CWE-22

Exploit likelihood: High

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

9,091 vulnerabilities with CWE-22
CVE-2026-7565 MEDIUM
LearnPress <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter
CVSS 4.9
CVE-2026-2500 MEDIUM
Quick Playground <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter
CVSS 4.4
CVE-2026-9290 HIGH
WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter
CVSS 7.5
CVE-2026-11431 HIGH
Path Traversal in Altium Projects Service Allows Arbitrary File Read
CVE-2026-11429 CRITICAL
Path Traversal in Altium Git Service Allows Remote Code Execution
CVE-2026-11416 HIGH
MoviePilot Path Traversal via Cloud Storage Download Handlers
CVSS 8.1
CVE-2026-11423 CRITICAL
Path Traversal in Altium Enterprise Server Collaboration Service Allows Privilege Escalation
CVE-2026-46397 MEDIUM
haxcms-php Local File Inclusion via saveOutline API Location Parameter v2.0
CVSS 6.5
CVE-2026-11420 CRITICAL
Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Write and File Read
CVE-2026-11419 CRITICAL
Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File Write
CVE-2026-11414 CRITICAL
Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal
CVE-2026-36500 CRITICAL
Controller v12.0.5 - Path Traversal via Backup-Datastore Request
CVSS 9.1
CVE-2026-50234 HIGH
Lyrion Music Server 9.2.0 Path Traversal File Read
CVSS 7.5
CVE-2026-7774 MEDIUM
tarfile.data_filter path traversal bypass allows writing outside the extraction directory
CVE-2026-40605 MEDIUM
Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API
CVE-2026-50207 HIGH
Acer Connect M6E 5G Portable WiFi Router - Local Modem Manipulation via Binder Interfaces
CVSS 7.8
CVE-2026-35082 HIGH
Local file inclusion vulnerability and deletion in ugw-logread method
CVSS 8.8
CVE-2026-41412 MEDIUM
alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script
CVSS 4.9
CVE-2026-49144 MEDIUM
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler
CVSS 6.5
CVE-2026-35718 MEDIUM
VIVOTEK INC FD8136-VVTK 0300a - Authenticated Path Traversal via /admin/downloadMedias.cgi
CVSS 6.5
CVE-2026-43965 MEDIUM
Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
CVE-2026-32685 MEDIUM
Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write
CVE-2026-0055 MEDIUM
Android PackageInstallerService - Path Traversal and Local Privilege Escalation via createSessionInternal
CVSS 6.2
CVE-2026-49136 HIGH
Banana Slides <= 0.4.0 - Unauthenticated Path Traversal via AI Service generate_image Function
CVSS 7.5
CVE-2026-45727 HIGH
CloakBrowser < 0.3.28 - Unauthenticated Path Traversal and Arbitrary Directory Deletion via Fingerprint Parameter