CWE-706

Total CVEs: 25
Critical: 5
High: 11
Avg CVSS: 7.4

Yearly Trend

2026: 2
2025: 5
2024: 9
2023: 4
2022: 1

Top Affected Vendors

1. Oracle: 1
2. Splunk: 1
3. Nextcloud: 1
4. Hono: 1
5. Cszcms: 1
6. Linux: 1
7. Phpgurukul: 1
8. Logpoint: 1
9. Dlink: 1
10. Namelessmc: 1

All CWE-706 CVEs (25)

CVE-2024-35198 (CVSS 9.8, Jul 19, 2024)
This vulnerability in TorchServe allows attackers to bypass URL validation checks by using directory traversal sequences like '..' in URLs, enabling t...

CVE-2023-31814 (CVSS 9.8, May 23, 2023)
This CVE describes a file inclusion vulnerability in D-Link DIR-300 routers that allows attackers to include arbitrary files from the filesystem via t...

CVE-2021-40539 (CVSS 9.8, Sep 7, 2021)
This vulnerability allows attackers to bypass authentication in Zoho ManageEngine ADSelfService Plus REST API, leading to remote code execution. It af...

CVE-2021-37315 (CVSS 9.1, Feb 3, 2023)
This vulnerability allows remote attackers to write arbitrary files on ASUS RT-AC68U routers via improper input sanitization in Cloud Disk's COPY and ...

CVE-2021-37144 (CVSS 9.1, Jul 30, 2021)
CVE-2021-37144 is an arbitrary file deletion vulnerability in CSZ CMS 1.2.9 that allows attackers to delete files on the server by exploiting insuffic...

CVE-2021-37214 (CVSS 8.8, Aug 9, 2021)
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Flygo's employee management page. Authenticated general users can manip...

CVE-2024-27295 (CVSS 8.2, Mar 1, 2024)
This vulnerability in Directus allows attackers to hijack password reset emails by using email addresses with accented characters that MySQL/MariaDB t...

CVE-2026-25890 (CVSS 8.1, Feb 9, 2026)
In File Browser versions before 2.57.1, authenticated users can bypass file access restrictions by adding extra slashes to file paths in requests. Thi...

CVE-2022-27778 (CVSS 8.1, Jun 2, 2022)
This vulnerability in curl versions before 7.83.1 could cause the wrong file to be deleted when using the --no-clobber option with --remove-on-error. ...

CVE-2023-42125 (CVSS 7.8, May 3, 2024)
This vulnerability in Avast Premium Security allows local attackers to escalate privileges from low-privileged user accounts to SYSTEM-level access by...

CVE-2025-58362 (CVSS 7.5, Sep 5, 2025)
This vulnerability in Hono web framework versions 4.8.0 through 4.9.5 allows path confusion attacks that could bypass proxy-level access controls like...

CVE-2024-4887 (CVSS 7.5, Jun 7, 2024)
The Qi Addons For Elementor WordPress plugin has a Remote File Inclusion vulnerability that allows authenticated attackers with Contributor-level acce...

CVE-2024-27292 (CVSS 7.5, Mar 21, 2024)
This vulnerability in Docassemble allows attackers to access sensitive information through URL manipulation. It affects versions 1.4.53 to 1.4.96 of t...

CVE-2023-42451 (CVSS 7.4, Sep 19, 2023)
This vulnerability in Mastodon allows attackers to spoof domains they don't own by exploiting flaws in domain name normalization. This could enable im...

CVE-2025-30357 (CVSS 7.3, Apr 18, 2025)
In NamelessMC versions 2.1.4 and earlier, when an administrator deletes a spammer's account, all posts by that user are deleted along with entire disc...

CVE-2021-31933 (CVSS 7.2, Apr 30, 2021)
This vulnerability allows remote authenticated administrators in Chamilo LMS to upload malicious PHP files through directory traversal, leading to rem...

CVE-2025-62378 (CVSS 6.1, Oct 15, 2025)
A logic flaw in CommandKit's message command handler exposes the alias name instead of the canonical command name in middleware and execution contexts...

CVE-2024-52515 (CVSS 5.7, Nov 15, 2024)
This vulnerability in Nextcloud Server allows a malicious user to upload a manipulated SVG file that references other file paths. If the referenced fi...

CVE-2021-47276 (CVSS 5.5, May 21, 2024)
A memory access vulnerability in the Linux kernel's ftrace subsystem could cause kernel panics when handling invalid instruction pointer addresses. Th...

CVE-2025-29914 (CVSS 5.4, Mar 20, 2025)
CVE-2025-29914 is a path normalization vulnerability in OWASP Coraza WAF where requests starting with double slashes (//) cause incorrect REQUEST_FILE...

CVE-2023-28628 (CVSS 5.4, Mar 27, 2023)
This vulnerability in the lambdaisland/uri library allows attackers to craft malicious URLs that cause incorrect authority parsing, potentially bypass...

CVE-2024-36383 (CVSS 5.3, May 27, 2024)
This vulnerability in Logpoint SAML Authentication allows attackers to delete arbitrary files by injecting crafted filenames into SAML SSO-URL respons...

CVE-2024-55058 (CVSS 4.3, Dec 17, 2024)
An insecure direct object reference (IDOR) vulnerability in PHPGurukul Online Birth Certificate System v1.0 allows authenticated users to access other...

CVE-2026-25067 (CVSS N/A, Jan 29, 2026)
SmarterMail versions before build 9518 have an unauthenticated path coercion vulnerability that allows attackers to force the service to authenticate ...

CVE-2025-13437 (CVSS N/A, Nov 20, 2025)
This vulnerability in the zx CLI tool allows arbitrary directory deletion when using the --prefer-local flag. Attackers can delete external node_modul...

About CWE-706

Our database tracks 25 CVEs classified as CWE-706, with 5 rated critical and 11 rated high severity. The average CVSS score for CWE-706 vulnerabilities is 7.4.

External reference: CWE-706 on MITRE CWE
