CWE-35
AllowedPath Traversal: '.../...//'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
334 vulnerabilities reference this CWE, most recent first.
GHSA-FG59-J242-RCJ9
Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
{
"affected": [],
"aliases": [
"CVE-2024-36991"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T17:15:07Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.",
"id": "GHSA-fg59-j242-rcj9",
"modified": "2024-07-01T18:32:41Z",
"published": "2024-07-01T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36991"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0711"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/e7c2b064-524e-4d65-8002-efce808567aa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FM87-46VV-JQRR
Vulnerability from github – Published: 2018-09-18 13:45 – Updated: 2023-01-31 01:40Versions of html-pages before 2.1.0 are vulnerable to path traversal.
Recommendation
Update to version 2.1.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "html-pages"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3744"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:34:53Z",
"nvd_published_at": "2018-05-29T20:29:00Z",
"severity": "CRITICAL"
},
"details": "Versions of `html-pages` before 2.1.0 are vulnerable to path traversal.\n\n\n## Recommendation\n\nUpdate to version 2.1.0 or later.",
"id": "GHSA-fm87-46vv-jqrr",
"modified": "2023-01-31T01:40:06Z",
"published": "2018-09-18T13:45:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3744"
},
{
"type": "WEB",
"url": "https://github.com/danielcardoso/html-pages/issues/2"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/306607"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fm87-46vv-jqrr"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/665"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Path Traversal in html-pages"
}
GHSA-FMMX-7C8X-CQV9
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-11 15:30Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.
{
"affected": [],
"aliases": [
"CVE-2024-39171"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T17:15:48Z",
"severity": "HIGH"
},
"details": "Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.",
"id": "GHSA-fmmx-7c8x-cqv9",
"modified": "2024-07-11T15:30:44Z",
"published": "2024-07-09T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39171"
},
{
"type": "WEB",
"url": "https://github.com/751897386/PHPVibe_vulnerability_Directory-Traversal"
},
{
"type": "WEB",
"url": "http://phpvibe.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FP27-QFPM-95W8
Vulnerability from github – Published: 2023-10-16 09:30 – Updated: 2024-04-04 08:39Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2023-21415"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-16T07:15:08Z",
"severity": "HIGH"
},
"details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. \n",
"id": "GHSA-fp27-qfpm-95w8",
"modified": "2024-04-04T08:39:25Z",
"published": "2023-10-16T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21415"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/58/0b/36/cve-2023-21415pdf-en-US-412759.pdf"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/b6/55/e2/cve-2023-21415pdf-en-US-416245.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FPX7-Q8WV-4MJ3
Vulnerability from github – Published: 2025-05-16 18:31 – Updated: 2026-04-28 21:35Path Traversal vulnerability in WHMPress WHMpress allows Relative Path Traversal. This issue affects WHMpress: from 6.2 through revision.
{
"affected": [],
"aliases": [
"CVE-2025-39492"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-16T16:15:40Z",
"severity": "HIGH"
},
"details": "Path Traversal vulnerability in WHMPress WHMpress allows Relative Path Traversal. This issue affects WHMpress: from 6.2 through revision.",
"id": "GHSA-fpx7-q8wv-4mj3",
"modified": "2026-04-28T21:35:36Z",
"published": "2025-05-16T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39492"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FVM8-PGM7-CG8J
Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2024-04-09 21:32The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-2654"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:35Z",
"severity": "MODERATE"
},
"details": "The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information.",
"id": "GHSA-fvm8-pgm7-cg8j",
"modified": "2024-04-09T21:32:00Z",
"published": "2024-04-09T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2654"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-file-manager/trunk/file_folder_manager.php#L1353"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3062387/wp-file-manager/trunk?contextall=1\u0026old=3051451\u0026old_path=%2Fwp-file-manager%2Ftrunk"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca98fbc6-8cfa-4997-8a46-344afb75a97e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G385-HXMR-GHGC
Vulnerability from github – Published: 2024-09-10 06:30 – Updated: 2024-09-10 06:30Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-0067"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T05:15:10Z",
"severity": "MODERATE"
},
"details": "Marinus Pfund, member of the AXIS OS Bug Bounty Program, \nhas found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.",
"id": "GHSA-g385-hxmr-ghgc",
"modified": "2024-09-10T06:30:48Z",
"published": "2024-09-10T06:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0067"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/c7/d0/91/cve-2024-0067-en-US-448994.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G4W8-7722-55PW
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-04-01 18:36Path Traversal vulnerability in Stefan Keller WooCommerce Payment Gateway for Saferpay allows Path Traversal. This issue affects WooCommerce Payment Gateway for Saferpay: from n/a through 0.4.9.
{
"affected": [],
"aliases": [
"CVE-2025-48317"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T17:15:37Z",
"severity": "HIGH"
},
"details": "Path Traversal vulnerability in Stefan Keller WooCommerce Payment Gateway for Saferpay allows Path Traversal. This issue affects WooCommerce Payment Gateway for Saferpay: from n/a through 0.4.9.",
"id": "GHSA-g4w8-7722-55pw",
"modified": "2026-04-01T18:36:07Z",
"published": "2025-09-05T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48317"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/woocommerce-payment-gateway-for-saferpay/vulnerability/wordpress-woocommerce-payment-gateway-for-saferpay-plugin-0-4-9-path-traversal-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G54F-66MW-HV66
Vulnerability from github – Published: 2024-09-26 18:16 – Updated: 2024-09-26 21:11Summary
A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.
This does not affect:
- agnai.chat
- installations using S3-compatible storage
- self-hosting that is not publicly exposed
CWE-35: Path Traversal
https://cwe.mitre.org/data/definitions/35.html
CVSS4.0 - 2.3 Low
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Details
This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the editCharacter handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:
POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1
The path traversal character sequence makes it’s way into the id variable which is then string interpolated into filename.
export async function entityUpload(kind: string, id: string, attachment?: Attachment) {
if (!attachment) return
const filename = `${kind}-${id}`
return upload(attachment, filename)
}
https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55
No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.
Impact
This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.
Credit
Security research in collaboration with Analyst Danyang Liu (noe223) @noe233
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "agnai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.330"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47171"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-35"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-26T18:16:13Z",
"nvd_published_at": "2024-09-26T18:15:10Z",
"severity": "LOW"
},
"details": "### Summary\n\nA vulnerability has been discovered in **Agnai** that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.\n\nThis does not affect:\n\n- agnai.chat\n- installations using S3-compatible storage\n- self-hosting that is not publicly exposed\n\n### CWE-35: Path Traversal\n\nhttps://cwe.mitre.org/data/definitions/35.html\n\n### CVSS4.0 - 2.3 Low\n\nCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\n\n### Details\n\nThis is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the `editCharacter` handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:\n\n```tsx\nPOST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1\n```\n\nThe path traversal character sequence makes it\u2019s way into the `id` variable which is then string interpolated into `filename`. \n\n```jsx\nexport async function entityUpload(kind: string, id: string, attachment?: Attachment) {\n if (!attachment) return\n const filename = `${kind}-${id}`\n return upload(attachment, filename)\n}\n```\n\nhttps://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55\n\nNo path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.\n\n### Impact\n\nThis vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.\n\n### Credit\nSecurity research in collaboration with Analyst [Danyang Liu (noe223)](https://github.com/noe233) @noe233",
"id": "GHSA-g54f-66mw-hv66",
"modified": "2024-09-26T21:11:07Z",
"published": "2024-09-26T18:16:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/agnaistic/agnai/security/advisories/GHSA-g54f-66mw-hv66"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47171"
},
{
"type": "PACKAGE",
"url": "https://github.com/agnaistic/agnai"
},
{
"type": "WEB",
"url": "https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:"
},
{
"type": "WEB",
"url": "https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Agnai vulnerable to Relative Path Traversal in Image Upload"
}
GHSA-G5HG-47XM-JFG5
Vulnerability from github – Published: 2025-06-04 12:30 – Updated: 2025-06-04 12:30Path Traversal vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Retrieve Embedded Sensitive Data.This issue affects airleader MASTER: 3.0046.
{
"affected": [],
"aliases": [
"CVE-2025-5598"
],
"database_specific": {
"cwe_ids": [
"CWE-35"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-04T12:15:21Z",
"severity": "CRITICAL"
},
"details": "Path Traversal vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Retrieve Embedded Sensitive Data.This issue affects airleader MASTER: 3.0046.",
"id": "GHSA-g5hg-47xm-jfg5",
"modified": "2025-06-04T12:30:36Z",
"published": "2025-06-04T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5598"
},
{
"type": "WEB",
"url": "https://github.com/migros/migros-security-advisories/blob/main/advisories/msec-2025-004_wf-seuerungstechnik-gmbh_airleader-master_path-traversal.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.