Common Weakness Enumeration

CWE-35

Allowed

Path Traversal: '.../...//'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

334 vulnerabilities reference this CWE, most recent first.

GHSA-5X65-5VJ4-HXHR

Vulnerability from github – Published: 2024-10-06 15:32 – Updated: 2024-10-06 15:32
VLAI
Details

Multi-DNC – CWE-35: Path Traversal: '.../...//'

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-06T13:15:15Z",
    "severity": "HIGH"
  },
  "details": "Multi-DNC \u2013 CWE-35: Path Traversal: \u0027.../...//\u0027",
  "id": "GHSA-5x65-5vj4-hxhr",
  "modified": "2024-10-06T15:32:28Z",
  "published": "2024-10-06T15:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45248"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-624W-CG87-4JVW

Vulnerability from github – Published: 2025-01-07 12:30 – Updated: 2026-04-01 18:33
VLAI
Details

Path Traversal vulnerability in SMSA Express SMSA Shipping allows Path Traversal.This issue affects SMSA Shipping: from n/a through 2.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-07T11:15:07Z",
    "severity": "HIGH"
  },
  "details": "Path Traversal vulnerability in SMSA Express SMSA Shipping allows Path Traversal.This issue affects SMSA Shipping: from n/a through 2.3.",
  "id": "GHSA-624w-cg87-4jvw",
  "modified": "2026-04-01T18:33:01Z",
  "published": "2025-01-07T12:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49249"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/smsa-shipping-official/vulnerability/wordpress-smsa-shipping-plugin-2-3-arbitrary-file-deletion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62J6-3MX6-32XV

Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32
VLAI
Details

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.",
  "id": "GHSA-62j6-3mx6-32xv",
  "modified": "2025-02-12T15:32:01Z",
  "published": "2025-02-12T15:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26355"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26355"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63XM-X5G2-5GR3

Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-05-13 12:31
VLAI
Details

A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). Affected devices are vulnerable to path traversal attacks. This could allow a privileged local attacker to restore backups that are outside the backup folder.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T10:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). Affected devices are vulnerable to path traversal attacks.\nThis could allow a privileged local attacker to restore backups that are outside the backup folder.",
  "id": "GHSA-63xm-x5g2-5gr3",
  "modified": "2025-05-13T12:31:36Z",
  "published": "2025-05-13T12:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40573"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-327438.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-64H4-VPPH-XC2H

Vulnerability from github – Published: 2026-02-03 06:31 – Updated: 2026-02-06 21:30
VLAI
Details

A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T06:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A\n vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an \nauthenticated attacker with admin privileges using the shell commands \n\u201csource, ping6, sleep, disown, wait to modify the path variables and \nmove upwards in the directory structure or to traverse to different \ndirectories.",
  "id": "GHSA-64h4-vpph-xc2h",
  "modified": "2026-02-06T21:30:48Z",
  "published": "2026-02-03T06:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58381"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-669M-X2JM-GM59

Vulnerability from github – Published: 2026-04-01 09:31 – Updated: 2026-04-01 09:31
VLAI
Details

PowerStore, contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T08:16:05Z",
    "severity": "MODERATE"
  },
  "details": "PowerStore, contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary system files.",
  "id": "GHSA-669m-x2jm-gm59",
  "modified": "2026-04-01T09:31:27Z",
  "published": "2026-04-01T09:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28265"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000444169/dsa-2026-157-dell-powerstore-t-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6JG8-M9FF-FV96

Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2026-05-20 09:30
VLAI
Details

The Identity and Directory Management System developed by Çekino Bilgi Teknolojileri before version 2.1.25 has an unauthenticated Path traversal vulnerability. This has been fixed in the version 2.1.25

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-21T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Identity and Directory Management System developed by \u00c3\u2021ekino Bilgi Teknolojileri before version 2.1.25 has an unauthenticated Path traversal vulnerability. This has been fixed in the version 2.1.25",
  "id": "GHSA-6jg8-m9ff-fv96",
  "modified": "2026-05-20T09:30:32Z",
  "published": "2022-09-22T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2265"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-22-0636"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-22-0636"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6MX8-M8XP-F2VC

Vulnerability from github – Published: 2024-12-12 15:31 – Updated: 2024-12-12 15:31
VLAI
Details

ComfyUI-Impact-Pack is vulnerable to Path Traversal. The issue stems from missing validation of the image.filename field in a POST request sent to the /upload/temp endpoint added by the extension to the server. This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T15:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "ComfyUI-Impact-Pack is vulnerable to Path Traversal. The issue stems from missing validation of the `image.filename` field in a POST request sent to the `/upload/temp` endpoint added by the extension to the server. This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE).",
  "id": "GHSA-6mx8-m8xp-f2vc",
  "modified": "2024-12-12T15:31:09Z",
  "published": "2024-12-12T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21575"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ltdrdata/ComfyUI-Impact-Pack/commit/a43dae373e648ae0f0cc0c9768c3cea6a72acff7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ltdrdata/ComfyUI-Impact-Pack/blob/1087f2ee063c9d53cd198add79b41a7a3465c05a/modules/impact/impact_server.py#L28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6QXX-9RQV-5CJM

Vulnerability from github – Published: 2023-11-21 09:30 – Updated: 2023-11-21 09:30
VLAI
Details

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-21T07:15:08Z",
    "severity": "HIGH"
  },
  "details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. \n\n",
  "id": "GHSA-6qxx-9rqv-5cjm",
  "modified": "2023-11-21T09:30:23Z",
  "published": "2023-11-21T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21416"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/35/2a/a6/cve-2023-21416-en-US-417790.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VFV-V5V8-QX7Q

Vulnerability from github – Published: 2025-06-05 15:31 – Updated: 2025-06-17 21:32
VLAI
Details

A path traversal vulnerability in RSFirewall component 2.9.7 - 3.1.5 for Joomla was discovered. This vulnerability allows authenticated users to read arbitrary files outside the Joomla root directory. The flaw is caused by insufficient sanitization of user-supplied input in file path parameters, allowing attackers to exploit directory traversal sequences (e.g., ../) to access sensitive files

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-05T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A path traversal vulnerability in RSFirewall component 2.9.7 - 3.1.5 for Joomla was discovered. This vulnerability allows authenticated users to read arbitrary files outside the Joomla root directory. The flaw is caused by insufficient sanitization of user-supplied input in file path parameters, allowing attackers to exploit directory traversal sequences (e.g., ../) to access sensitive files",
  "id": "GHSA-6vfv-v5v8-qx7q",
  "modified": "2025-06-17T21:32:02Z",
  "published": "2025-06-05T15:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27445"
    },
    {
      "type": "WEB",
      "url": "https://rsjoomla.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.