01:42.208Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-04-01T17:33:51.281Z",
            "value": "Made public."
          }
        ],
        "title": "onnx: ONNX: Information Disclosure via Path Traversal Vulnerability",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "onnx",
          "vendor": "onnx",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.21.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T17:33:51.281Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73"
        },
        {
          "name": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"
        }
      ],
      "source": {
        "advisory": "GHSA-3r9x-f23j-gc73",
        "discovery": "UNKNOWN"
      },
      "title": "ONNX: Path Traversal via Symlink"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27489",
    "datePublished": "2026-04-01T17:33:51.281Z",
    "dateReserved": "2026-02-19T19:46:03.541Z",
    "dateUpdated": "2026-07-15T01:14:13.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.