CWE-22

Exploit likelihood: High

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

8,747 vulnerabilities with CWE-22
CVE-2026-7085 MEDIUM
HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal
CVSS 5.0
CVE-2026-7059 MEDIUM
666ghj MiroFish Query Parameter simulation.py get_simulation_posts path traversal
CVSS 5.3
CVE-2026-7036 HIGH
Tenda i9 HTTP R7WebsSecurityHandlerfunction path traversal
CVSS 7.3
CVE-2026-7024 MEDIUM
rawchen sims deleteFileServlet Endpoint DeleteFileServlet.java path traversal
CVSS 5.4
CVE-2026-7020 MEDIUM
Ollama Tensor Model Transfer transfer.go digestToPath path traversal
CVSS 5.6
CVE-2026-6968 MEDIUM
Multiple Path Traversal Variants in awslabs/tough
CVSS 5.9
CVE-2026-41433 HIGH
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
CVSS 8.4
CVE-2026-41894 HIGH
SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint
CVE-2026-41419 HIGH
4ga Boards: Import Path Traversal Leads to Arbitrary File Read
CVSS 7.6
CVE-2026-41140
Poetry <2.3.4 - Path Traversal
CVE-2026-33077 HIGH
Roxy-WI has an arbitrary file read vulnerability
CVSS 7.5
CVE-2026-33076 CRITICAL
Roxy-WI vulnerable to path traversal and arbitrary file writing
CVSS 9.8
CVE-2026-29051 MEDIUM
melange has Path Traversal via .PKGINFO in --persist-lint-results
CVSS 4.4
CVE-2026-29050 MEDIUM
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
CVSS 6.1
CVE-2026-6941 MEDIUM
radare2 < 6.1.4 Project Notes Path Traversal via Symlink
CVSS 6.6
CVE-2026-6940 HIGH
radare2 < 6.1.4 Project Deletion Path Traversal Directory Deletion
CVSS 7.1
CVE-2026-41205 HIGH
Mako: Path traversal via double-slash URI prefix in TemplateLookup
CVSS 7.5
CVE-2026-6903 HIGH
Path Traversal Vulnerability in LabOne User Interface
CVSS 7.5
CVE-2026-41211 CRITICAL
`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
CVSS 10.0
CVE-2026-41180 HIGH
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
CVSS 7.5
CVE-2026-4917 MEDIUM
IBM Guardium Data Protection is affected by multiple vulnerabilities
CVSS 4.9
CVE-2026-40062 HIGH
Ziosoft, Inc. Ziostation2 - Path Traversal
CVSS 7.5
CVE-2026-33656 CRITICAL
EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user
CVSS 9.1
CVE-2026-34414 HIGH
Xerte Online Toolkits Path Traversal via connector.php
CVSS 7.1
CVE-2026-35363 MEDIUM
uutils coreutils rm Safeguard Bypass via Improper Path Normalization
CVSS 5.6