CWE-22

High likelihood

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

8,747 vulnerabilities with CWE-22
CVE-2026-5597 MEDIUM
griptape-ai griptape ComputerTool tool.py path traversal
CVSS 6.3
CVE-2026-5595 MEDIUM
griptape-ai griptape FileManagerTool save_memory_artifacts_to_disk path traversal
CVSS 6.3
CVE-2026-5535 MEDIUM
FedML-AI FedML MQTT Message FileUtils.java path traversal
CVSS 4.3
CVE-2026-3666 HIGH
wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body
CVSS 8.8
CVE-2026-34607 HIGH
Emlog: Path Traversal in emUnZip() allows arbitrary file write leading to RCE
CVSS 7.2
CVE-2026-34978 MEDIUM
OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)
CVSS 6.5
CVE-2026-26058 MEDIUM
Zulip: Path Traversal in Import
CVSS 6.1
CVE-2026-22661 HIGH
prompts.chat Path Traversal via Skill File Handling
CVSS 8.1
CVE-2026-28373 CRITICAL
Stackfield Desktop App <1.10.2 - Path Traversal
CVSS 9.6
CVE-2026-35214 HIGH
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
CVSS 8.7
CVE-2026-4350 HIGH
Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter
CVSS 8.1
CVE-2026-34745 CRITICAL
Fireshare < 1.5.3 - Unauthenticated Path Traversal and Arbitrary File Write
CVSS 9.1
CVE-2026-34730 MEDIUM
Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode
CVSS 5.5
CVE-2026-34726 MEDIUM
Copier `_subdirectory` allows template root escape via parent-directory traversal
CVSS 4.4
CVE-2026-34591 MEDIUM
Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
CVSS 6.5
CVE-2026-34524 HIGH
SillyTavern: Path traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
CVSS 8.3
CVE-2026-34523 MEDIUM
SillyTavern: Path traversal allows file existence oracle
CVSS 5.3
CVE-2026-34522 HIGH
SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory
CVSS 8.1
CVE-2026-5344 MEDIUM
Textpattern XML-RPC TXP_RPCServer.php mt_uploadImage path traversal
CVSS 6.3
CVE-2026-34790 HIGH
Endian Firewall /cgi-bin/backup.cgi remove ARCHIVE Directory Traversal
CVSS 7.1
CVE-2026-34728 HIGH
phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController
CVSS 8.7
CVE-2026-5331 MEDIUM
OpenCart Extension Installer installer.php path traversal
CVSS 4.7
CVE-2026-4347 HIGH
MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir
CVSS 8.1
CVE-2026-3987 HIGH
WatchGuard Firebox Arbitrary File Write via Path Traversal in Fireware Web UI
CVE-2026-34750 MEDIUM
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
CVSS 6.5