Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-P873-HG5H-J2MP

Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2024-02-07 18:30
VLAI
Details

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can append path traversal characters to the filename when using a specific command, allowing them to read arbitrary files from the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T00:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In Rapid Software LLC\u0027s Rapid SCADA versions prior to\u00a0Version 5.8.4,\u00a0an attacker can append path traversal characters to the filename when using a specific command, allowing them to read arbitrary files from the system.\n",
  "id": "GHSA-p873-hg5h-j2mp",
  "modified": "2024-02-07T18:30:27Z",
  "published": "2024-02-02T00:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22096"
    },
    {
      "type": "WEB",
      "url": "https://rapidscada.org/contact"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9V7-8X2V-H926

Vulnerability from github – Published: 2025-11-07 18:30 – Updated: 2025-11-14 21:30
VLAI
Details

A relative path traversal vulnerability has been reported to affect QuMagie. If a remote attacker, they can then exploit the vulnerability to read the contents of unexpected files or system data.

We have already fixed the vulnerability in the following version: QuMagie 2.7.3 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-07T16:15:41Z",
    "severity": "HIGH"
  },
  "details": "A relative path traversal vulnerability has been reported to affect QuMagie. If a remote attacker, they can then exploit the vulnerability to read the contents of unexpected files or system data.\n\nWe have already fixed the vulnerability in the following version:\nQuMagie 2.7.3 and later",
  "id": "GHSA-p9v7-8x2v-h926",
  "modified": "2025-11-14T21:30:28Z",
  "published": "2025-11-07T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58464"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PCV7-RJC4-Q59M

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:30Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network.",
  "id": "GHSA-pcv7-rjc4-q59m",
  "modified": "2026-07-14T18:32:38Z",
  "published": "2026-07-14T18:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56196"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56196"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJMR-FF79-H6XP

Vulnerability from github – Published: 2024-11-12 21:30 – Updated: 2024-11-12 21:30
VLAI
Details

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker with read write administrative privileges to create non-arbitrary files on a chosen directory via crafted CLI requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T19:15:09Z",
    "severity": "LOW"
  },
  "details": "An improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker with read write administrative privileges to create non-arbitrary files on a chosen directory via crafted CLI requests.",
  "id": "GHSA-pjmr-ff79-h6xp",
  "modified": "2024-11-12T21:30:52Z",
  "published": "2024-11-12T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35274"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-179"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ32-79QF-69Q2

Vulnerability from github – Published: 2025-07-20 21:31 – Updated: 2025-07-30 18:31
VLAI
Details

An issue was discovered in Logpoint before 7.6.0. An attacker with operator privileges can exploit a path traversal vulnerability when creating a Layout Template, which can lead to remote code execution (RCE).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-20T19:15:24Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Logpoint before 7.6.0. An attacker with operator privileges can exploit a path traversal vulnerability when creating a Layout Template, which can lead to remote code execution (RCE).",
  "id": "GHSA-pq32-79qf-69q2",
  "modified": "2025-07-30T18:31:31Z",
  "published": "2025-07-20T21:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54317"
    },
    {
      "type": "WEB",
      "url": "https://servicedesk.logpoint.com/hc/en-us/articles/28685507675549-Path-Traversal-in-Layout-Templates-Allows-Remote-Code-Execution"
    },
    {
      "type": "WEB",
      "url": "https://servicedesk.logpoint.com/hc/en-us/sections/7201103730845-Product-Security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ34-FR9M-WF7M

Vulnerability from github – Published: 2024-06-14 06:34 – Updated: 2024-06-14 06:34
VLAI
Details

Path traversal vulnerability in the web server of the Toshiba printer enables attacker to overwrite orginal files or add new ones to the printer. As for the affected products/models/versions, see the reference URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T05:15:48Z",
    "severity": "HIGH"
  },
  "details": "Path traversal vulnerability in the web server of the Toshiba printer enables attacker to overwrite orginal files or add new ones to the printer. As for the affected products/models/versions, see the reference URL.",
  "id": "GHSA-pq34-fr9m-wf7m",
  "modified": "2024-06-14T06:34:48Z",
  "published": "2024-06-14T06:34:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3497"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/20240531_01.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR37-GVG2-QR9V

Vulnerability from github – Published: 2024-11-18 09:31 – Updated: 2024-11-18 09:31
VLAI
Details

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T07:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.",
  "id": "GHSA-pr37-gvg2-qr9v",
  "modified": "2024-11-18T09:31:13Z",
  "published": "2024-11-18T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11315"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-8255-0bb1a-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-8254-8daa2-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVG7-XXGR-RGPC

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2024-04-04 02:55
VLAI
Details

The Metasploit Framework module "post/osx/gather/enum_osx module" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-24T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Metasploit Framework module \"post/osx/gather/enum_osx module\" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host.",
  "id": "GHSA-pvg7-xxgr-rgpc",
  "modified": "2024-04-04T02:55:51Z",
  "published": "2022-05-24T17:26:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rapid7/metasploit-framework/issues/14008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q598-5464-X6Q8

Vulnerability from github – Published: 2025-02-15 15:30 – Updated: 2025-02-15 15:30
VLAI
Details

Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-15T13:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.",
  "id": "GHSA-q598-5464-x6q8",
  "modified": "2025-02-15T15:30:24Z",
  "published": "2025-02-15T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0822"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/bit-assist/tags/1.5.2/backend/app/HTTP/Controllers/DownloadController.php#L65"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3239816/#file3"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/bit-assist/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de9b0eba-5d2b-427c-a199-88bf96c26f5e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q62R-8PPJ-XVF4

Vulnerability from github – Published: 2025-04-09 12:49 – Updated: 2025-04-09 17:13
VLAI
Summary
Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
Details

Impact

Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location.

Patches

The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.

Workarounds

Umbraco supports the configuration of allowed and disallowed file extensions. Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0--preview004"
            },
            {
              "fixed": "14.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0-rc1"
            },
            {
              "fixed": "15.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-09T12:49:38Z",
    "nvd_published_at": "2025-04-08T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAuthenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location.\n\n### Patches\nThe issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.\n\n### Workarounds\nUmbraco supports the configuration of [allowed](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#allowed-upload-file-extensions) and [disallowed file extensions](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#disallowed-upload-file-extensions).  Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.",
  "id": "GHSA-q62r-8ppj-xvf4",
  "modified": "2025-04-09T17:13:35Z",
  "published": "2025-04-09T12:49:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-q62r-8ppj-xvf4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/d3c1443b14b1076faf13d1bcecc42860fdf5fad8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.