CWE-35
AllowedPath Traversal: '.../...//'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
334 vulnerabilities reference this CWE, most recent first.
GHSA-H3Q6-JFRG-3X6Q
Vulnerability from github – Published: 2026-02-04 20:07 – Updated: 2026-02-05 21:47The following security vulnerability was identified in jsPDF versions <=3.0.4: Local File Inclusion/Path Traversal.
Impact
Since SurveyJS PDF Generator depends on jsPDF, any project using survey-pdf v1.12.58 and lower or v2.5.4 and lower could be exposed to this vulnerability.
Solution
SurveyJS PDF Generator has upgraded jsPDF to version >= 4.0.0 and included the fix in the following survey-pdf releases:
Action
Users should upgrade survey-pdf in their projects to v1.12.59+ or v2.5.5+ immediately.
Notes
No other survey-pdf dependencies are affected. This update is fully backward-compatible with previous survey-pdf releases.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.58"
},
"package": {
"ecosystem": "npm",
"name": "survey-pdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.59"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.4"
},
"package": {
"ecosystem": "npm",
"name": "survey-pdf"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25630"
],
"database_specific": {
"cwe_ids": [
"CWE-35",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T20:07:34Z",
"nvd_published_at": "2026-02-05T19:15:56Z",
"severity": "CRITICAL"
},
"details": "The following security vulnerability was identified in jsPDF versions \u003c=3.0.4: [Local File Inclusion/Path Traversal](https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2).\n\n### Impact\n\nSince SurveyJS PDF Generator depends on jsPDF, any project using `survey-pdf` v1.12.58 and lower or v2.5.4 and lower could be exposed to this vulnerability.\n\n### Solution\n\nSurveyJS PDF Generator has upgraded jsPDF to version \u003e= 4.0.0 and included the fix in the following `survey-pdf` releases:\n\n* [v1.12.59](https://www.npmjs.com/package/survey-pdf/v/1.12.59)\n* [v2.5.5](https://www.npmjs.com/package/survey-pdf/v/2.5.5)\n\n### Action\n\nUsers should upgrade `survey-pdf` in their projects to v1.12.59+ or v2.5.5+ immediately.\n\n### Notes\n\nNo other `survey-pdf` dependencies are affected. This update is fully backward-compatible with previous `survey-pdf` releases.",
"id": "GHSA-h3q6-jfrg-3x6q",
"modified": "2026-02-05T21:47:25Z",
"published": "2026-02-04T20:07:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2"
},
{
"type": "WEB",
"url": "https://github.com/surveyjs/survey-pdf/security/advisories/GHSA-h3q6-jfrg-3x6q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25630"
},
{
"type": "PACKAGE",
"url": "https://github.com/surveyjs/survey-pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "survey-pdf Upgraded jsPDF Version Due to Security Vulnerability"
}
GHSA-H3WP-R29V-882C
Vulnerability from github – Published: 2023-01-13 09:30 – Updated: 2026-05-20 09:30The File Management System developed by FileOrbis before version 10.6.3 has an unauthenticated local file inclusion and path traversal vulnerability. This has been fixed in the version 10.6.3
{
"affected": [],
"aliases": [
"CVE-2022-3693"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-13T08:15:00Z",
"severity": "HIGH"
},
"details": "The File Management System developed by FileOrbis before version 10.6.3 has an unauthenticated local file inclusion and path traversal vulnerability. This has been fixed in the version 10.6.3",
"id": "GHSA-h3wp-r29v-882c",
"modified": "2026-05-20T09:30:32Z",
"published": "2023-01-13T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3693"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0021"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H438-86CM-G2Q6
Vulnerability from github – Published: 2024-06-07 12:34 – Updated: 2026-04-08 18:33The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitrary files on the server, which can contain sensitive information, and to cut (delete) arbitrary directories, including the root WordPress directory. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery edit permissions to lower level users, which might make this exploitable by users as low as contributors.
{
"affected": [],
"aliases": [
"CVE-2024-5481"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-07T10:15:11Z",
"severity": "MODERATE"
},
"details": "The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitrary files on the server, which can contain sensitive information, and to cut (delete) arbitrary directories, including the root WordPress directory. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery edit permissions to lower level users, which might make this exploitable by users as low as contributors.",
"id": "GHSA-h438-86cm-g2q6",
"modified": "2026-04-08T18:33:22Z",
"published": "2024-06-07T12:34:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5481"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L178"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L436"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L512"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3098798"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/photo-gallery/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76c38826-4d49-4204-b6b6-b01d01373fa9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMGM-P3V6-4GVH
Vulnerability from github – Published: 2025-11-06 18:32 – Updated: 2026-01-20 15:31Path Traversal: '.../...//' vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue affects Wanderland: from n/a through <= 1.7.1.
{
"affected": [],
"aliases": [
"CVE-2025-39467"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T16:15:51Z",
"severity": "CRITICAL"
},
"details": "Path Traversal: \u0027.../...//\u0027 vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue affects Wanderland: from n/a through \u003c= 1.7.1.",
"id": "GHSA-hmgm-p3v6-4gvh",
"modified": "2026-01-20T15:31:46Z",
"published": "2025-11-06T18:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39467"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-1-7-1-local-file-inclusion-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-1-7-1-local-file-inclusion-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-1-7-1-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HX7J-RVM5-9VW9
Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2025-08-28 00:30A low privileged remote attacker can overwrite an arbitrary file on the filesystem which may lead to an arbitrary file read with root privileges.
{
"affected": [],
"aliases": [
"CVE-2024-41972"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T10:15:05Z",
"severity": "MODERATE"
},
"details": "A low privileged remote attacker can\u00a0overwrite an arbitrary file on the filesystem which\u00a0may lead to an arbitrary file read with root privileges.",
"id": "GHSA-hx7j-rvm5-9vw9",
"modified": "2025-08-28T00:30:27Z",
"published": "2024-11-18T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41972"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3RG-CJ85-6MQ6
Vulnerability from github – Published: 2025-02-05 15:32 – Updated: 2025-02-05 15:32A vulnerability was discovered in the firmware builds up to 8.2.1.0820 in Poly Edge E devices. The firmware flaw does not properly prevent path traversal and could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-0858"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T15:15:21Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in the firmware builds up to 8.2.1.0820 in Poly Edge E devices. The firmware flaw does not properly prevent path traversal and could lead to information disclosure.",
"id": "GHSA-j3rg-cj85-6mq6",
"modified": "2025-02-05T15:32:24Z",
"published": "2025-02-05T15:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0858"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_11926124-11926148-16/hpsbpy03996"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JFG5-8678-GX36
Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2026-04-01 18:35Path Traversal vulnerability in Fernando Briano List category posts allows PHP Local File Inclusion. This issue affects List category posts: from n/a through 0.90.3.
{
"affected": [],
"aliases": [
"CVE-2025-47636"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T15:16:16Z",
"severity": "HIGH"
},
"details": "Path Traversal vulnerability in Fernando Briano List category posts allows PHP Local File Inclusion. This issue affects List category posts: from n/a through 0.90.3.",
"id": "GHSA-jfg5-8678-gx36",
"modified": "2026-04-01T18:35:04Z",
"published": "2025-05-07T15:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47636"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHX9-8PP3-9Q4M
Vulnerability from github – Published: 2024-08-27 09:30 – Updated: 2024-08-27 09:30An authenticated user can download sensitive files from Trellix products NX, EX, FX, AX, IVX, and CMS using path traversal for the URL of network anomaly download_artifact.
{
"affected": [],
"aliases": [
"CVE-2024-7608"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-27T08:15:05Z",
"severity": "MODERATE"
},
"details": "An authenticated user can download sensitive files from Trellix products NX, EX, FX, AX, IVX, and CMS using path traversal for the URL of network anomaly download_artifact.",
"id": "GHSA-jhx9-8pp3-9q4m",
"modified": "2024-08-27T09:30:45Z",
"published": "2024-08-27T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7608"
},
{
"type": "WEB",
"url": "https://thrive.trellix.com/s/article/000013844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMWP-442V-8QQQ
Vulnerability from github – Published: 2025-04-18 15:31 – Updated: 2026-04-01 18:34Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0.
{
"affected": [],
"aliases": [
"CVE-2025-39470"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-18T05:15:33Z",
"severity": "HIGH"
},
"details": "Path Traversal: \u0027.../...//\u0027 vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0.",
"id": "GHSA-jmwp-442v-8qqq",
"modified": "2026-04-01T18:34:53Z",
"published": "2025-04-18T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39470"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/ivy-school/vulnerability/wordpress-ivy-school-1-6-0-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPMF-CHCH-C98M
Vulnerability from github – Published: 2024-04-09 03:30 – Updated: 2024-04-09 03:30SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file API's. Thus, causing a considerable impact on confidentiality, integrity and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2024-27901"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T01:15:48Z",
"severity": "HIGH"
},
"details": "SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file API\u0027s. Thus, causing a considerable impact on confidentiality, integrity and availability of the application.\n\n",
"id": "GHSA-jpmf-chch-c98m",
"modified": "2024-04-09T03:30:52Z",
"published": "2024-04-09T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27901"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3438234"
},
{
"type": "WEB",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.