CWE-41— Improper Resolution of Path Equivalence
The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.— MITRE CWE catalog
26 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-41page 1 of 1
- CVE-2022-0855MEDIUMCVSS 6.1EG 6.12022-03-04
Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4.
- CVE-2023-36396HIGHCVSS 7.8EG 7.82023-11-14
Windows Compressed Folder Remote Code Execution Vulnerability
- CVE-2023-46169MEDIUMCVSS 6.5EG 6.52024-03-07
IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily delete a file. IBM X-Force ID: 269406.
- CVE-2024-30036MEDIUMCVSS 6.5EG 6.52024-05-14
Windows Deployment Services Information Disclosure Vulnerability
- CVE-2024-30073HIGHCVSS 7.8EG 7.82024-09-10
Windows Security Zone Mapping Security Feature Bypass Vulnerability
- CVE-2024-45405MEDIUMCVSS 6.0EG 6.02024-09-06
`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the …
- CVE-2024-6839MEDIUMCVSS 5.3EG 5.32025-03-20
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being a…
- CVE-2024-8765HIGHCVSS 7.3EG 7.32025-03-20
In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to a…
- CVE-2025-0115MEDIUMCVSS 6.8EG 6.82025-03-12
A vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated admin on the PAN-OS CLI to read arbitrary files. The attacker must have network access to the management interface (web, SSH, console, or telnet) and succe…
- CVE-2025-21189MEDIUMCVSS 4.3EG 4.32025-01-14
MapUrlToZone Security Feature Bypass Vulnerability
- CVE-2025-21219MEDIUMCVSS 4.3EG 4.32025-01-14
MapUrlToZone Security Feature Bypass Vulnerability
- CVE-2025-21247MEDIUMCVSS 4.3EG 4.32025-03-11
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2025-21268MEDIUMCVSS 4.3EG 4.32025-01-14
MapUrlToZone Security Feature Bypass Vulnerability
- CVE-2025-21269MEDIUMCVSS 4.3EG 4.32025-01-14
Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2025-21328MEDIUMCVSS 4.3EG 4.32025-01-14
MapUrlToZone Security Feature Bypass Vulnerability
- CVE-2025-21329MEDIUMCVSS 4.3EG 4.32025-01-14
MapUrlToZone Security Feature Bypass Vulnerability
- CVE-2025-21332MEDIUMCVSS 4.3EG 4.32025-01-14
MapUrlToZone Security Feature Bypass Vulnerability
- CVE-2025-24470HIGHCVSS 8.6EG 8.62025-02-11
An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests.
- CVE-2025-43298HIGHCVSS 7.8EG 7.82025-09-15
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to gain root privileges.
- CVE-2025-54107MEDIUMCVSS 4.3EG 4.32025-09-09
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2025-58290LOWCVSS 3.3EG 3.32025-10-11
Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability.
- CVE-2026-23674HIGHCVSS 7.5EG 7.52026-03-10
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-34510MEDIUMCVSS 5.3EG 5.32026-04-01
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file tar…
- CVE-2026-49401HIGHCVSS 8.4EG 8.42026-06-16
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --d…
- CVE-2026-50568LOWCVSS 3.6EG 3.62026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed unde…
- CVE-2026-5816HIGHCVSS 8.0EG 8.02026-04-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to imp…
Map vulnerabilities like CWE-41 to your infrastructure
EchelonGraph correlates every CVE — across CWE-41 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →