CWE-22: Path Traversal
4,762 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-22 (page 1 of 96)
- CVE-2005-10002 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-10-29
A vulnerability, which was classified as critical, was found in almosteffortless secure-files Plugin up to 1.1 on WordPress. Affected is the function sf_downloads of the file secure-files.php. The manipulation of the argument downloadfile …
- CVE-2005-2349 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-28
Zoo 2.10 has Directory traversal
- CVE-2009-3721 | HIGH | CVSS 7.8 | EG 7.8 | 2021-05-26
Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on th…
- CVE-2009-3887 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-29
ytnef has directory traversal
- CVE-2010-10011 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-01-12
A vulnerability, which was classified as problematic, was found in Acritum Femitter Server 1.04. Affected is an unknown function. The manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been …
- CVE-2010-20109 | HIGH | CVSS 8.7 | EG 0.0 | 2025-08-21
Barracuda products, confirmed in Spam & Virus Firewall, SSL VPN, and Web Application Firewall versions prior to October 2010, contain a path traversal vulnerability in the view_help.cgi endpoint. The locale parameter fails to properly sani…
- CVE-2010-5334 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-11
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (_c to basic/index.html) is not prop…
- CVE-2010-5335 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-11
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (script to basic/minimizer/index.php…
- CVE-2011-4350 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-11-26
Yaws 1.91 has a directory traversal vulnerability in the way certain URLs are processed. A remote authenticated user could use this flaw to obtain content of arbitrary local files via specially-crafted URL request.
- CVE-2012-10024 | HIGH | CVSS 7.1 | EG 0.0 | 2025-08-05
XBMC version 11.0 contains a path traversal vulnerability in its embedded HTTP server. When accessed via HTTP Basic Authentication, the server fails to properly sanitize URI input, allowing authenticated users to request files outside the …
- CVE-2012-3337 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-09-01
IBM InfoSphere Guardium 8.0, 8.01, and 8.2 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to download arbitrary fi…
- CVE-2012-6609 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-28
Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote attackers to read arbitrary files via a .. (dot dot) in the name parameter.
- CVE-2012-6652 | CRITICAL | CVSS 9.8 | 2019-05-13
Directory traversal vulnerability in pageflipbook.php script from index.php in Page Flip Book plugin for WordPress (wppageflip) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pageflipbook_lan…
- CVE-2012-6664 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-06-21
Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via a .. (dot dot) in the (1) get or (2) put commands.
- CVE-2013-1597 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-01-24
A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials.
- CVE-2013-1891 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-06-24
In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed.
- CVE-2013-2474 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-27
Directory traversal vulnerability in AWS XMS 2.5 allows remote attackers to view arbitrary files via the 'what' parameter.
- CVE-2013-2565 | MEDIUM | CVSS 5.3 | 2019-02-15
A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php, manager.php discloses the root path of the webserver.
- CVE-2013-3001 | HIGH | CVSS 7.5 | 2018-07-09
Directory traversal vulnerability in IBM InfoSphere Data Replication Dashboard 9.7 and 10.1 allows remote attackers to read arbitrary files via unspecified vectors. IBM X-Force ID: 84127.
- CVE-2013-3073 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-14
A Symlink Traversal vulnerability exists in NETGEAR Centria WNDR4700 Firmware 1.0.0.34.
- CVE-2013-3311 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-21
Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request.
- CVE-2013-4654 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-13
Symlink Traversal vulnerability in TP-LINK TL-WDR4300 and TL-1043ND.
- CVE-2013-4656 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-13
Symlink Traversal vulnerability in ASUS RT-AC66U and RT-N56U due to misconfiguration in the SMB service.
- CVE-2013-4657 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-13
Symlink Traversal vulnerability in NETGEAR WNR3500U and WNR3500L due to misconfiguration in the SMB service.
- CVE-2013-4658 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-25
Linksys EA6500 has SMB Symlink Traversal allowing symbolic links to be created to locations outside of the Samba share.
- CVE-2013-4855 | HIGH | CVSS 8.8 | EG 8.8 | 2019-10-25
D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in the SMB service allowing symbolic links to be created to locations outside of the Samba share.
- CVE-2013-4861 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-01-28
Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.
- CVE-2013-6056 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-27
OSSIM before 4.3.3.1 has tele_compress.php path traversal vulnerability
- CVE-2013-6225 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-13
LiveZilla 5.0.1.4 has a Remote Code Execution vulnerability
- CVE-2013-6785 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-01-23
Directory traversal vulnerability in url_redirect.cgi in Supermicro IPMI before SMT_X9_315 allows authenticated attackers to read arbitrary files via the url_name parameter.
- CVE-2013-7466 | HIGH | CVSS 8.8 | EG 8.8 | 2019-03-07
Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation.
- CVE-2014-10066 | HIGH | CVSS 7.5 | 2018-05-31
Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as `../` to read files outside of the served directory.
- CVE-2014-10068 | HIGH | CVSS 7.5 | 2018-05-29
The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false.
- CVE-2014-10073 | HIGH | CVSS 7.5 | 2018-04-20
The create_response function in server/server.c in Psensor before 1.1.4 allows Directory Traversal because it lacks a check for whether a file is under the webserver directory.
- CVE-2014-10390 | CRITICAL | CVSS 9.1 | EG 9.1 | 2019-08-22
The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has directory traversal.
- CVE-2014-10396 | HIGH | CVSS 7.5 | EG 7.5 | 2019-09-20
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.
- CVE-2014-10397 | HIGH | CVSS 7.5 | EG 7.5 | 2019-09-20
The Antioch theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to lib/scripts/download.php.
- CVE-2014-125033 | LOW | CVSS 3.5 | EG 7.5 | 2023-01-02
A vulnerability was found in rails-cv-app. It has been rated as problematic. Affected by this issue is some unknown functionality of the file app/controllers/uploaded_files_controller.rb. The manipulation with the input ../../../etc/passwd…
- CVE-2014-125068 | MEDIUM | CVSS 5.5 | EG 5.3 | 2023-01-08
A vulnerability was found in saxman maps-js-icoads and classified as critical. This issue affects some unknown processing of the file http-server.js. The manipulation leads to path traversal. The patch is named 34b8b0cce2807b119f4cffda2ac4…
- CVE-2014-125069 | MEDIUM | CVSS 4.3 | EG 5.3 | 2023-01-08
A vulnerability was found in saxman maps-js-icoads. It has been classified as problematic. Affected is an unknown function. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack re…
- CVE-2014-125080 | MEDIUM | CVSS 5.5 | EG 9.8 | 2023-01-16
A vulnerability has been found in frontaccounting faplanet and classified as critical. This vulnerability affects unknown code. The manipulation leads to path traversal. The patch is identified as a5dcd87f46080a624b1a9ad4b0dd035bbd24ac50. …
- CVE-2014-1922 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-24
Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors.
- CVE-2014-1923 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-24
Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attacke…
- CVE-2014-2069 | HIGH | CVSS 7.5 | 2018-04-16
Absolute path traversal vulnerability in Eshtery CMS allows remote attackers to read arbitrary files via a full pathname in the file parameter to FileManager.aspx.
- CVE-2014-2674 | HIGH | CVSS 7.5 | 2018-03-19
Directory traversal vulnerability in the Ajax Pagination (twitter Style) plugin 1.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the loop parameter in an ajax_navigation action to wp-admin/admin-ajax.…
- CVE-2014-3626 | HIGH | CVSS 7.5 | 2018-03-19
The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the follow…
- CVE-2014-3972 | MEDIUM | CVSS 5.3 | 2018-02-19
Directory traversal vulnerability in Apexis APM-J601-WS cameras with firmware before 17.35.2.49 allows remote attackers to read arbitrary files via unspecified vectors.
- CVE-2014-4650 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-20
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute…
- CVE-2014-5007 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-17
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute ar…
- CVE-2014-5068 | HIGH | CVSS 7.5 | 2018-01-11
Directory traversal vulnerability in the web application in Symmetricom s350i 2.70.15 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash) or (2) ..\ (dot dot forward slash) before a file name.