By weakness (CWE)
CWE-22: related vulnerabilities
CVEs classified under CWE-22. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
23 published vulnerabilities
- CVE-2026-35082HIGH 8.8
A vulnerability in MBS Solutions' universal gateway firmware and related products allows an authenticated user to read arbitrary files from the affected system. The ugw-logread method does not properly validate file path inputs, enabling attackers with legitimate user credentials to bypass access controls and retrieve sensitive data they shouldn't be able to access. This is a local file disclosure issue that requires valid user credentials to exploit.
- CVE-2024-40646HIGH 8.6
Vertex, a management tool for private tracker users, contains a path traversal vulnerability that allows remote attackers to access files outside their intended directory. An attacker can craft malicious requests to navigate the file system and read sensitive data without authentication. The vulnerability affects all versions prior to a specific patch commit and carries a high severity rating due to its ease of exploitation and significant impact on confidentiality.
- CVE-2026-43624HIGH 8.2
F5-TTS versions up to 1.1.20 contain a path traversal vulnerability in their finetune Gradio interface that lets unauthenticated attackers write files anywhere on the server's filesystem. The flaw stems from inadequate validation of project names before they're used in file system operations. An attacker can bypass the intended directory boundary by supplying absolute paths (like /tmp/EVIL) and create malicious files with arbitrary content in locations the web server can access. No authentication is required to exploit this.
- CVE-2018-25408HIGH 7.5
A vulnerability in Open ISES Project version 3.30A allows anyone on the internet to download files from an affected server without needing to log in. An attacker can craft a specially formatted request to the ajax/download.php endpoint that uses path traversal techniques (such as ../ sequences) to escape the intended download directory and retrieve sensitive files like configuration files, database backups, or system files. The vulnerability requires no authentication, no special user interaction, and can be exploited over the network.
- CVE-2026-10108HIGH 7.5
xiaomusic version 0.5.7 contains an unauthenticated vulnerability that allows attackers to download files from anywhere on the server, not just the music directory. The flaw exists in how the application validates file paths when serving content. An attacker can craft special requests that bypass this validation to read sensitive files—such as configuration files, private keys, or application source code—without needing any credentials. The vulnerability affects any exposed xiaomusic instance running the affected version.
- CVE-2026-32847HIGH 7.5
DeepCode contains a path traversal vulnerability that allows anyone on the internet to read sensitive files from the server without needing to authenticate or provide credentials. An attacker can craft specially-encoded URLs that trick the application into serving files it shouldn't, such as SSH keys, TLS certificates, and application secrets. The vulnerability exists in how the application handles file paths in its web interface, and the encoding bypass makes it straightforward to exploit.
- CVE-2026-44594HIGH 7.5
esm.sh, a popular CDN for JavaScript development that eliminates the need for build processes, contains a vulnerability in how it processes package metadata. An attacker can publish a malicious npm package that tricks the esm.sh server into reading and exposing sensitive files from its own filesystem. This happens because the service doesn't properly validate how it interprets the 'browser' field in package.json during the build process. While the attacker cannot modify files or crash the service, they can gain unauthorized access to confidential data stored on esm.sh infrastructure.
- CVE-2026-45017HIGH 7.5
Python Liquid is a templating engine used to process dynamic content. Versions before 2.2.0 contain a path traversal flaw that lets an attacker with the ability to author templates bypass security restrictions and read arbitrary files from the server. An attacker could use the {% include %} or {% render %} template tags with absolute file paths to access files outside the intended template directory. The compromised files are then processed as templates, potentially exposing their contents. This requires the attacker to have template authoring privileges and targets files readable by the application.
- CVE-2026-39276HIGH 7.2
Emlog Pro v2.6.9 contains a path traversal flaw in its template upload feature that allows authenticated administrators to upload malicious files and execute arbitrary PHP code on the server. An attacker with admin credentials can craft a specially crafted ZIP archive with directory traversal sequences (such as '../') in filenames to escape the intended upload directory, overwrite legitimate template files, or inject malicious code that gets executed by the web server. This is a post-authentication vulnerability, meaning the attacker must already have admin access to the Emlog installation.
- CVE-2018-25393MEDIUM 6.5
Navigate CMS version 2.8.5 contains a flaw that allows authenticated users to download files they shouldn't have access to by manipulating the download request. An attacker with valid login credentials can craft specially-formed requests to the navigate_download.php component using directory traversal patterns (such as ../../../) to sidestep folder boundaries and retrieve sensitive system files like configuration files outside the application's normal download directory.
- CVE-2018-25421MEDIUM 6.5
Open STA Manager version 2.3 has a security flaw that allows authenticated users to download files they shouldn't have access to. An attacker with valid login credentials can manipulate web requests to trick the application into retrieving sensitive system files, such as configuration files or data stored outside the intended application directory. The vulnerability exists in the backup module and exploits how the application handles file path requests.
- CVE-2019-25740MEDIUM 6.5
A vulnerability in Joomla's com_jsjobs extension version 1.2.6 allows authenticated users to delete files from the web server. An attacker who has valid login credentials can craft a malicious request that exploits how the extension handles file path parameters, bypassing intended restrictions and removing files the web server can access. This is a path traversal flaw that turns file upload/management functionality into an unauthorized deletion mechanism.
- CVE-2026-35718MEDIUM 6.5
VIVOTEK FD8136 network cameras running firmware version 0300a contain a path traversal vulnerability in their administrative media download function. An authenticated attacker can craft requests to the vulnerable endpoint to read files anywhere on the device, potentially exposing sensitive configuration data, credentials, or system files. This requires valid login credentials but does not require user interaction to exploit.
- CVE-2026-42679MEDIUM 6.5
CVE-2026-42679 is a path traversal vulnerability in Mamunur Rashid Classified Listing that allows authenticated users to read sensitive files outside the application's intended directory structure. An attacker with valid login credentials can craft specially formatted file path requests to access restricted files on the server, potentially exposing configuration data, database backups, or other confidential information. The vulnerability affects Classified Listing versions up through 5.3.8.
- CVE-2026-10278MEDIUM 6.3
A path traversal vulnerability exists in the excel-mcp project (versions up to 1.0.2) that allows authenticated users to access files and directories outside the intended scope by manipulating file path parameters. An attacker with valid credentials can read or write files on the affected system by crafting malicious file path arguments, potentially exposing sensitive data or modifying system files. The vulnerability has been publicly disclosed, increasing the risk of active exploitation.
- CVE-2026-0055MEDIUM 6.2
A path traversal vulnerability in Android's PackageInstallerService allows an attacker to write a Device Policy Controller (DPC) application to an unintended directory. By exploiting this flaw, an unprivileged local process can escalate its privileges without requiring user interaction or additional system permissions. The vulnerability affects multiple Android versions and could allow an attacker with local access to gain elevated capabilities on the device.
- CVE-2026-10213MEDIUM 5.4
AstrBot version 4.23.6 contains a path traversal vulnerability in its API endpoint that handles skill deletion. An authenticated attacker can manipulate the Name parameter to traverse the file system and read or modify files outside the intended directory structure. The vulnerability is network-accessible and does not require user interaction beyond the attacker having valid credentials. Public exploit code is available, increasing the risk of active exploitation.
- CVE-2026-41412MEDIUM 4.9
alf.io is an open-source ticketing platform used by conferences and events to manage reservations. The vulnerability lies in how alf.io sandboxes custom extensions (plugins) that users can write to extend functionality. The sandbox was designed to safely run untrusted extension code, but it failed to protect file access. Specifically, extensions have access to an HTTP client tool that includes a method for uploading files. This method does not validate or restrict which files can be read—a malicious extension can read any file that the alf.io application has permission to access on the server, then send that file's contents to an attacker's server. An attacker would need to either write a malicious extension or trick an administrator into installing one, but once active, the extension can quietly exfiltrate sensitive data like configuration files, database credentials, or user records.
- CVE-2026-33462MEDIUM 4.6
A path traversal flaw in Kibana's dashboard management allows an authenticated user with basic permissions to craft a malicious dashboard identifier. When an administrator deletes this dashboard, the deletion request bypasses security controls and targets unintended internal endpoints—potentially destroying user accounts or other critical resources. The vulnerability requires an administrator to take action on the malicious object, making it a privilege-escalation path rather than a self-executing exploit.
- CVE-2024-47273MEDIUM 4.3
Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.
- CVE-2024-47263MEDIUM 4.1
A path traversal flaw in Synology Hyper Backup's web API allows administrators who already have legitimate access to write files outside their intended directory. The vulnerability is constrained to non-sensitive file types, limiting immediate damage, but represents a control-boundary weakness that could enable privilege misuse or lateral movement in environments where admin accounts are compromised or where insider threat is a concern.
- CVE-2019-25734MEDIUM 4.0
Contact Form by WD version 1.13.1 has a security flaw that combines two weaknesses: a cross-site request forgery (CSRF) vulnerability and local file inclusion (LFI). An unauthenticated attacker can craft a malicious web form that, when visited by an admin, tricks the admin's browser into loading arbitrary files from the server using directory traversal sequences. This bypasses the normal authentication checks on certain WordPress AJAX actions, potentially exposing sensitive files.
- CVE-2026-10264LOW 3.5
CVE-2026-10264 is a path traversal vulnerability in lharries whatsapp-mcp version 0.0.1, located in the SendMessageRequest function of the Send API Endpoint. An attacker with local access and user privileges can manipulate the mediaPath argument to traverse the file system and read sensitive files, though exploitation impact is limited to information disclosure. The vulnerability has been publicly disclosed.