Common Weakness Enumeration

CWE-24

Allowed

Path Traversal: '../filedir'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

187 vulnerabilities reference this CWE, most recent first.

GHSA-RQG5-4G9G-72MH

Vulnerability from github – Published: 2025-10-01 21:31 – Updated: 2025-10-01 21:31
VLAI
Details

Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T20:18:39Z",
    "severity": "MODERATE"
  },
  "details": "Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.",
  "id": "GHSA-rqg5-4g9g-72mh",
  "modified": "2025-10-01T21:31:23Z",
  "published": "2025-10-01T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jeecgboot/JeecgBoot/issues/8827"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX94-Q7CH-5WW2

Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30
VLAI
Details

A vulnerability in the web-based management interface of Cisco PI and Cisco EPNM could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. To exploit this vulnerability, the attacker must have valid credentials on the system.

This vulnerability is due to insufficient input validation of the HTTPS URL by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request that contains directory traversal character sequences to an affected device. A successful exploit could allow the attacker to write arbitrary files to the host system. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-15T16:15:21Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco\u0026nbsp;PI and Cisco\u0026nbsp;EPNM could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. To exploit this vulnerability, the attacker must have valid credentials on the system.\n\nThis vulnerability is due to insufficient input validation of the HTTPS URL by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request that contains directory traversal character sequences to an affected device. A successful exploit could allow the attacker to write arbitrary files to the host system.\nCisco\u0026nbsp;has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.",
  "id": "GHSA-rx94-q7ch-5ww2",
  "modified": "2024-11-15T18:30:49Z",
  "published": "2024-11-15T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20656"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-path-trav-zws324yn"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-xss-NXOxDhRQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3JJ-M88W-XXXJ

Vulnerability from github – Published: 2023-12-03 12:30 – Updated: 2023-12-07 03:30
VLAI
Details

A vulnerability was found in ระบบบัญชีออนไลน์ Online Accounting System up to 1.4.0 and classified as problematic. This issue affects some unknown processing of the file ckeditor/filemanager/browser/default/image.php. The manipulation of the argument fid with the input ../../../etc/passwd leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The identifier of the patch is 9d9618422b980335bb30be612ea90f4f56cb992c. It is recommended to upgrade the affected component. The identifier VDB-246641 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-03T11:15:07Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in \u0e23\u0e30\u0e1a\u0e1a\u0e1a\u0e31\u0e0d\u0e0a\u0e35\u0e2d\u0e2d\u0e19\u0e44\u0e25\u0e19\u0e4c Online Accounting System up to 1.4.0 and classified as problematic. This issue affects some unknown processing of the file ckeditor/filemanager/browser/default/image.php. The manipulation of the argument fid with the input ../../../etc/passwd leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The identifier of the patch is 9d9618422b980335bb30be612ea90f4f56cb992c. It is recommended to upgrade the affected component. The identifier VDB-246641 was assigned to this vulnerability.",
  "id": "GHSA-v3jj-m88w-xxxj",
  "modified": "2023-12-07T03:30:31Z",
  "published": "2023-12-03T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/59160781/project/commit/9d9618422b980335bb30be612ea90f4f56cb992c"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.246641"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.246641"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V49X-3X5X-Q43G

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 21:30
VLAI
Details

A path traversal vulnerability in FastX3 thru 3.3.67 allows an unauthenticated attacker to read arbitrary files on the server. By leveraging this vulnerability, it is possible to access the application's configuration files, which contain the secret key used to sign JSON Web Tokens as well as existing JTIs. With this information, an attacker can forge valid JWTs, impersonate the root user, and achieve remote code execution in privileged context via authenticated endpoints.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T18:15:36Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability in FastX3 thru 3.3.67 allows an unauthenticated attacker to read arbitrary files on the server. By leveraging this vulnerability, it is possible to access the application\u0027s configuration files, which contain the secret key used to sign JSON Web Tokens as well as existing JTIs. With this information, an attacker can forge valid JWTs, impersonate the root user, and achieve remote code execution in privileged context via authenticated endpoints.",
  "id": "GHSA-v49x-3x5x-q43g",
  "modified": "2025-10-14T21:30:44Z",
  "published": "2025-10-14T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57618"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md?ref_type=heads"
    },
    {
      "type": "WEB",
      "url": "https://www.starnet.com/fastx"
    },
    {
      "type": "WEB",
      "url": "https://www.starnet.com/help/fastx3-3-server-release-notes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V76W-3PH8-VM66

Vulnerability from github – Published: 2024-02-12 21:30 – Updated: 2024-11-22 12:39
VLAI
Summary
Undertow Path Traversal vulnerability
Details

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.31.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0.Alpha1"
            },
            {
              "fixed": "2.3.12.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-15T20:49:11Z",
    "nvd_published_at": "2024-02-12T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.",
  "id": "GHSA-v76w-3ph8-vm66",
  "modified": "2024-11-22T12:39:07Z",
  "published": "2024-02-12T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1459"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/pull/1556"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/40bb3314f013247af8e222870bd5045ca8650c5c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/54f3e4325425c472f5af5fc973e02df83d7a711a"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1674"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1675"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1676"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1677"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2763"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2764"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1459"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259475"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/UNDERTOW-2339"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241122-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undertow Path Traversal vulnerability"
}

GHSA-VGWR-23FQ-PR7G

Vulnerability from github – Published: 2026-05-26 19:33 – Updated: 2026-05-26 19:33
VLAI
Summary
XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin
Details

Impact

A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki to be able to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.

Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.

Workarounds

XWiki is not aware of any workarounds except for being careful whom developers grant script and admin rights to.

Resources

  • https://jira.xwiki.org/browse/XWIKI-23902
  • https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-webjars-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.6-rc-1"
            },
            {
              "fixed": "16.10.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-webjars-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-webjars-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.5.0-rc-1"
            },
            {
              "fixed": "17.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T19:33:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nA potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requires that the attacker already has admin access to at least a subwiki to be able to install a malicious extension. Further, the attacker needs to publish a malicious extension in an extension repository that is configured in the instance.\n\n### Patches\nThis vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, and 18.0.0RC1.\n\n### Workarounds\nXWiki is not aware of any workarounds except for being careful whom developers grant script and admin rights to.\n\n### Resources\n* https://jira.xwiki.org/browse/XWIKI-23902\n* https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c",
  "id": "GHSA-vgwr-23fq-pr7g",
  "modified": "2026-05-26T19:33:44Z",
  "published": "2026-05-26T19:33:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vgwr-23fq-pr7g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/9f747fcd3200259a1de51957d3f5f6acc8e3816c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-23902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin"
}

GHSA-VMQV-3858-9WP7

Vulnerability from github – Published: 2025-04-26 15:30 – Updated: 2025-12-12 18:30
VLAI
Details

An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-26T15:15:44Z",
    "severity": "MODERATE"
  },
  "details": "An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath parameter.",
  "id": "GHSA-vmqv-3858-9wp7",
  "modified": "2025-12-12T18:30:27Z",
  "published": "2025-04-26T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2024-53636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/el-viper/cve-research/tree/main/CVEs/CVE-2024-53636"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VW86-C94W-V3X4

Vulnerability from github – Published: 2026-04-10 19:32 – Updated: 2026-04-24 20:36
VLAI
Summary
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
Details

Summary

The endpoint /api/av/removeUnusedAttributeView is vulnerable to a path traversal (CWE-22) that allows an attacker to delete arbitrary .json files on the server.

The issue arises because user-controlled input (id) is directly used in filesystem path construction without validation or restriction.

Access to this endpoint (e.g., via a Reader-role or publish context) is considered a precondition and not part of the vulnerability. The root cause is unsafe path handling.


Steps To Reproduce

  1. Ensure the target instance has the publish service enabled (or any valid access to the endpoint).
  2. Send the following request:
POST /api/av/removeUnusedAttributeView HTTP/1.1
Host: <target>
Content-Type: application/json

{
  "id": "../../../conf/conf"
}
  1. Observe that the request is accepted.
  2. The server resolves the path outside the intended directory and deletes the target file.

Impact

An attacker can delete arbitrary .json files within the workspace directory.

This may lead to:

  • Deletion of global configuration files (e.g., conf/conf.json)
  • Loss of user data and application state
  • Corruption of workspace metadata
  • Persistent application instability or forced recovery

This represents a server-side arbitrary file deletion primitive, which can have severe impact depending on the targeted files.


Technical Details

The vulnerable code constructs file paths as follows:

filepath.Join(util.DataDir, "storage", "av", id+".json")

Because id is not validated, attackers can inject path traversal sequences such as ../ to escape the intended directory.

Example payloads

  • ../localdata/storage/local.json
  • ../../storage/outlinedata/storage/outline.json
  • ../../../conf/confconf/conf.json

No validation or restriction is applied to:

  • input format
  • path normalization
  • directory boundaries

Root Cause

  • Untrusted user input (id) is directly used in filesystem path construction
  • No input validation or sanitization
  • No enforcement that the resolved path stays within the intended directory

Remediation

  1. Validate input strictly

  2. Only allow valid Attribute View IDs

  3. Reject any input containing path traversal sequences

  4. Enforce directory boundaries

base := filepath.Join(util.DataDir, "storage", "av")
absPath := filepath.Join(base, id+".json")

if !util.IsSubPath(base, absPath) {
    return error
}
  1. Normalize paths before use

  2. Ensure canonical paths cannot escape the base directory

  3. Add additional logical checks

  4. Verify that the target object is valid and allowed to be deleted


Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.0.0-20260407035653-2f416e5253f1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.40.0.0-20260407035653-2f416e5253f1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:32:12Z",
    "nvd_published_at": "2026-04-16T23:16:33Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe endpoint `/api/av/removeUnusedAttributeView` is vulnerable to a **path traversal (CWE-22)** that allows an attacker to delete arbitrary `.json` files on the server.\n\nThe issue arises because user-controlled input (`id`) is directly used in filesystem path construction without validation or restriction.\n\n\u003e Access to this endpoint (e.g., via a Reader-role or publish context) is considered a precondition and not part of the vulnerability. The root cause is unsafe path handling.\n\n---\n\n## Steps To Reproduce\n\n1. Ensure the target instance has the publish service enabled (or any valid access to the endpoint).\n2. Send the following request:\n\n```http\nPOST /api/av/removeUnusedAttributeView HTTP/1.1\nHost: \u003ctarget\u003e\nContent-Type: application/json\n\n{\n  \"id\": \"../../../conf/conf\"\n}\n```\n\n3. Observe that the request is accepted.\n4. The server resolves the path outside the intended directory and deletes the target file.\n\n---\n\n## Impact\n\nAn attacker can delete arbitrary `.json` files within the workspace directory.\n\nThis may lead to:\n\n* Deletion of global configuration files (e.g., `conf/conf.json`)\n* Loss of user data and application state\n* Corruption of workspace metadata\n* Persistent application instability or forced recovery\n\nThis represents a **server-side arbitrary file deletion primitive**, which can have severe impact depending on the targeted files.\n\n---\n\n## Technical Details\n\nThe vulnerable code constructs file paths as follows:\n\n```go\nfilepath.Join(util.DataDir, \"storage\", \"av\", id+\".json\")\n```\n\nBecause `id` is not validated, attackers can inject path traversal sequences such as `../` to escape the intended directory.\n\n### Example payloads\n\n* `../local` \u2192 `data/storage/local.json`\n* `../../storage/outline` \u2192 `data/storage/outline.json`\n* `../../../conf/conf` \u2192 `conf/conf.json`\n\nNo validation or restriction is applied to:\n\n* input format\n* path normalization\n* directory boundaries\n\n---\n\n## Root Cause\n\n* Untrusted user input (`id`) is directly used in filesystem path construction\n* No input validation or sanitization\n* No enforcement that the resolved path stays within the intended directory\n\n---\n\n## Remediation\n\n1. **Validate input strictly**\n\n   * Only allow valid Attribute View IDs\n   * Reject any input containing path traversal sequences\n\n2. **Enforce directory boundaries**\n\n```go\nbase := filepath.Join(util.DataDir, \"storage\", \"av\")\nabsPath := filepath.Join(base, id+\".json\")\n\nif !util.IsSubPath(base, absPath) {\n    return error\n}\n```\n\n3. **Normalize paths before use**\n\n   * Ensure canonical paths cannot escape the base directory\n\n4. **Add additional logical checks**\n\n   * Verify that the target object is valid and allowed to be deleted\n\n---",
  "id": "GHSA-vw86-c94w-v3x4",
  "modified": "2026-04-24T20:36:55Z",
  "published": "2026-04-10T19:32:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40318"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`"
}

GHSA-VX5G-JP83-6M8V

Vulnerability from github – Published: 2024-01-12 21:30 – Updated: 2024-01-12 21:30
VLAI
Details

A vulnerability classified as problematic was found in code-projects Employee Profile Management System 1.0. This vulnerability affects unknown code of the file download.php. The manipulation of the argument download_file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-250570 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T19:15:12Z",
    "severity": "LOW"
  },
  "details": "A vulnerability classified as problematic was found in code-projects Employee Profile Management System 1.0. This vulnerability affects unknown code of the file download.php. The manipulation of the argument download_file leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. VDB-250570 is the identifier assigned to this vulnerability.",
  "id": "GHSA-vx5g-jp83-6m8v",
  "modified": "2024-01-12T21:30:19Z",
  "published": "2024-01-12T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0465"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BxYQ/vul/blob/main/EMPLOYEE_PROFILE_MANAGEMENT_SYSTEM%20_FileRead.pdf"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.250570"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.250570"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6PP-PQV8-V26M

Vulnerability from github – Published: 2023-06-14 09:30 – Updated: 2023-06-14 09:30
VLAI
Details

A vulnerability has been found in OTCMS up to 6.62 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file usersNews_deal.php. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231511.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-14T09:15:09Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in OTCMS up to 6.62 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file usersNews_deal.php. The manipulation of the argument file leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231511.",
  "id": "GHSA-w6pp-pqv8-v26m",
  "modified": "2023-06-14T09:30:42Z",
  "published": "2023-06-14T09:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HuBenLab/HuBenVulList/blob/main/OTCMS%20was%20discovered%20to%20contain%20an%20arbitrary%20file%20download%20vulenrability%20via%20the%20filename.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.231511"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.231511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.