CWE-35
AllowedPath Traversal: '.../...//'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
334 vulnerabilities reference this CWE, most recent first.
GHSA-G78H-54HC-HC8F
Vulnerability from github – Published: 2025-06-17 15:31 – Updated: 2026-04-28 21:35Path Traversal vulnerability in yannisraft Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery allows Path Traversal. This issue affects Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery: from n/a through 1.0.12.
{
"affected": [],
"aliases": [
"CVE-2025-49451"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T15:15:49Z",
"severity": "HIGH"
},
"details": "Path Traversal vulnerability in yannisraft Aeroscroll Gallery \u2013 Infinite Scroll Image Gallery \u0026amp; Post Grid with Photo Gallery allows Path Traversal. This issue affects Aeroscroll Gallery \u2013 Infinite Scroll Image Gallery \u0026amp; Post Grid with Photo Gallery: from n/a through 1.0.12.",
"id": "GHSA-g78h-54hc-hc8f",
"modified": "2026-04-28T21:35:42Z",
"published": "2025-06-17T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49451"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/aeroscroll-gallery/vulnerability/wordpress-aeroscroll-gallery-infinite-scroll-image-gallery-post-grid-with-photo-gallery-1-0-12-directory-traversal-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G97F-X473-QCH6
Vulnerability from github – Published: 2025-04-11 09:30 – Updated: 2026-04-01 18:34Path Traversal vulnerability in Trusty Plugins Shop Products Filter allows PHP Local File Inclusion. This issue affects Shop Products Filter: from n/a through 1.2.
{
"affected": [],
"aliases": [
"CVE-2025-32585"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-11T09:15:29Z",
"severity": "HIGH"
},
"details": "Path Traversal vulnerability in Trusty Plugins Shop Products Filter allows PHP Local File Inclusion. This issue affects Shop Products Filter: from n/a through 1.2.",
"id": "GHSA-g97f-x473-qch6",
"modified": "2026-04-01T18:34:40Z",
"published": "2025-04-11T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32585"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/trusty-woo-products-filter/vulnerability/wordpress-shop-products-filter-plugin-1-2-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GGH5-8M9W-PGPG
Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-26356"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T14:15:36Z",
"severity": "HIGH"
},
"details": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.",
"id": "GHSA-ggh5-8m9w-pgpg",
"modified": "2025-02-12T15:32:01Z",
"published": "2025-02-12T15:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26356"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPJ2-23JF-PGQ2
Vulnerability from github – Published: 2024-11-04 15:31 – Updated: 2026-04-01 18:32Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through 2.1.4.
{
"affected": [],
"aliases": [
"CVE-2024-51582"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T14:15:16Z",
"severity": "HIGH"
},
"details": "Path Traversal: \u0027.../...//\u0027 vulnerability in ThimPress WP Hotel Booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through 2.1.4.",
"id": "GHSA-gpj2-23jf-pgq2",
"modified": "2026-04-01T18:32:17Z",
"published": "2024-11-04T15:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51582"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-1-4-local-file-inclusion-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-hotel-booking/wordpress-wp-hotel-booking-plugin-2-1-4-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPQF-QCRR-QP6H
Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-26354"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T14:15:35Z",
"severity": "HIGH"
},
"details": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.",
"id": "GHSA-gpqf-qcrr-qp6h",
"modified": "2025-02-12T15:32:00Z",
"published": "2025-02-12T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26354"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQMC-VX75-XCQG
Vulnerability from github – Published: 2025-11-18 12:30 – Updated: 2025-11-18 12:30A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
{
"affected": [],
"aliases": [
"CVE-2025-41736"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T11:15:47Z",
"severity": "HIGH"
},
"details": "A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.",
"id": "GHSA-gqmc-vx75-xcqg",
"modified": "2025-11-18T12:30:18Z",
"published": "2025-11-18T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41736"
},
{
"type": "WEB",
"url": "https://certvde.com/de/advisories/VDE-2025-097"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GR39-VVC6-5G3H
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-08-29 21:31htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2024-34191"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T16:17:23Z",
"severity": "MODERATE"
},
"details": "htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request.",
"id": "GHSA-gr39-vvc6-5g3h",
"modified": "2024-08-29T21:31:02Z",
"published": "2024-05-14T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34191"
},
{
"type": "WEB",
"url": "https://chmod744.super.site/htmly-cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GW24-5V6P-PVVV
Vulnerability from github – Published: 2025-10-22 09:30 – Updated: 2025-10-22 09:30The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations.
{
"affected": [],
"aliases": [
"CVE-2025-41723"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T07:15:33Z",
"severity": "CRITICAL"
},
"details": "The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations.",
"id": "GHSA-gw24-5v6p-pvvv",
"modified": "2025-10-22T09:30:19Z",
"published": "2025-10-22T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41723"
},
{
"type": "WEB",
"url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GW27-H66H-PHFX
Vulnerability from github – Published: 2025-06-27 12:31 – Updated: 2026-04-28 21:35Path Traversal vulnerability in TMRW-studio Katerio - Magazine allows PHP Local File Inclusion. This issue affects Katerio - Magazine: from n/a through 1.5.1.
{
"affected": [],
"aliases": [
"CVE-2025-52810"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T12:15:42Z",
"severity": "HIGH"
},
"details": "Path Traversal vulnerability in TMRW-studio Katerio - Magazine allows PHP Local File Inclusion. This issue affects Katerio - Magazine: from n/a through 1.5.1.",
"id": "GHSA-gw27-h66h-phfx",
"modified": "2026-04-28T21:35:42Z",
"published": "2025-06-27T12:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52810"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/katerio/vulnerability/wordpress-katerio-magazine-1-5-1-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H355-HM5H-CM8H
Vulnerability from github – Published: 2024-09-26 18:07 – Updated: 2024-09-26 21:11CWE-35: Path Traversal
https://cwe.mitre.org/data/definitions/35.html
CVSSv3.1 4.3 - Medium
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
A vulnerability has been discovered in Agnai that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files.
This only affects installations with JSON_STORAGE enabled which is intended to local/self-hosting only.
Details & PoC
This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request:
GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1
In this example, the attacker retrieves the package.json file content from the server by manipulating the file path.
The request is processed by the loadMessages handler in agnai/srv/api/json/index.ts and a file is read and returned to the client. The read filename is constructed using string interpolation, with no guard or check for path traversal: https://github.com/agnaistic/agnai/blob/2b878b7ca66471c5dd080197ad9ca2f7f0022655/srv/api/json/index.ts#L77
Constraints
Environment constraints: JSON Storage enabled (non standard)
Impact
This vulnerability is classified as a path traversal vulnerability. Specifically, any JSON file on the server which the webserver process has read privileges for, can be disclosed to the attacker.
Credit
- @ropwareJB
- @noe233
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "agnai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.330"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47170"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-26T18:07:52Z",
"nvd_published_at": "2024-09-26T18:15:10Z",
"severity": "LOW"
},
"details": "### CWE-35: Path Traversal\n\nhttps://cwe.mitre.org/data/definitions/35.html\n\n### CVSSv3.1 4.3 - Medium\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\nCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\n\n### Summary\n\nA vulnerability has been discovered in **Agnai** that permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files.\n**This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only.**\n\n### Details \u0026 PoC\n\nThis is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request:\n\n```tsx\nGET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage HTTP/1.1\n```\n\nIn this example, the attacker retrieves the `package.json` file content from the server by manipulating the file path.\n\nThe request is processed by the `loadMessages` handler in `agnai/srv/api/json/index.ts` and a file is read and returned to the client. The read filename is constructed using string interpolation, with no guard or check for path traversal: https://github.com/agnaistic/agnai/blob/2b878b7ca66471c5dd080197ad9ca2f7f0022655/srv/api/json/index.ts#L77\n\n#### Constraints\n\nEnvironment constraints: JSON Storage enabled (non standard)\n\n### Impact\n\nThis vulnerability is classified as a path traversal vulnerability. Specifically, any JSON file on the server which the webserver process has read privileges for, can be disclosed to the attacker.\n\n### Credit\n- @ropwareJB\n- @noe233",
"id": "GHSA-h355-hm5h-cm8h",
"modified": "2024-09-26T21:11:05Z",
"published": "2024-09-26T18:07:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/agnaistic/agnai/security/advisories/GHSA-h355-hm5h-cm8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47170"
},
{
"type": "PACKAGE",
"url": "https://github.com/agnaistic/agnai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Agnai File Disclosure Vulnerability: JSON via Path Traversal "
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.