CWE-22: Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences that can resolve to a location outside of that directory.
All Path Traversal CVEs (2,014)
CVE-2026-24842 is a path traversal vulnerability in node-tar, a Node.js library for handling TAR archives, affecting versions prior to 7.5.7. It allow...
Jan 28, 2026

This path traversal vulnerability in Azure Logic Apps allows unauthorized attackers to access restricted directories and elevate privileges over the n...
Jan 22, 2026

CVE-2025-65025 is a path traversal vulnerability in esm.sh CDN service that allows attackers to write files to arbitrary server locations during NPM p...
Nov 19, 2025

This vulnerability in Liferay Portal/DXP allows remote attackers to perform path traversal attacks via the ComboServlet, potentially accessing arbitra...
Sep 29, 2025

The Counter live visitors for WooCommerce WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delet...
Jul 16, 2025

An unauthenticated directory traversal vulnerability in White Star Software Protop version 4.4.2-2024-11-27 allows remote attackers to read arbitrary ...
Jul 9, 2025

VMware Cloud Foundation contains a directory traversal vulnerability (CWE-22) that allows attackers with network access to port 443 to access internal...
May 20, 2025

CVE-2025-27147 is an improper access control vulnerability in the GLPI Inventory Plugin that allows unauthorized users to perform administrative actio...
Mar 25, 2025

This path traversal vulnerability in db-gpt version 0.6.0 allows attackers to delete arbitrary files on the server by manipulating the file_key parame...
Mar 20, 2025

This vulnerability in ESM 11.6.10 allows unauthenticated attackers to access internal Snowservice API endpoints via path traversal. This can lead to u...
Nov 29, 2024

CVE-2024-43395 is a path traversal vulnerability in CraftOS-PC 2 that allows attackers to escape the designated computer folder and access arbitrary f...
Aug 16, 2024

This vulnerability allows any user to delete any JSON file on the server through directory traversal attacks due to improper path validation. It affec...
Jul 31, 2024

This vulnerability in Bazaar v1.4.3 allows unauthenticated attackers to perform directory traversal attacks via the /api/swaggerui/static component. A...
Jul 20, 2024

This CVE describes a Local File Inclusion (LFI) vulnerability in Litestar/Starlite ASGI frameworks that allows attackers to exploit path traversal fla...
May 6, 2024

This vulnerability allows local attackers with high-privileged code execution on a Parallels Desktop guest system to escalate privileges on the host s...
May 3, 2024

This vulnerability in Obsidian desktop allows malicious webpages or markdown files to access local files through improper path handling. Attackers can...
Aug 19, 2023

CVE-2021-27771 is a path traversal vulnerability in HCL Sametime chat application where attackers can modify user session IDs to upload arbitrary file...
May 12, 2022

CVE-2021-41150 is a path traversal vulnerability in the Tough TUF library that allows attackers to overwrite arbitrary JSON files on the system when r...
Oct 19, 2021

CVE-2021-41149 is a path traversal vulnerability in the Tough TUF library that allows attackers to overwrite arbitrary files on the system when cachin...
Oct 19, 2021

This vulnerability in the npm tar package allows attackers to bypass symlink checks by exploiting Unicode normalization and Windows short path behavio...
Aug 31, 2021

The npm tar package before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to insufficient sanitiz...
Aug 3, 2021

OpenClaw versions 2026.1.29-beta.1 through 2026.2.1 contain a path traversal vulnerability in plugin installation. Attackers can craft malicious plugi...
Mar 5, 2026

This path traversal vulnerability in ASUSTOR ADM FTP Backup allows attackers to access files outside the intended directory by manipulating file paths...
Feb 25, 2026

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on MLflow Tracking Server installations via directory traversal i...
Feb 20, 2026

CVE-2026-24135 is a path traversal vulnerability in Gogs self-hosted Git service that allows authenticated users with wiki write access to delete arbi...
Feb 6, 2026

This vulnerability in n8n workflow automation platform allows attackers to write files to unintended locations on remote systems via SSH nodes, potent...
Feb 4, 2026

ConvertX versions before 0.17.0 have a path traversal vulnerability in the /delete endpoint that allows attackers to delete arbitrary files on the ser...
Jan 27, 2026

This path traversal vulnerability in VibeThemes WPLMS plugin allows attackers to delete arbitrary files on WordPress sites. It affects all WordPress i...
Jan 22, 2026

CVE-2025-66292 is an arbitrary file deletion vulnerability in DPanel server management panel. Authenticated users can delete any file on the server vi...
Jan 15, 2026

CVE-2025-68472 is an unauthenticated path traversal vulnerability in MindsDB's file upload API that allows attackers to read arbitrary files from the ...
Jan 12, 2026

Advantech WebAccess/SCADA is vulnerable to directory traversal that allows attackers to delete arbitrary files on the system. This affects industrial ...
Dec 18, 2025

This path traversal vulnerability allows authenticated users with limited privileges to upload malicious Arc data archives that can write arbitrary fi...
Dec 18, 2025

Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. Remote authenticated attackers can delete arbitrary f...
Dec 5, 2025

This vulnerability allows attackers to perform path traversal attacks via the size query parameter in Openatlas's /views/file.py endpoint. Attackers c...
Nov 24, 2025

This vulnerability in the Directorist WordPress plugin allows unauthenticated attackers to move arbitrary files on the server due to insufficient file...
Oct 25, 2025

Argo Workflows contains a Zip Slip path traversal vulnerability in artifact extraction that allows attackers to write arbitrary files outside the inte...
Oct 14, 2025

An authenticated path traversal vulnerability in Time Machine functionality allows limited-privilege users to manipulate files in the /data folder thr...
Oct 7, 2025

A path traversal vulnerability in Podman's kube play command allows attackers to overwrite arbitrary host files when Kubernetes YAML files contain sym...
Sep 5, 2025

The WooCommerce Purchase Orders plugin for WordPress has a vulnerability that allows authenticated users with Subscriber-level access or higher to del...
Aug 12, 2025

The Kallyas WordPress theme contains a vulnerability that allows authenticated attackers with Contributor-level access or higher to delete arbitrary f...
Jul 26, 2025

This CSRF vulnerability in the hiWeb Export Posts WordPress plugin allows unauthenticated attackers to delete arbitrary server files by tricking admin...
Jul 24, 2025

The Extensions For CF7 WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any file on the s...
Jul 22, 2025

The Vikinger WordPress theme allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server due to insu...
Jul 2, 2025

ServiceStack's FindType method contains a directory traversal vulnerability that allows remote attackers to execute arbitrary code by manipulating fil...
Jun 25, 2025

This path traversal vulnerability in Seofy Core WordPress plugin allows attackers to include arbitrary local PHP files via improper path validation. A...
Jun 9, 2025

CVE-2025-26692 is a path traversal vulnerability in Quick Agent V3 and V2 that allows remote unauthenticated attackers to execute arbitrary code with ...
Apr 28, 2025

The Avatar WordPress plugin has an arbitrary file deletion vulnerability that allows authenticated attackers with Subscriber-level access or higher to...
Apr 18, 2025

A path traversal vulnerability in mholt/archiver Go library allows attackers to create or overwrite arbitrary files by exploiting symlinks in crafted ...
Apr 13, 2025

This CVE describes a path traversal vulnerability in the WooCommerce Pickupp plugin that allows attackers to include arbitrary PHP files from the serv...
Apr 11, 2025

This path traversal vulnerability in DyaPress ERP/CRM allows attackers to include arbitrary PHP files from the server's filesystem, potentially leadin...
Apr 10, 2025

About Path Traversal (CWE-22)
Our database tracks 2,014 CVEs classified as CWE-22, with 455 rated critical and 1,018 rated high severity. The average CVSS score for Path Traversal vulnerabilities is 7.7.
External reference: View CWE-22 on MITRE CWE →