CWE-35: Path Traversal: '.../...//'

70 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-35 (page 1 of 2)
- CVE-2018-3744 (CRITICAL, CVSS 9.8, 2018-05-29)
  The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with cURL.
- CVE-2020-26073 (HIGH, CVSS 7.5, EG 9.0, 2024-11-18)
  A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory …
- CVE-2020-27130 (CRITICAL, CVSS 9.1, EG 9.1, 2020-11-17)
  A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests t…
- CVE-2021-1132 (MEDIUM, CVSS 5.3, EG 5.3, 2024-11-18)
  A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. This vulnerability exists because the web…
- CVE-2021-1282 (MEDIUM, CVSS 6.5, EG 4.9, 2021-01-20)
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL inje…
- CVE-2021-1355 (MEDIUM, CVSS 6.5, EG 6.5, 2021-01-20)
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL inje…
- CVE-2021-1357 (MEDIUM, CVSS 6.5, EG 6.5, 2021-01-20)
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL inje…
- CVE-2021-1364 (MEDIUM, CVSS 6.5, EG 6.5, 2021-01-20)
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL inje…
- CVE-2022-2265 (HIGH, CVSS 7.5, EG 7.5, 2022-09-21)
  The Identity and Directory Management System developed by Çekino Bilgi Teknolojileri before version 2.1.25 has an unauthenticated path traversal vulnerability. This has been fixed in version 2.1.25.
- CVE-2022-24774 (HIGH, CVSS 7.1, EG 7.1, 2022-03-22)
  CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. …
- CVE-2022-36928 (MEDIUM, CVSS 6.1, EG 7.1, 2023-01-09)
  Zoom for Android clients before version 5.13.0 contain a path traversal vulnerability. A third party app could exploit this vulnerability to read and write to the Zoom application data directory.
- CVE-2022-3693 (HIGH, CVSS 7.5, EG 7.5, 2023-01-13)
  Path Traversal vulnerability in Deytek Informatics FileOrbis File Management System allows Path Traversal. This issue affects FileOrbis File Management System: from unspecified before 10.6.3.
- CVE-2022-46826 (MEDIUM, CVSS 6.2, EG 5.5, 2022-12-08)
  In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.
- CVE-2022-48476 (HIGH, CVSS 7.5, EG 7.5, 2023-04-24)
  In JetBrains Ktor before 2.3.0, path traversal in the `resolveResource` method was possible.
- CVE-2023-21415 (MEDIUM, CVSS 6.5, EG 6.5, 2023-10-16)
  Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allow for file deletion. This flaw can only be exploited after authenticating with an operat…
- CVE-2023-21416 (HIGH, CVSS 7.1, EG 7.1, 2023-11-21)
  Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing an attacker to block access to the overlay configuration page in the web inte…
- CVE-2023-21417 (HIGH, CVSS 7.1, EG 7.1, 2023-11-21)
  Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allow for file/folder deletion. This flaw can only be exploited after authenticatin…
- CVE-2023-21418 (HIGH, CVSS 7.1, EG 7.1, 2023-11-21)
  Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allow for file deletion. This flaw can only be exploited after authenticating with an operato…
- CVE-2023-32714 (HIGH, CVSS 8.1, EG 8.1, 2023-06-01)
  In the Splunk App for Lookup File Editing versions below 4.0.1, a low-privileged user can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk ins…
- CVE-2023-39916 (CRITICAL, CVSS 9.3, EG 9.3, 2023-09-13)
  NLnet Labs' Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store …
- CVE-2023-41793 (MEDIUM, CVSS 6.7, EG 6.7, 2024-03-19)
  Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700…
- CVE-2023-46690 (HIGH, CVSS 8.8, EG 8.8, 2023-11-30)
  In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write any file to any location on the filesystem, which could lead to remote code execution.
- CVE-2023-47279 (HIGH, CVSS 7.5, EG 7.5, 2023-11-30)
  In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to disclose user information through a single UDP packet, obtain plaintext credentials, or perform NTLM relaying.
- CVE-2023-5800 (MEDIUM, CVSS 5.4, EG 5.4, 2024-02-05)
  Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have sufficient input validation, allowing for a possible remote code execution. This flaw can only be exploited after authenticati…
- CVE-2023-5885 (MEDIUM, CVSS 6.5, EG 6.5, 2023-11-27)
  The discontinued FFS Colibri product allows a remote user to access files on the system, including files containing login credentials for other users.
- CVE-2023-6252 (HIGH, CVSS 7.5, EG 7.5, 2023-11-22)
  Path traversal vulnerability in Chalemelon Power framework, affecting the getImage parameter. This vulnerability could allow a remote user to read files located on the server and gain access to sensitive information such as configuration f…
- CVE-2023-7263 (HIGH, CVSS 7.3, EG 7.3, 2024-12-28)
  Some Huawei home music system products have a path traversal vulnerability. Successful exploitation of this vulnerability may cause unauthorized file deletion or file permission change. (Vulnerability ID: HWPSIRT-2023-53450) This vulnerabil…
- CVE-2023-7300 (HIGH, CVSS 8.0, EG 8.0, 2024-12-26)
  Huawei Home Music System has a path traversal vulnerability. Successful exploitation of this vulnerability may cause the music host file to be deleted or the file permission to be changed. (Vulnerability ID: HWPSIRT-2023-60613)
- CVE-2024-0067 (MEDIUM, CVSS 4.3, EG 4.3, 2024-09-10)
  Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ledlimit.cgi was vulnerable to path traversal attacks, allowing an attacker to list folder/file names on the local file system of the Axis device. Axis has released pat…
- CVE-2024-0113 (HIGH, CVSS 7.5, EG 7.5, 2024-08-12)
  NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation…
- CVE-2024-10857 (MEDIUM, CVSS 6.5, EG 6.5, 2024-11-26)
  The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This ma…
- CVE-2024-11136 (HIGH, CVSS 8.2, EG 0.0, 2024-11-14)
  The default TCL Camera application exposes a provider vulnerable to path traversal. A malicious application can supply a malicious URI path and delete arbitrary files from the user's external storage.
- CVE-2024-1886 (LOW, CVSS 3.0, EG 3.0, 2024-02-26)
  This vulnerability allows remote attackers to traverse the directory on the affected webOS of LG Signage.
- CVE-2024-21575 (HIGH, CVSS 8.6, EG 8.6, 2024-12-12)
  ComfyUI-Impact-Pack is vulnerable to Path Traversal. The issue stems from missing validation of the `image.filename` field in a POST request sent to the `/upload/temp` endpoint added by the extension to the server. This results in writing …
- CVE-2024-2654 (MEDIUM, CVSS 6.8, EG 6.8, 2024-04-09)
  The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and a…
- CVE-2024-27901 (HIGH, CVSS 7.2, EG 7.2, 2024-04-09)
  SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file APIs. Thus, causing a considerable impact on confidentiality, integri…
- CVE-2024-2863 (MEDIUM, CVSS 5.3, EG 5.3, 2024-03-25)
  This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant.
- CVE-2024-34191 (MEDIUM, CVSS 6.5, EG 6.5, 2024-05-14)
  htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request.
- CVE-2024-36991 (HIGH, CVSS 7.5, EG 9.0, 2024-07-01)
  In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterpris…
- CVE-2024-38706 (MEDIUM, CVSS 6.5, EG 6.5, 2024-07-12)
  Path Traversal: '.../...//' vulnerability in DevItems HT Mega ht-mega-for-elementor. This issue affects HT Mega: from n/a through <= 2.5.7.
- CVE-2024-39171 (CRITICAL, CVSS 9.8, EG 8.8, 2024-07-09)
  Directory Traversal in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.
- CVE-2024-40505 (CRITICAL, CVSS 9.3, EG 9.3, 2024-07-16)
  Directory Traversal vulnerability in D-Link DAP-1650 Firmware v.1.03 allows a local attacker to escalate privileges via the hedwig.cgi component.
- CVE-2024-41972 (MEDIUM, CVSS 6.5, EG 6.5, 2024-11-18)
  A low privileged remote attacker can overwrite an arbitrary file on the filesystem, which may lead to an arbitrary file read with root privileges.
- CVE-2024-41973 (HIGH, CVSS 8.1, EG 8.1, 2024-11-18)
  A low privileged remote attacker can specify an arbitrary file on the filesystem, which may lead to arbitrary file writes with root privileges.
- CVE-2024-45190 (MEDIUM, CVSS 6.5, EG 6.5, 2024-08-23)
  Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request.
- CVE-2024-45248 (HIGH, CVSS 7.5, EG 7.5, 2024-10-06)
  Multi-DNC: CWE-35: Path Traversal: '.../...//'
- CVE-2024-47169 (HIGH, CVSS 8.8, EG 8.8, 2024-09-26)
  Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaS…
- CVE-2024-47170 (MEDIUM, CVSS 4.3, EG 4.3, 2024-09-26)
  Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue c…
- CVE-2024-47171 (MEDIUM, CVSS 4.3, EG 4.3, 2024-09-26)
  Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files at an attacker-chosen location on the server. This issue can lead …
- CVE-2024-47324 (HIGH, CVSS 7.5, EG 7.5, 2024-10-05)
  Path Traversal: '.../...//' vulnerability in Ex-Themes WP Timeline – Vertical and Horizontal timeline plugin wp-timelines. This issue affects WP Timeline – Vertical and Horizontal timeline plugin: from n/a through <= 3.6.7.