CWE-36
AllowedAbsolute Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
245 vulnerabilities reference this CWE, most recent first.
GHSA-29C2-7QG3-7C74
Vulnerability from github – Published: 2025-12-29 09:30 – Updated: 2025-12-29 09:30BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2025-15227"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-29T08:15:51Z",
"severity": "HIGH"
},
"details": "BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.",
"id": "GHSA-29c2-7qg3-7c74",
"modified": "2025-12-29T09:30:24Z",
"published": "2025-12-29T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15227"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-29FJ-MX8X-VQCG
Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-04 12:30The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
{
"affected": [],
"aliases": [
"CVE-2025-9518"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T10:42:35Z",
"severity": "HIGH"
},
"details": "The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the \u0027debug_path\u0027 parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
"id": "GHSA-29fj-mx8x-vqcg",
"modified": "2025-09-04T12:30:42Z",
"published": "2025-09-04T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9518"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L320"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3355260%40atec-debug%2Ftrunk\u0026old=3342365%40atec-debug%2Ftrunk"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170cd2e3-e31b-452e-8c15-d44a8be7757b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2GV2-CFFP-J227
Vulnerability from github – Published: 2026-05-27 22:50 – Updated: 2026-05-27 22:50Summary
In the runtime-rs standalone virtio-fs path, verified here with QEMU (and verified with Cloud Hypervisor too), Kata Containers runs host virtiofsd as root with:
--sandbox none --seccomp none
If an attacker has root-equivalent execution inside the Kata guest VM, they can send raw FUSE requests directly to the host virtiofsd. With the tested runtime-rs virtio-fs configuration, a raw FUSE_SYMLINK request whose new symlink name is an absolute host path is honored outside the virtio-fs shared directory.
This lets guest root create host-root owned symlinks in sensitive host paths. The PoC created here will create symlinks in the host /etc/cron.d directory, causing host cron to execute a guest-controlled payload as host root.
Impact: guest root can execute code as host root.
Affected configuration
The verified host used:
/opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml
rootless = false
shared_fs = "virtio-fs"
virtio_fs_daemon = "/opt/kata/libexec/virtiofsd"
hypervisor_name = "qemu"
debug_console_enabled = false
Pinned upstream references, using Kata Containers main commit 2ffd1538a296cff93a357bfba0dfca747480a1f8:
- runtime-rs standalone virtio-fs adds
--sandbox none --seccomp noneto thevirtiofsdcommand line. - runtime-rs QEMU leaves rootless mode disabled by default:
rootless = false. - The QEMU runtime-rs config template generates an installed config that uses standalone virtio-fs and points runtime-rs at the host
virtiofsdbinary:shared_fsandvirtio_fs_daemon. - The runtime-rs Makefile resolves those placeholders to
virtio-fsand$(LIBEXECDIR)/virtiofsd. - runtime-rs selects the same standalone virtio-fs implementation whenever
shared_fs = "virtio-fs":ShareVirtioFsStandalone.
Details
The guest kernel normally owns the virtio-fs client. A normal guest process will use filesystem syscalls, and the guest kernel will validate the paths, and only then does the kernel send FUSE messages to the host backend.
An attacker with root-equivalent access inside the guest can bypass that guest virtio-fs client. They can access the virtio-fs PCI device, mmap the virtio PCI BAR, recover guest physical addresses from /proc/self/pagemap, and build their own virtqueue from userspace. That queue can submit attacker-built FUSE messages directly to host virtiofsd.
The relevant primitive is FUSE_SYMLINK. An attacker can send a request whose body contains:
new symlink name: /etc/cron.d/kata-go-escape-cron-<pid>
symlink target: /proc/<pid>/root/run/kata-containers/shared/sandboxes/<sid>/ro/passthrough/<sid>/rootfs/tmp/kata-go-escape-payload
The new symlink name is an absolute host path. virtiofsd should reject that request or force it to resolve below the configured --shared-dir. In the tested runtime-rs path, host-root unsandboxed virtiofsd accepts the absolute name, creating a real host symlink under /etc/cron.d.
The attacker can make the symlink target resolve through /proc/<pid>/root/... for a live Kata runtime process whose mount namespace can see the guest-created payload. One matching runtime PID is enough.
When the host cron reads /etc/cron.d, it follows the root-owned symlink, loads the guest-created crontab payload, and executes it as host root.
PoC
sudo timeout --foreground --kill-after=10s 600s ctr run --rm \
--runtime /opt/kata/runtime-rs/bin/containerd-shim-kata-v2 \
--runtime-config-path /opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml \
--privileged \
--privileged-without-host-devices \
docker.io/library/kata-go-escape:local \
"$run_id"
The container is privileged only to model the post-escape condition where the attacker already has guest-root capabilities. It is not the vulnerability by itself.
Inside the guest, the PoC:
- Writes a cron payload to guest
/tmp/kata-go-escape-payload. - Finds the virtio-fs PCI device in guest /sys.
- Takes over a virtio-fs queue from userspace.
- Sends
FUSE_INIT. - Discovers the current runtime-rs sandbox under
passthrough/. - Looks up
passthrough/<sid>/rootfs/tmp/kata-go-escape-payload. - Sends raw
FUSE_SYMLINKrequests where the new symlink names are absolute host paths under/etc/cron.d. - Keeps the guest alive while host cron scans.
Example log lines:
[guest] virtio-fs PCI device: /sys/devices/pci0000:00/0000:00:05.0
[res] sandbox_id=kata-go-escape-test-1778522686-1539
[res] lookup_path_error=0 path=passthrough/kata-go-escape-test-1778522686-1539/rootfs/tmp/kata-go-escape-payload nodeid=21
[spray] pid=1 err=-2 created_candidates=1
err=-2 is expected for the symlink spray. virtiofsd can return ENOENT after the side effect because its follow-up lookup is still relative to the export root. The host symlink creation has already happened.
Impact
The PoC proves guest-root to host-root command execution.
Verified host proof:
/run/kata-go-escape.proof
uid=0(root) gid=0(root) groups=0(root)
Mon May 11 18:05:01 UTC 2026
The proof file is written in host /run by host cron. It is not written by the guest process and not written by virtiofsd.
An attacker who reaches guest root can therefore cross the Kata isolation boundary and execute commands as host root on affected runtime-rs virtio-fs deployments.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kata-containers/kata-containers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260519062212-ffa59ce3aa78"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47243"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T22:50:01Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nIn the runtime-rs standalone virtio-fs path, verified here with QEMU (and verified with Cloud Hypervisor too), Kata Containers runs host `virtiofsd` as root with:\n\n```\n--sandbox none --seccomp none\n```\n\nIf an attacker has root-equivalent execution inside the Kata guest VM, they can send raw FUSE requests directly to the host `virtiofsd`. With the tested runtime-rs virtio-fs configuration, a raw `FUSE_SYMLINK` request whose new symlink name is an absolute host path is honored outside the virtio-fs shared directory.\n\nThis lets guest root create host-root owned symlinks in sensitive host paths. The PoC created here will create symlinks in the host `/etc/cron.d` directory, causing host cron to execute a guest-controlled payload as host root.\n\nImpact: guest root can execute code as host root.\n\n### Affected configuration\n\nThe verified host used:\n\n```\n/opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml\n\nrootless = false\nshared_fs = \"virtio-fs\"\nvirtio_fs_daemon = \"/opt/kata/libexec/virtiofsd\"\nhypervisor_name = \"qemu\"\ndebug_console_enabled = false\n```\n\nPinned upstream references, using Kata Containers `main` commit `2ffd1538a296cff93a357bfba0dfca747480a1f8`:\n\n- runtime-rs standalone virtio-fs adds [`--sandbox none --seccomp none`](https://github.com/kata-containers/kata-containers/blob/2ffd1538a296cff93a357bfba0dfca747480a1f8/src/runtime-rs/crates/resource/src/share_fs/share_virtio_fs_standalone.rs#L82-L92) to the `virtiofsd` command line.\n- runtime-rs QEMU leaves rootless mode disabled by default: [`rootless = false`](https://github.com/kata-containers/kata-containers/blob/2ffd1538a296cff93a357bfba0dfca747480a1f8/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in#L31-L34).\n- The QEMU runtime-rs config template generates an installed config that uses standalone virtio-fs and points runtime-rs at the host `virtiofsd` binary: [`shared_fs` and `virtio_fs_daemon`](https://github.com/kata-containers/kata-containers/blob/2ffd1538a296cff93a357bfba0dfca747480a1f8/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in#L164-L171).\n- The runtime-rs Makefile resolves those placeholders to [`virtio-fs`](https://github.com/kata-containers/kata-containers/blob/2ffd1538a296cff93a357bfba0dfca747480a1f8/src/runtime-rs/Makefile#L496-L499) and [`$(LIBEXECDIR)/virtiofsd`](https://github.com/kata-containers/kata-containers/blob/2ffd1538a296cff93a357bfba0dfca747480a1f8/src/runtime-rs/Makefile#L184-L190).\n- runtime-rs selects the same standalone virtio-fs implementation whenever `shared_fs = \"virtio-fs\"`: [`ShareVirtioFsStandalone`](https://github.com/kata-containers/kata-containers/blob/2ffd1538a296cff93a357bfba0dfca747480a1f8/src/runtime-rs/crates/resource/src/share_fs/mod.rs#L158-L167).\n\n### Details\n\nThe guest kernel normally owns the virtio-fs client. A normal guest process will use filesystem syscalls, and the guest kernel will validate the paths, and only then does the kernel send FUSE messages to the host backend.\n\nAn attacker with root-equivalent access inside the guest can bypass that guest virtio-fs client. They can access the virtio-fs PCI device, mmap the virtio PCI BAR, recover guest physical addresses from `/proc/self/pagemap`, and build their own virtqueue from userspace. That queue can submit attacker-built FUSE messages directly to host `virtiofsd`.\n\nThe relevant primitive is `FUSE_SYMLINK`. An attacker can send a request whose body contains:\n\n```\nnew symlink name: /etc/cron.d/kata-go-escape-cron-\u003cpid\u003e\nsymlink target: /proc/\u003cpid\u003e/root/run/kata-containers/shared/sandboxes/\u003csid\u003e/ro/passthrough/\u003csid\u003e/rootfs/tmp/kata-go-escape-payload\n```\n\nThe new symlink name is an absolute host path. `virtiofsd` should reject that request or force it to resolve below the configured `--shared-dir`. In the tested runtime-rs path, host-root unsandboxed `virtiofsd` accepts the absolute name, creating a real host symlink under `/etc/cron.d`.\n\nThe attacker can make the symlink target resolve through `/proc/\u003cpid\u003e/root/...` for a live Kata runtime process whose mount namespace can see the guest-created payload. One matching runtime PID is enough.\n\nWhen the host cron reads `/etc/cron.d`, it follows the root-owned symlink, loads the guest-created crontab payload, and executes it as host root.\n\n### PoC\n\n```shell\nsudo timeout --foreground --kill-after=10s 600s ctr run --rm \\\n --runtime /opt/kata/runtime-rs/bin/containerd-shim-kata-v2 \\\n --runtime-config-path /opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml \\\n --privileged \\\n --privileged-without-host-devices \\\n docker.io/library/kata-go-escape:local \\\n \"$run_id\"\n```\n\nThe container is privileged only to model the post-escape condition where the attacker already has guest-root capabilities. It is not the vulnerability by itself.\n\nInside the guest, the PoC:\n\n1. Writes a cron payload to guest `/tmp/kata-go-escape-payload`.\n2. Finds the virtio-fs PCI device in guest /sys.\n3. Takes over a virtio-fs queue from userspace.\n4. Sends `FUSE_INIT`.\n5. Discovers the current runtime-rs sandbox under `passthrough/`.\n6. Looks up `passthrough/\u003csid\u003e/rootfs/tmp/kata-go-escape-payload`.\n7. Sends raw `FUSE_SYMLINK` requests where the new symlink names are absolute host paths under `/etc/cron.d`.\n8. Keeps the guest alive while host cron scans.\n\nExample log lines:\n\n```\n[guest] virtio-fs PCI device: /sys/devices/pci0000:00/0000:00:05.0\n[res] sandbox_id=kata-go-escape-test-1778522686-1539\n[res] lookup_path_error=0 path=passthrough/kata-go-escape-test-1778522686-1539/rootfs/tmp/kata-go-escape-payload nodeid=21\n[spray] pid=1 err=-2 created_candidates=1\n```\n\n`err=-2` is expected for the symlink spray. `virtiofsd` can return `ENOENT` after the side effect because its follow-up lookup is still relative to the export root. The host symlink creation has already happened.\n\n### Impact\n\nThe PoC proves guest-root to host-root command execution.\n\nVerified host proof:\n\n```\n/run/kata-go-escape.proof\n\nuid=0(root) gid=0(root) groups=0(root)\nMon May 11 18:05:01 UTC 2026\n```\n\nThe proof file is written in host `/run` by host cron. It is not written by the guest process and not written by `virtiofsd`.\n\nAn attacker who reaches guest root can therefore cross the Kata isolation boundary and execute commands as host root on affected runtime-rs virtio-fs deployments.",
"id": "GHSA-2gv2-cffp-j227",
"modified": "2026-05-27T22:50:01Z",
"published": "2026-05-27T22:50:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kata-containers/kata-containers/security/advisories/GHSA-2gv2-cffp-j227"
},
{
"type": "WEB",
"url": "https://github.com/kata-containers/kata-containers/commit/ffa59ce3aa7877d067c9a372df0c329a23a01744"
},
{
"type": "PACKAGE",
"url": "https://github.com/kata-containers/kata-containers"
},
{
"type": "WEB",
"url": "https://github.com/kata-containers/kata-containers/releases/tag/3.31.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs"
}
GHSA-2JJ9-P9WG-X9Q9
Vulnerability from github – Published: 2025-02-12 18:31 – Updated: 2025-02-24 18:32In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-6097"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T18:15:21Z",
"severity": "MODERATE"
},
"details": "In Progress\u00ae Telerik\u00ae Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.",
"id": "GHSA-2jj9-p9wg-x9q9",
"modified": "2025-02-24T18:32:31Z",
"published": "2025-02-12T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6097"
},
{
"type": "WEB",
"url": "https://docs.telerik.com/reporting/knowledge-base/kb-security-absolute-path-traversal-CVE-2024-6097"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2JJP-7RW3-8XF9
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-08-06 00:00Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device.
{
"affected": [],
"aliases": [
"CVE-2021-1297"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-04T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device.",
"id": "GHSA-2jjp-7rw3-8xf9",
"modified": "2022-08-06T00:00:38Z",
"published": "2022-05-24T17:41:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1297"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv160-260-filewrite-7x9mnKjn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32MV-32JR-45Q9
Vulnerability from github – Published: 2023-05-17 18:30 – Updated: 2023-05-17 18:30A vulnerability has been found in Weaver OA up to 9.5 and classified as problematic. This vulnerability affects unknown code of the file /E-mobile/App/System/File/downfile.php. The manipulation of the argument url leads to absolute path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-229270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-2765"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-17T17:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Weaver OA up to 9.5 and classified as problematic. This vulnerability affects unknown code of the file /E-mobile/App/System/File/downfile.php. The manipulation of the argument url leads to absolute path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-229270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-32mv-32jr-45q9",
"modified": "2023-05-17T18:30:30Z",
"published": "2023-05-17T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2765"
},
{
"type": "WEB",
"url": "https://github.com/eckert-lcc/cve/blob/main/Weaver%20oa.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.229270"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.229270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3453-MRQQ-23PM
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-20 15:31Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
{
"affected": [],
"aliases": [
"CVE-2026-26337"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T18:24:59Z",
"severity": "HIGH"
},
"details": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.",
"id": "GHSA-3453-mrqq-23pm",
"modified": "2026-02-20T15:31:00Z",
"published": "2026-02-19T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26337"
},
{
"type": "WEB",
"url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551"
},
{
"type": "WEB",
"url": "https://www.hyland.com/en/solutions/products/alfresco-platform"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-367V-5PPJ-2HRX
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 19:58Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.
HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:htmlpublisher"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "427"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53651"
],
"database_specific": {
"cwe_ids": [
"CWE-36",
"CWE-779"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T20:44:31Z",
"nvd_published_at": "2025-07-09T16:15:24Z",
"severity": "MODERATE"
},
"details": "Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.\n\nHTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.",
"id": "GHSA-367v-5ppj-2hrx",
"modified": "2025-11-05T19:58:40Z",
"published": "2025-07-09T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53651"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/htmlpublisher-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3547"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs"
}
GHSA-39MP-8HJ3-5C49
Vulnerability from github – Published: 2026-03-01 01:28 – Updated: 2026-06-06 00:22Summary
Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system.
Details
Python 3.13+ changed the definition of os.path.isabs so that root-relative paths like /windows/win.ini on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely.
This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication.
PoC
% curl http://10.10.10.10:7860/static//windows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Impact
Arbitrary file read in the context of the Windows user running Gradio.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28414"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-01T01:28:41Z",
"nvd_published_at": "2026-02-27T22:16:24Z",
"severity": "HIGH"
},
"details": "### Summary\nGradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system.\n\n### Details\nPython 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio\u0027s logic for joining paths safely.\n\nThis can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication.\n\n### PoC\n```\n% curl http://10.10.10.10:7860/static//windows/win.ini\n; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n[Mail]\nMAPI=1\n```\n\n### Impact\nArbitrary file read in the context of the Windows user running Gradio.",
"id": "GHSA-39mp-8hj3-5c49",
"modified": "2026-06-06T00:22:19Z",
"published": "2026-03-01T01:28:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28414"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-64.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+"
}
GHSA-3F2H-3GPM-GQ2C
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-08-06 00:00Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device.
{
"affected": [],
"aliases": [
"CVE-2021-1296"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-04T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device.",
"id": "GHSA-3f2h-3gpm-gq2c",
"modified": "2022-08-06T00:00:38Z",
"published": "2022-05-24T17:41:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1296"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv160-260-filewrite-7x9mnKjn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-597: Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.