CWE-22— Path Traversal
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.— MITRE CWE catalog
8,805 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-22page 121 of 177
- CVE-2024-3322CRITICALCVSS 9.8EG 8.42024-06-06
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted dire…
- CVE-2024-33274HIGHCVSS 7.5EG 7.52024-04-30
Directory Traversal vulnerability in FME Modules customfields v.2.2.7 and before allows a remote attacker to obtain sensitive information via the Custom Checkout Fields, Add Custom Fields to Checkout parameter of the ajax.php
- CVE-2024-33350CRITICALCVSS 9.8EG 9.82024-04-29
Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component.
- CVE-2024-33369HIGHCVSS 8.8EG 8.82024-09-27
Directory Traversal vulnerability in Plasmoapp RPShare Fabric mod v.1.0.0 allows a remote attacker to execute arbitrary code via the getFileNameFromConnection method in DownloadTask
- CVE-2024-33502MEDIUMCVSS 6.5EG 6.52025-01-14
An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14 and 6.2.0 thro…
- CVE-2024-33535HIGHCVSS 7.5EG 7.52024-08-12
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can ex…
- CVE-2024-33541MEDIUMCVSS 6.5EG 6.52024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BetterAddons Better Elementor Addons allows PHP Local File Inclusion.This issue affects Better Elementor Addons: from n/a through 1.4.1.
- CVE-2024-33557HIGHCVSS 8.5EG 8.52024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore Core allows PHP Local File Inclusion.This issue affects XStore Core: from n/a through 5.3.8.
- CVE-2024-33560CRITICALCVSS 9.0EG 9.02024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore allows PHP Local File Inclusion.This issue affects XStore: from n/a through 9.3.8.
- CVE-2024-33568HIGHCVSS 8.5EG 8.52024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection.This issue affects Element Pack Pro: from …
- CVE-2024-33605HIGHCVSS 7.5EG 7.52024-11-26
Improper processing of some parameters of installed_emanual_list.html leads to a path traversal vulnerability. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective v…
- CVE-2024-33628HIGHCVSS 8.8EG 8.82024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in XforWooCommerce allows PHP Local File Inclusion.This issue affects XforWooCommerce: from n/a through 2.0.2.
- CVE-2024-33869MEDIUMCVSS 5.3EG 5.32024-07-03
An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be…
- CVE-2024-33870MEDIUMCVSS 6.3EG 6.32024-07-03
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of…
- CVE-2024-33879CRITICALCVSS 9.8EG 9.82024-06-24
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via absolute path traversal …
- CVE-2024-33881MEDIUMCVSS 5.3EG 5.32024-06-24
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path paramete…
- CVE-2024-3403HIGHCVSS 7.5EG 7.52024-05-16
imartinez/privategpt version 0.2.0 is vulnerable to a local file inclusion vulnerability that allows attackers to read arbitrary files from the filesystem. By manipulating file upload functionality to ingest arbitrary local files, attacker…
- CVE-2024-34033HIGHCVSS 8.8EG 8.82024-05-03
Delta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, the…
- CVE-2024-34060HIGHCVSS 8.8EG 8.82024-05-23
IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload…
- CVE-2024-34129HIGHCVSS 7.5EG 6.32024-06-13
Acrobat Mobile Sign Android versions 24.4.2.33155 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could…
- CVE-2024-34193HIGHCVSS 7.5EG 7.52024-05-20
smanga 3.2.7 does not filter the file parameter at the PHP/get file flow.php interface, resulting in a path traversal vulnerability that can cause arbitrary file reading.
- CVE-2024-34245MEDIUMCVSS 6.5EG 6.52024-05-14
An arbitrary file read vulnerability in DedeCMS v5.7.114 allows authenticated attackers to read arbitrary files by specifying any path in makehtml_js_action.php.
- CVE-2024-3429CRITICALCVSS 9.8EG 9.82024-06-06
A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This vulnerability allows for arbitrary file…
- CVE-2024-34313CRITICALCVSS 9.8EG 9.82024-06-24
An issue in VPL Jail System up to v4.0.2 allows attackers to execute a directory traversal via a crafted request to a public endpoint.
- CVE-2024-34315HIGHCVSS 7.5EG 7.52024-05-07
CmsEasy v7.7.7.9 was discovered to contain a local file inclusion vunerability via the file_get_contents function in the fckedit_action method of /admin/template_admin.php. This vulnerability allows attackers to read arbitrary files.
- CVE-2024-34384MEDIUMCVSS 6.5EG 6.52024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SinaExtra Sina Extension for Elementor allows PHP Local File Inclusion.This issue affects Sina Extension for Elementor: from n/a through 3.5.1.
- CVE-2024-34471MEDIUMCVSS 5.4EG 5.42024-05-06
An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate…
- CVE-2024-34521LOWCVSS 3.5EG 3.52025-02-12
A directory traversal vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an administrative user to access system files with the file permissions of the privileged system use…
- CVE-2024-34523HIGHCVSS 7.5EG 7.52024-05-07
AChecker 1.5 allows remote attackers to read the contents of arbitrary files via the download.php path parameter by using Unauthenticated Path Traversal. This occurs through readfile in PHP. NOTE: This vulnerability only affects products t…
- CVE-2024-34551CRITICALCVSS 9.0EG 9.02024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through 9.6.
- CVE-2024-34552HIGHCVSS 8.5EG 8.52024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through 9.6.
- CVE-2024-34554HIGHCVSS 8.5EG 8.52024-06-04
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm Core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through 2.4.1.
- CVE-2024-34653MEDIUMCVSS 4.6EG 4.62024-09-04
Path Traversal in My Files prior to SMR Sep-2024 Release 1 allows physical attackers to access directories with My Files' privilege.
- CVE-2024-34656HIGHCVSS 7.3EG 7.32024-09-04
Path traversal in Samsung Notes prior to version 4.4.21.62 allows local attackers to execute arbitrary code.
- CVE-2024-34712MEDIUMCVSS 6.5EG 6.52024-05-14
Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being …
- CVE-2024-34762CRITICALCVSS 9.9EG 9.92024-06-10
Vulnerability discovered by executing a planned security audit. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion.This i…
- CVE-2024-34787HIGHCVSS 7.8EG 7.82024-11-13
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
- CVE-2024-34808MEDIUMCVSS 4.3EG 4.32024-05-16
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samuel Marshall JCH Optimize.This issue affects JCH Optimize: from n/a through 4.2.0.
- CVE-2024-34832CRITICALCVSS 9.8EG 9.82024-06-06
Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters.
- CVE-2024-3484MEDIUMCVSS 5.7EG 5.72024-05-15
Path Traversal found in OpenText™ iManager 3.2.6.0200. This can lead to privilege escalation or file disclosure.
- CVE-2024-34854CRITICALCVSS 9.8EG 9.82024-05-28
F-logic DataCube3 v1.0 is vulnerable to File Upload via `/admin/transceiver_schedule.php.`
- CVE-2024-35081HIGHCVSS 7.5EG 7.52024-05-23
LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary file deletion vulnerability via the fileName parameter in the fileDownload method.
- CVE-2024-35162MEDIUMCVSS 6.5EG 6.52024-05-22
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the…
- CVE-2024-35205HIGHCVSS 7.8EG 7.82024-05-14
The WPS Office (aka cn.wps.moffice_eng) application before 17.0.0 for Android fails to properly sanitize file names before processing them through external application interactions, leading to a form of path traversal. This potentially ena…
- CVE-2024-35219HIGHCVSS 8.3EG 8.32024-05-27
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability t…
- CVE-2024-35274LOWCVSS 2.3EG 2.32024-11-12
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version …
- CVE-2024-35308HIGHCVSS 8.8EG 8.82024-10-22
A post-authentication arbitrary file read vulnerability within the server plugins section in plugin edition feature. This issue affects Pandora FMS: from 700 through <777.3.
- CVE-2024-35324CRITICALCVSS 9.8EG 9.82024-05-28
Douchat 4.0.5 suffers from an arbitrary file upload vulnerability via Public/Plugins/webuploader/server/preview.php.
- CVE-2024-35428HIGHCVSS 7.1EG 7.12024-05-30
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS.
- CVE-2024-35429MEDIUMCVSS 6.5EG 6.52024-05-30
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
Map vulnerabilities like CWE-22 to your infrastructure
EchelonGraph correlates every CVE — across CWE-22 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →