CWE-22

Exploit likelihood: High

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

9,091 vulnerabilities with CWE-22
CVE-2026-40383 CRITICAL
Joomla! Core - [20260509] - LFI in HTMLView layout parameter
CVSS 9.8
CVE-2026-9550 HIGH
Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform upfile path traversal
CVSS 7.3
CVE-2026-41917 MEDIUM
OpenKM 6.3.12 Local File Inclusion via Admin Scripting
CVSS 4.9
CVE-2026-9473 MEDIUM
c-rick jimeng-mcp api.ts generateVideo path traversal
CVSS 6.3
CVE-2026-9472 MEDIUM
dazeb markdown-downloader index.ts create_subdirectory path traversal
CVSS 6.3
CVE-2026-9468 MEDIUM
dazeb cline-mcp-memory-bank index.ts handleInitializeMemoryBank path traversal
CVSS 6.3
CVE-2026-9467 MEDIUM
debugmcp mcp-debugger server.ts handleGetSourceContext path traversal
CVSS 4.3
CVE-2026-7766 HIGH
Path Traversal in Kenik cameras
CVE-2026-41863 MEDIUM
LLM-influenced filename used unsanitized in Path.resolve before file write in Spring AI support for Anthropic Skills API
CVSS 6.5
CVE-2026-9489 HIGH
NitroSense V3: Local Privilege Escalation (LPE) vulnerability
CVE-2026-9351 MEDIUM
NousResearch hermes-agent read_file Tool file_tools.py _is_blocked_device path traversal
CVSS 6.5
CVE-2026-36227 MEDIUM
Easy Chat Server 3.1 - Directory Traversal and Remote Code Execution via UserName Parameter
CVSS 6.5
CVE-2026-34911 HIGH
Ubiquiti INC UniFi OS Server - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 7.7
CVE-2026-34909 CRITICAL
Ubiquiti INC UniFi OS Server - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 10.0
CVE-2026-4858 HIGH
Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
CVSS 8.0
CVE-2026-44068 HIGH
Netatalk 2.1.0-4.4.2 - Authenticated Path Traversal via Extended Attribute Names
CVSS 7.6
CVE-2026-9129 CRITICAL
Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
CVE-2026-9102 CRITICAL
Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write
CVE-2026-39405 CRITICAL
Frappe has Path Traversal via SCORM
CVE-2026-39352 HIGH
Frappe render_include - Arbitrary File Read
CVE-2026-24209 HIGH
Nvidia Triton Inference Server < r26.03 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 7.5
CVE-2026-24208 MEDIUM
Nvidia Triton Inference Server < r26.03 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 5.3
CVE-2026-35593 MEDIUM
Trilium Notes has Local File Inclusion via upload modified file API endpoint
CVSS 6.8
CVE-2026-36829 CRITICAL
Panabit PAP-XM320 <= v7.7 - Authentication Bypass via Directory Traversal in Session Cookie Validation
CVSS 9.8
CVE-2026-46724 MEDIUM
Path Traversal in extension "Faceted Search" (ke_search)