CWE-22

Exploit likelihood: High

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

9,092 vulnerabilities with CWE-22
CVE-2026-43989 HIGH
JunoClaw: upload_wasm accepted arbitrary filesystem paths without validation
CVSS 8.5
CVE-2026-6865 HIGH
Improper Limitation of a Pathname to a Restricted Directory Vulnerability on Multiple Products
CVE-2026-41530 LOW
Chitora Soft Lhaz - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 3.3
CVE-2026-43901 MEDIUM
Wireshark MCP: Arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured
CVSS 6.8
CVE-2026-43888 HIGH
Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import
CVSS 8.7
CVE-2026-42600 MEDIUM
MinIO: Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint
CVSS 4.9
CVE-2026-42564 HIGH
jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact
CVSS 8.2
CVE-2026-42888 MEDIUM
Audiobookshelf: Path Traversal vulnerability in the audiobookshelf project
CVE-2026-28915 HIGH
macOS - Privilege Escalation
CVSS 7.8
CVE-2026-42885 MEDIUM
Audiobookshelf: Path prefix bypass in filesystem existence check leaks out-of-scope file existence
CVSS 4.3
CVE-2026-42882 CRITICAL
oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching
CVSS 9.4
CVE-2026-2614 HIGH
Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow
CVSS 7.5
CVE-2026-45224 HIGH
Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution
CVSS 7.1
CVE-2026-42866 MEDIUM
Tookie: Arbitrary file write via path traversal in -u username / -U userfile output filename
CVE-2026-44996 LOW
OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding
CVSS 3.7
CVE-2026-42315 HIGH
pyLoad: Path Traversal via Package Folder Name in set_package_data
CVSS 8.1
CVE-2026-42314 MEDIUM
pyLoad: Path Traversal via Package Folder Name
CVSS 6.5
CVE-2026-6815 MEDIUM
Casdoor < v2.328.0 - Authenticated Arbitrary File Write via Local File System Storage Provider
CVSS 5.9
CVE-2026-42608 CRITICAL
Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.
CVSS 9.1
CVE-2026-41951 HIGH
Growi - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 7.2
CVE-2026-8274 MEDIUM
npitre cramfs-tools Directory cramfsck.c do_directory path traversal
CVSS 5.3
CVE-2026-8215 MEDIUM
Industrial Application Software IAS Canias ERP RMI iasRequestFileEvent path traversal
CVSS 5.3
CVE-2026-42605 HIGH
AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
CVSS 8.8
CVE-2026-42574 HIGH
apko 0.14.8-1.2.4 dirFS - Symlink Path Traversal
CVSS 7.5
CVE-2026-42351 HIGH
pygeoapi: Path Traversal in STAC FileSystemProvider
CVSS 7.5