CWE-22
High likelihood
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
9,091 vulnerabilities with CWE-22
CVE-2026-49766
CRITICAL
WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability
CVSS 9.9
CVE-2026-49061
HIGH
WordPress WPC Product Options for WooCommerce plugin <= 3.2.1 - Arbitrary File Download vulnerability
CVSS 7.5
CVE-2026-40779
HIGH
WordPress Link Library plugin <= 7.8.8 - Arbitrary File Deletion vulnerability
CVSS 7.7
CVE-2026-40769
HIGH
WordPress Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin <= 1.0.6 - Arbitrary File Deletion vulnerability
CVSS 8.6
CVE-2026-40727
HIGH
WordPress Groundhogg plugin <= 4.4 - Arbitrary File Deletion vulnerability
CVSS 7.7
CVE-2026-39489
MEDIUM
WordPress Download Monitor plugin <= 5.1.9 - Non-Arbitrary File Download vulnerability
CVSS 4.4
CVE-2026-39468
MEDIUM
WordPress Meta Box – WordPress Custom Fields Framework plugin <= 5.11.1 - Arbitrary File Deletion vulnerability
CVSS 6.8
CVE-2026-20262
MEDIUM
KEV
Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
CVSS 6.5
CVE-2026-12211
LOW
Intelbras iNVU 7016 FT Web syslog path traversal
CVSS 2.7
CVE-2026-12198
HIGH
Microweber API Endpoint thumbnail_img userfiles_path path traversal
CVSS 7.3
CVE-2026-9062
LOW
Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal
CVSS 3.4
CVE-2026-12089
MEDIUM
WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read
CVSS 4.9
CVE-2026-11442
MEDIUM
Allegra exportReport Directory Traversal Information Disclosure Vulnerability
CVSS 6.5
CVE-2026-53825
MEDIUM
OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope
CVSS 6.5
CVE-2026-53519
CRITICAL
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
CVSS 9.1
CVE-2026-54394
MEDIUM
MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files
CVE-2026-45775
MEDIUM
Discourse: Cross-site backup access via path traversal in multisite local backups
CVSS 6.8
CVE-2026-43872
MEDIUM
actual-server has a path traversal vulnerability
CVE-2026-44171
MEDIUM
MariaDB: path traversal in mbstream
CVSS 6.3
CVE-2026-6961
HIGH
CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
CVSS 7.6
CVE-2026-3840
HIGH
Path Traversal in kedro-org/kedro
CVSS 7.1
CVE-2026-11847
MEDIUM
Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Deletion
CVSS 4.3
CVE-2026-11846
HIGH
IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Deletion
CVSS 8.1
CVE-2026-11844
MEDIUM
IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Read
CVSS 4.9
CVE-2026-47368
HIGH
Ubiquiti INC UNAS-Pro-4 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 8.6
Details
Vulnerabilities: 9,091
Exploit Likelihood: High