CWE-22: Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences that can resolve to a location outside of that directory.

Total CVEs: 1,995
Critical: 447
High: 1,009
Avg CVSS: 7.7
In CISA KEV: 4

Yearly Trend

2026: 231
2025: 685
2024: 481
2023: 231
2022: 165

Top Affected Vendors

1 Apple 26
2 Qnap 21
3 Ivanti 18
4 Fortinet 16
5 Samsung 16
6 Solarwinds 16
7 Fedoraproject 16
8 Siemens 15
9 Adobe 15
10 Debian 13

All Path Traversal CVEs (1,995)

CVE-2026-26984
8.8

LORIS versions before 26.0.5, 27.0.2, and 28.0.0 contain a path traversal vulnerability in the media module that allows authenticated users with suffi...

Feb 25, 2026
CVE-2026-26065
8.8

CVE-2026-26065 is a path traversal vulnerability in calibre's PDB readers that allows attackers to write arbitrary files anywhere the user has write p...

Feb 20, 2026
CVE-2026-26975
8.8

CVE-2026-26975 is a critical path traversal vulnerability in Music Assistant that allows unauthenticated attackers on the same network to write arbitr...

Feb 20, 2026
CVE-2025-12062
8.8

This vulnerability allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary .html files on WordPress ser...

Feb 17, 2026
CVE-2026-25161
8.8

This path traversal vulnerability in Alist allows authenticated attackers to bypass directory-level authorization by injecting traversal sequences int...

Feb 4, 2026
CVE-2026-25059
8.8

OpenList Frontend versions before 4.1.10 contain a path traversal vulnerability in file operation handlers that allows authenticated attackers to bypa...

Feb 2, 2026
CVE-2025-66428
8.8

A path traversal vulnerability in WebPros WordPress Toolkit before version 6.9.1 allows attackers to escalate privileges by manipulating WordPress dir...

Jan 22, 2026
CVE-2026-22685
8.8

A path traversal vulnerability in DevToys allows malicious extension packages to write files outside the intended directory, potentially overwriting s...

Jan 10, 2026
CVE-2025-69194
8.8

CVE-2025-69194 is a path traversal vulnerability in GNU Wget2's Metalink document handling that allows attackers to write files to arbitrary locations...

Jan 9, 2026
CVE-2023-53979
8.8

This vulnerability allows authenticated administrators in MyBB 1.8.32 to bypass avatar upload restrictions and execute arbitrary code through a chaine...

Dec 22, 2025
CVE-2025-66449
8.8

CVE-2025-66449 is an arbitrary file write vulnerability in ConvertX, a self-hosted online file converter. Authenticated users can upload files with ma...

Dec 16, 2025
CVE-2025-60786
8.8

A Zip Slip vulnerability in iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code by uploading a specially crafted Zip file. This affe...

Dec 15, 2025
CVE-2025-12824
8.8

The Player Leaderboard WordPress plugin contains a Local File Inclusion vulnerability that allows authenticated attackers with Contributor-level acces...

Dec 12, 2025
CVE-2025-66429
8.8

A directory traversal vulnerability in cPanel's Team Manager API allows attackers to overwrite arbitrary files, potentially leading to privilege escal...

Dec 11, 2025
CVE-2025-8110
KEV, EPSS 22%, 8.8

CVE-2025-8110 is a path traversal vulnerability in Gogs' PutContents API that allows improper symbolic link handling, enabling authenticated attackers...

Dec 10, 2025
CVE-2025-11531
8.8

This vulnerability allows attackers to execute files outside of restricted paths in HP System Event Utility and Omen Gaming Hub software. It affects u...

Dec 9, 2025
CVE-2025-65897
8.8

This vulnerability in zdh_web allows authenticated users to upload arbitrary files to any location on the server due to insufficient path validation. ...

Dec 5, 2025
CVE-2025-54307
8.8

This vulnerability allows authenticated low-privilege users to upload ZIP files containing path traversal payloads, enabling arbitrary file writes to ...

Dec 4, 2025
CVE-2025-66295
8.8

This vulnerability allows authenticated users with account creation privileges to perform path traversal attacks when creating new users in Grav CMS. ...

Dec 1, 2025
CVE-2025-12382
8.8

This path traversal vulnerability in Algosec Firewall Analyzer allows authenticated users to upload files to restricted directories, potentially leadi...

Nov 12, 2025
CVE-2025-64184
8.8

This vulnerability in Dosage comic downloader allows remote attackers to write arbitrary files outside the target directory by manipulating HTTP Conte...

Nov 7, 2025
CVE-2025-58423
8.8

This vulnerability allows attackers to upload malicious configuration files to vulnerable systems, potentially causing denial-of-service, directory tr...

Nov 6, 2025
CVE-2025-62630
8.8

This vulnerability allows attackers to upload malicious configuration files that bypass directory traversal protections, leading to remote code execut...

Nov 6, 2025
CVE-2025-12490
EPSS 19.7%, 8.8

This vulnerability allows authenticated remote attackers to create arbitrary files on Netgate pfSense CE systems via a path traversal flaw in the Suri...

Nov 6, 2025
CVE-2025-64107
8.8

This vulnerability in Cursor AI code editor allows attackers to bypass path manipulation detection by using backslashes instead of forward slashes, en...

Nov 4, 2025
CVE-2025-64108
8.8

This CVE describes a path traversal vulnerability in Cursor AI code editor that allows attackers to bypass sensitive file protections via NTFS path qu...

Nov 4, 2025
CVE-2025-11746
8.8

The XStore WordPress theme contains a Local File Inclusion vulnerability that allows authenticated attackers with Subscriber-level access or higher to...

Oct 15, 2025
CVE-2025-9713
8.8

CVE-2025-9713 is a path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows remote unauthenticated attackers to achieve remote code e...

Oct 13, 2025
CVE-2025-35055
8.8

This vulnerability allows authenticated attackers to upload arbitrary files to any writable location in Newforma Info Exchange (NIX), potentially enab...

Oct 9, 2025
CVE-2025-11221
8.8

This vulnerability in GTONE ChangeFlow allows attackers to upload malicious files and traverse directory paths to access restricted areas. It affects ...

Oct 2, 2025
CVE-2025-11020
8.8

A path traversal vulnerability in MarkAny SafePC Enterprise allows attackers to access server information, potentially enabling SQL injection and unre...

Oct 2, 2025
CVE-2025-41714
8.8

This vulnerability allows authenticated attackers to perform path traversal attacks via the 'Upload-Key' header, enabling arbitrary file writes outsid...

Sep 10, 2025
CVE-2025-58755
8.8

This vulnerability in MONAI allows path traversal attacks through malicious ZIP files. When MONAI processes compressed files using extractall(), attac...

Sep 9, 2025
CVE-2025-58158
8.8

Harness Gitness git LFS server prior to version 3.3.0 has an arbitrary file write vulnerability due to improper path sanitization in the upload API. A...

Aug 29, 2025
CVE-2025-8141
8.8

The Redirection for Contact Form 7 WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any f...

Aug 20, 2025
CVE-2025-3671
8.8

The WPGYM WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with Subscriber-level access to include and ex...

Aug 16, 2025
CVE-2025-54453
8.8

This path traversal vulnerability in Samsung MagicINFO 9 Server allows attackers to access files outside the intended directory, potentially leading t...

Jul 23, 2025
CVE-2025-3740
8.8

This Local File Inclusion vulnerability in the School Management System for WordPress plugin allows authenticated attackers with Subscriber-level acce...

Jul 18, 2025
CVE-2025-40738
8.8

A path traversal vulnerability in SINEC NMS allows attackers to write arbitrary files to restricted locations by uploading malicious ZIP archives. Thi...

Jul 8, 2025
CVE-2025-2932
8.8

The JKDEVKIT WordPress plugin allows authenticated attackers with Subscriber-level access (or Contributor-level if WooCommerce is enabled) to delete a...

Jul 3, 2025
CVE-2025-5014
8.8

This vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on WordPress servers running the Ho...

Jul 2, 2025
CVE-2025-6379
8.8

The BeeTeam368 Extensions Pro WordPress plugin contains a directory traversal vulnerability that allows authenticated attackers with Subscriber-level ...

Jun 28, 2025
CVE-2025-2158
8.8

This vulnerability allows authenticated attackers with Contributor-level access or higher to perform Local File Inclusion attacks in the WordPress Rev...

May 10, 2025
CVE-2025-2817
8.8

This vulnerability allows a medium-integrity user process to interfere with Thunderbird's SYSTEM-level updater by manipulating file-locking behavior. ...

Apr 29, 2025
CVE-2025-27718
8.8

A path traversal vulnerability in the USB storage file-sharing function of HGW-BL1500HM devices allows attackers to access, modify, or delete files an...

Mar 28, 2025
CVE-2025-2328
8.8

This vulnerability allows unauthenticated attackers to delete arbitrary files on WordPress servers using the Drag and Drop Multiple File Upload for Co...

Mar 28, 2025
CVE-2024-9415
8.8

A path traversal vulnerability in transformeroptimus/superagi version 0.0.14 allows attackers to upload arbitrary files to any location on the server....

Mar 20, 2025
CVE-2025-2449
8.8

This vulnerability in NI FlexLogger's usiReg component allows remote attackers to create arbitrary files via directory traversal in URI file parsing. ...

Mar 18, 2025
CVE-2024-12035
8.8

The CS Framework WordPress plugin has an arbitrary file deletion vulnerability that allows authenticated attackers with Subscriber-level access or hig...

Mar 7, 2025
CVE-2025-1282
8.8

This vulnerability in the Car Dealer Automotive WordPress theme allows authenticated attackers with Subscriber-level access or higher to delete arbitr...

Feb 27, 2025

About Path Traversal (CWE-22)

Our database tracks 1,995 CVEs classified as CWE-22, with 447 rated critical and 1,009 rated high severity. The average CVSS score for Path Traversal vulnerabilities is 7.7.
