CWE-24
AllowedPath Traversal: '../filedir'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
187 vulnerabilities reference this CWE, most recent first.
GHSA-W9QQ-JMGQ-WFV5
Vulnerability from github – Published: 2025-07-29 00:30 – Updated: 2025-11-03 21:34An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.
{
"affected": [],
"aliases": [
"CVE-2025-54769"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T00:15:24Z",
"severity": "HIGH"
},
"details": "An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.",
"id": "GHSA-w9qq-jmgq-wfv5",
"modified": "2025-11-03T21:34:11Z",
"published": "2025-07-29T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54769"
},
{
"type": "WEB",
"url": "https://korelogic.com/Resources/Advisories/KL-001-2025-016.txt"
},
{
"type": "WEB",
"url": "https://lpar2rrd.com/note800.php"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jul/19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ5X-HGVH-F6JV
Vulnerability from github – Published: 2023-12-17 15:30 – Updated: 2023-12-17 15:30A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-6900"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-17T14:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.",
"id": "GHSA-wq5x-hgvh-f6jv",
"modified": "2023-12-17T15:30:19Z",
"published": "2023-12-17T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6900"
},
{
"type": "WEB",
"url": "https://treasure-blarney-085.notion.site/DashMachine-Arbitrary-File-Deletion-ab44f2fe68e843c393ae9e0c1d487676"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.248258"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.248258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WXJ3-5CJF-39GH
Vulnerability from github – Published: 2024-04-03 00:30 – Updated: 2024-04-03 00:30A vulnerability classified as critical has been found in Shibang Communications IP Network Intercom Broadcasting System 1.0. This affects an unknown part of the file /php/busyscreenshotpush.php. The manipulation of the argument jsondata[callee]/jsondata[imagename] leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259065 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-3218"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T00:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical has been found in Shibang Communications IP Network Intercom Broadcasting System 1.0. This affects an unknown part of the file /php/busyscreenshotpush.php. The manipulation of the argument jsondata[callee]/jsondata[imagename] leads to path traversal: \u0027../filedir\u0027. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259065 was assigned to this vulnerability.",
"id": "GHSA-wxj3-5cjf-39gh",
"modified": "2024-04-03T00:30:56Z",
"published": "2024-04-03T00:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3218"
},
{
"type": "WEB",
"url": "https://github.com/garboa/cve_3/blob/main/file_put_content.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.259065"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.259065"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.308510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X3WR-P869-7P3G
Vulnerability from github – Published: 2025-05-07 18:30 – Updated: 2025-05-07 18:30Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
{
"affected": [],
"aliases": [
"CVE-2025-47423"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T18:15:43Z",
"severity": "MODERATE"
},
"details": "Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server\u0027s private SSL key in cleartext.",
"id": "GHSA-x3wr-p869-7p3g",
"modified": "2025-05-07T18:30:50Z",
"published": "2025-05-07T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47423"
},
{
"type": "WEB",
"url": "https://github.com/haluka92/CVE-2025-47423"
},
{
"type": "WEB",
"url": "https://pwsdashboard.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X4XJ-9MHP-W8JM
Vulnerability from github – Published: 2026-03-05 09:30 – Updated: 2026-03-06 00:31Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2026-28538"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T08:15:58Z",
"severity": "MODERATE"
},
"details": "Path traversal vulnerability in the certificate management module.\u00a0Impact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-x4xj-9mhp-w8jm",
"modified": "2026-03-06T00:31:30Z",
"published": "2026-03-05T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28538"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/3"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XPX4-57H5-9V98
Vulnerability from github – Published: 2025-11-19 21:31 – Updated: 2025-11-20 21:30A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.
{
"affected": [],
"aliases": [
"CVE-2025-51661"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-19T20:15:52Z",
"severity": "HIGH"
},
"details": "A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.",
"id": "GHSA-xpx4-57h5-9v98",
"modified": "2025-11-20T21:30:31Z",
"published": "2025-11-19T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51661"
},
{
"type": "WEB",
"url": "https://github.com/vastsa/FileCodeBox/issues/349"
},
{
"type": "WEB",
"url": "https://github.com/vastsa/FileCodeBox"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ3X-GRRJ-FJ6X
Vulnerability from github – Published: 2023-04-02 12:30 – Updated: 2024-05-20 21:50sjqzhang go-fastdfs up to 1.4.3 is vulnerable to path traversal in the function upload of the file /group1/upload of the component File Upload Handler. The attack may be launched remotely and the exploit has been disclosed to the public and may be used.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/sjqzhang/go-fastdfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.5-0.20230408141131-61cbff5124c6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1800"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24",
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-07T22:24:59Z",
"nvd_published_at": "2023-04-02T11:15:00Z",
"severity": "CRITICAL"
},
"details": "sjqzhang go-fastdfs up to 1.4.3 is vulnerable to path traversal in the function upload of the file `/group1/upload` of the component `File Upload Handler`. The attack may be launched remotely and the exploit has been disclosed to the public and may be used.",
"id": "GHSA-xq3x-grrj-fj6x",
"modified": "2024-05-20T21:50:28Z",
"published": "2023-04-02T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1800"
},
{
"type": "WEB",
"url": "https://github.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b"
},
{
"type": "PACKAGE",
"url": "https://github.com/sjqzhang/go-fastdfs"
},
{
"type": "WEB",
"url": "https://github.com/yangyanglo/ForCVE/blob/93a16663cd32a36d37d8a0f0102e1592254d0279/2023-0x05.md"
},
{
"type": "WEB",
"url": "https://github.com/yangyanglo/ForCVE/blob/main/2023-0x05.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.224768"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.224768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "sjqzhang go-fastdfs vulnerable to path traversal"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.