CWE-35
AllowedPath Traversal: '.../...//'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
334 vulnerabilities reference this CWE, most recent first.
GHSA-PJX5-26HX-4CJ5
Vulnerability from github – Published: 2025-05-19 18:30 – Updated: 2026-04-01 18:35Path Traversal: '.../...//' vulnerability in bslthemes Tastyc allows PHP Local File Inclusion.This issue affects Tastyc: from n/a before 2.5.2.
{
"affected": [],
"aliases": [
"CVE-2025-27010"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T18:15:28Z",
"severity": "HIGH"
},
"details": "Path Traversal: \u0027.../...//\u0027 vulnerability in bslthemes Tastyc allows PHP Local File Inclusion.This issue affects Tastyc: from n/a before 2.5.2.",
"id": "GHSA-pjx5-26hx-4cj5",
"modified": "2026-04-01T18:35:11Z",
"published": "2025-05-19T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27010"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/tastyc/vulnerability/wordpress-tastyc-2-5-2-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PM93-MHPJ-X843
Vulnerability from github – Published: 2024-11-18 18:30 – Updated: 2024-11-18 18:30A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. This vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-1132"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T16:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the API subsystem and in the web-management interface of Cisco\u0026nbsp;Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data.\nThis vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.Cisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.",
"id": "GHSA-pm93-mhpj-x843",
"modified": "2024-11-18T18:30:57Z",
"published": "2024-11-18T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1132"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-rce-dos-U2PsSkz3"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-path-trvsl-dZRQE8Lc"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmaninfdis3-OvdR6uu8"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanvman-infodis1-YuQScHB"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-ethernet-dos-HGXgJH8n"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-distupd-N87eB6Z3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PQ8X-V483-W8HJ
Vulnerability from github – Published: 2024-12-31 15:30 – Updated: 2026-04-01 18:32Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.
{
"affected": [],
"aliases": [
"CVE-2024-56045"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-31T14:15:24Z",
"severity": "CRITICAL"
},
"details": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.",
"id": "GHSA-pq8x-v483-w8hj",
"modified": "2026-04-01T18:32:54Z",
"published": "2024-12-31T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56045"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-unauthenticated-arbitrary-directory-deletion-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-unauthenticated-arbitrary-directory-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PW38-42W8-QM8M
Vulnerability from github – Published: 2023-04-24 15:30 – Updated: 2024-04-04 03:39In JetBrains Ktor before 2.3.0 path traversal in the resolveResource method was possible
{
"affected": [],
"aliases": [
"CVE-2022-48476"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-24T13:15:07Z",
"severity": "HIGH"
},
"details": "In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible\n",
"id": "GHSA-pw38-42w8-qm8m",
"modified": "2024-04-04T03:39:08Z",
"published": "2023-04-24T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48476"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q48Q-MRMP-GPX2
Vulnerability from github – Published: 2025-03-16 00:35 – Updated: 2026-04-28 21:35Path Traversal vulnerability in NotFound Pie Register Premium. This issue affects Pie Register Premium: from n/a through 3.8.3.2.
{
"affected": [],
"aliases": [
"CVE-2025-26940"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-15T22:15:14Z",
"severity": "MODERATE"
},
"details": "Path Traversal vulnerability in NotFound Pie Register Premium. This issue affects Pie Register Premium: from n/a through 3.8.3.2.",
"id": "GHSA-q48q-mrmp-gpx2",
"modified": "2026-04-28T21:35:32Z",
"published": "2025-03-16T00:35:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26940"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/pie-register-premium/vulnerability/wordpress-pie-register-premium-plugin-3-8-3-2-path-traversal-to-non-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5PH-HV6H-Q9VH
Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-26352"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T14:15:35Z",
"severity": "MODERATE"
},
"details": "A CWE-35 \"Path Traversal\" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.",
"id": "GHSA-q5ph-hv6h-q9vh",
"modified": "2025-02-12T15:32:00Z",
"published": "2025-02-12T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26352"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26352"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q65P-Q52G-JJGH
Vulnerability from github – Published: 2025-10-14 03:30 – Updated: 2025-10-14 03:30SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2025-42937"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T01:15:33Z",
"severity": "CRITICAL"
},
"details": "SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application.",
"id": "GHSA-q65p-q52g-jjgh",
"modified": "2025-10-14T03:30:57Z",
"published": "2025-10-14T03:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42937"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3630595"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q68R-7388-9J79
Vulnerability from github – Published: 2023-06-01 18:30 – Updated: 2024-04-04 04:27In the Splunk App for Lookup File Editing versions below 4.0.1, a low-privileged user can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.
{
"affected": [],
"aliases": [
"CVE-2023-32714"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T17:15:10Z",
"severity": "HIGH"
},
"details": "In the Splunk App for Lookup File Editing versions below 4.0.1, a low-privileged user can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.",
"id": "GHSA-q68r-7388-9j79",
"modified": "2024-04-04T04:27:57Z",
"published": "2023-06-01T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32714"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0608"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/8ed58987-738d-4917-9e44-b8ef6ab948a6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGJM-8MVC-7R64
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4.
{
"affected": [],
"aliases": [
"CVE-2026-25397"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:16:49Z",
"severity": "HIGH"
},
"details": "Path Traversal: \u0027.../...//\u0027 vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through \u003c= 1.0.4.",
"id": "GHSA-qgjm-8mvc-7r64",
"modified": "2026-03-26T18:31:33Z",
"published": "2026-03-25T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25397"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/file-uploader-for-woocommerce/vulnerability/wordpress-file-uploader-for-woocommerce-plugin-1-0-4-path-traversal-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QM92-93FV-VH7M
Vulnerability from github – Published: 2024-11-01 21:37 – Updated: 2024-11-01 21:37Summary
By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by
encoding / as its URL encoded form %2F.
Details
1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first.
2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from subdir/.env.
PoC
// server.ts
import { Application } from "jsr:@oak/oak@17.1.2";
const app = new Application();
app.use(async (context, next) => {
try {
await context.send({
root: './root',
hidden: false, // default
});
} catch {
await next();
}
});
await app.listen({ port: 8000 });
In terminal:
# setup root directory
mkdir root/.git
echo SECRET_KEY=oops > root/.env
echo oops > root/.git/config
# start server
deno run -A server.ts
# in another terminal
curl -D- http://127.0.0.1:8000/poc%2f../.env
curl -D- http://127.0.0.1:8000/poc%2f../.git/config
Impact
For an attacker this has potential to read sensitive user data or to gain access to server secrets.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@oakserver/oak"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-49770"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-01T21:37:10Z",
"nvd_published_at": "2024-11-01T17:15:17Z",
"severity": "HIGH"
},
"details": "### Summary\n\nBy default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by\nencoding `/` as its URL encoded form `%2F`.\n\n### Details\n\n1.) Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25) which seems to be unexpected. This is also the reason why it is not possible to access a file that\ncontains URL encoded characters unless the client URL encodes it first.\n\n2.) The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`.\n\n### PoC\n\n```ts\n// server.ts\n\nimport { Application } from \"jsr:@oak/oak@17.1.2\";\n\nconst app = new Application();\n\napp.use(async (context, next) =\u003e {\n try {\n await context.send({\n root: \u0027./root\u0027,\n hidden: false, // default\n });\n } catch {\n await next();\n }\n});\n\nawait app.listen({ port: 8000 });\n```\n\nIn terminal:\n\n```bash\n# setup root directory\nmkdir root/.git\necho SECRET_KEY=oops \u003e root/.env\necho oops \u003e root/.git/config\n\n# start server\ndeno run -A server.ts\n\n# in another terminal\ncurl -D- http://127.0.0.1:8000/poc%2f../.env\ncurl -D- http://127.0.0.1:8000/poc%2f../.git/config\n```\n\n### Impact\n\nFor an attacker this has potential to read sensitive user data or to gain access to server secrets.\n",
"id": "GHSA-qm92-93fv-vh7m",
"modified": "2024-11-01T21:37:10Z",
"published": "2024-11-01T21:37:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49770"
},
{
"type": "WEB",
"url": "https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209"
},
{
"type": "PACKAGE",
"url": "https://github.com/oakserver/oak"
},
{
"type": "WEB",
"url": "https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125"
},
{
"type": "WEB",
"url": "https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Path traversal in oak allows transfer of hidden files within the served root directory"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.