CWE-22

Exploit likelihood: High

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
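The definition above names the defect (no neutralization of special elements before the pathname is resolved) without showing what neutralization has to cover. The following is an added illustration, not code from any product listed on this page: a naive join of the kind the CWE describes beside a canonicalize-and-check that rejects the three usual escape routes, namely `..` segments, an absolute user path that discards the base directory, and a symlink inside the restricted directory that points outside it. It assumes a POSIX filesystem; `demo()` builds a constructed directory tree under a temporary directory, and every input it feeds to the resolvers is constructed for the example.

```python
"""CWE-22 in miniature: a naive path join beside a canonicalize-and-check.

Added illustration; not code from any product listed on this page.
Assumes a POSIX filesystem. demo() builds a constructed directory tree
under a temporary directory to exercise both resolvers.
"""
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """The user-supplied path would resolve outside the restricted directory."""


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    # The bug the CWE describes: the join trusts its input. "../" walks out
    # of base_dir, and an absolute user_path discards base_dir entirely:
    # os.path.join("/srv/uploads", "/etc/passwd") == "/etc/passwd".
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Path:
    """Return the canonical location of user_path under base_dir, or raise.

    Covers the usual escape routes: "..", absolute paths, and symlinks that
    live inside base_dir but point outside it.
    """
    if "\x00" in user_path:
        # A NUL byte truncates the name in many C-backed file APIs; reject it
        # before it reaches the filesystem.
        raise PathTraversalError("NUL byte in path")
    base = Path(base_dir).resolve()
    # pathlib's "/" behaves like os.path.join: an absolute right-hand side
    # replaces base. That is acceptable here only because the containment
    # check below is applied to the fully resolved result, not to the input.
    candidate = (base / user_path).resolve()
    # resolve() collapses ".." and follows symlinks. Compare by path component:
    # a string-prefix test would accept "/srv/uploads_evil/x" under "/srv/uploads".
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(
            f"{user_path!r} resolves to {candidate}, outside {base}") from None
    return candidate


def classify(base_dir: str, user_path: str) -> str:
    """'allowed' if safe_resolve accepts user_path under base_dir, else 'rejected'."""
    try:
        safe_resolve(base_dir, user_path)
        return "allowed"
    except PathTraversalError:
        return "rejected"


def demo() -> dict:
    """Run both resolvers over constructed inputs against a constructed tree:

        <tmp>/secret.txt                      outside the restricted directory
        <tmp>/uploads/report.txt              inside it
        <tmp>/uploads/link -> <tmp>/secret.txt  symlink that escapes
    """
    root = Path(tempfile.mkdtemp())
    try:
        uploads = root / "uploads"
        uploads.mkdir()
        (uploads / "report.txt").write_text("public")
        (root / "secret.txt").write_text("private")
        (uploads / "link").symlink_to(root / "secret.txt")

        inside = str(uploads.resolve()) + os.sep
        results = {}
        for user_path in ["report.txt", "sub/../report.txt", "../secret.txt",
                          "/etc/passwd", "link"]:
            naive = vulnerable_resolve(str(uploads), user_path)
            results[user_path] = {
                # where the naive join really lands once the kernel resolves it
                "naive_escapes": not os.path.realpath(naive).startswith(inside),
                "checked": classify(str(uploads), user_path),
            }
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r:22} naive escapes: {outcome['naive_escapes']!s:5}  "
              f"checked: {outcome['checked']}")
```

Two caveats a reviewer would raise against even the checked version. First, the check must run on the path as the filesystem will see it: any URL decoding, archive-entry decoding or template rendering that happens before the join has to be finished first, and on Windows a backslash is a separator too, whereas on POSIX `..\secret.txt` is just an odd filename and this code will (correctly) allow it. Second, resolving and then opening is two system calls, so a symlink planted between them still wins the race; where that matters, open relative to a directory descriptor with `O_NOFOLLOW`, or `openat2` with `RESOLVE_BENEATH` on Linux, instead of trusting an earlier `resolve()`.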

9,140 vulnerabilities with CWE-22
CVE ID          Severity  Affected product and issue  (CVSS base score, where listed)

CVE-2025-54926  HIGH      EcoStruxure Power Monitoring Expert < 2024 R2 - Authenticated RCE via File Upload  (CVSS 7.2)
CVE-2025-54021  HIGH      Mitchell Bennis Simple File List <6.1.14 - Path Traversal  (CVSS 7.5)
CVE-2025-48158  HIGH      Alex Githatu BuddyPress XProfile Custom Image Field <3.0.1 - Path T...  (CVSS 8.6)
CVE-2025-47650  MEDIUM    Infility Global <2.14.7 - Path Traversal  (CVSS 6.5)
CVE-2025-8141   HIGH      Redirection for Contact Form 7 <3.2.4 - Path Traversal  (CVSS 8.8)
CVE-2025-55295  MEDIUM    qbit_manage >= 4.5.0 < 4.5.4 - Authenticated Path Traversal via Restore Config Backup Endpoint  (CVSS 6.5)
CVE-2025-55282  CRITICAL  aiven-db-migrate <1.0.7 - Privilege Escalation  (CVSS 9.1)
CVE-2025-55214  MEDIUM    Copier 7.1.0-9.9.0 - Path Traversal and Arbitrary File Write via Pathjoin Filter
CVE-2025-55201  HIGH      Copier < 9.9.1 - Path Traversal via Unconstrained Pathlib Path Objects
CVE-2025-41242  MEDIUM    Spring Framework 5.3.x-5.3.43, 6.1.x-6.1.21, 6.2.x-6.2.9 - Path Traversal via Static Resource Handling  (CVSS 5.9)
CVE-2025-3671   HIGH      WPGYM - Wordpress Gym Management System <67.7.0 - Local File Inclusion  (CVSS 8.8)
CVE-2025-7641   HIGH      Assistant for NextGEN Gallery <1.0.9 - Path Traversal  (CVSS 7.5)
CVE-2025-54715  MEDIUM    Barcode Scanner with Inventory & Order Manager <1.9.0 - Path Traversal  (CVSS 4.9)
CVE-2025-34154  CRITICAL  UnForm Server Manager <10.1.12 - Info Disclosure
CVE-2025-23304  HIGH      NVIDIA NeMo < 2.3.2 - Remote Code Execution via Malicious .nemo File Metadata  (CVSS 7.8)
CVE-2025-8941   HIGH      Red Hat Enterprise Linux 7 Extended Lifecycle Support - Privilege Escalation via pam_namespace Symlink Attack  (CVSS 7.8)
CVE-2025-8912   HIGH      WellChoose Organization Portal System < IFTOP_P3_2_1_197 - Arbitrary File Read via Path Traversal  (CVSS 7.5)
CVE-2025-8909   MEDIUM    WellChoose Organization Portal System < IFTOP_P3_2_1_197 - Authenticated Arbitrary File Read via Absolute Path Traversal  (CVSS 6.5)
CVE-2025-0818   MEDIUM    File Manager Pro - Filester < 1.8.9 - Unauthenticated Path Traversal and Arbitrary File Deletion  (CVSS 6.5)
CVE-2025-55169  MEDIUM    WeGIA < 3.4.8 - Path Traversal via Download Remessa Endpoint  (CVSS 6.5)
CVE-2025-53793  HIGH      Azure Stack Hub 1.2406.0.8-1.2406.1.23 - Unauthenticated Information Disclosure  (CVSS 7.5)
CVE-2025-49559  MEDIUM    Adobe Commerce < 2.4.4 - Path Traversal  (CVSS 5.3)
CVE-2025-55011  MEDIUM    kanboard < 1.2.47 - Unauthenticated Path Traversal and Arbitrary File Write via TaskFile API  (CVSS 6.4)
CVE-2025-8081   MEDIUM    Elementor Website Builder <= 3.30.2 - Authenticated Arbitrary File Read via Import_Images::import()  (CVSS 4.9)
CVE-2025-5391   HIGH      WooCommerce Purchase Orders <1.0.2 - Privilege Escalation  (CVSS 8.1)