CWE-36
AllowedAbsolute Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
245 vulnerabilities reference this CWE, most recent first.
GHSA-MR42-8XPC-QJ99
Vulnerability from github – Published: 2024-10-14 06:30 – Updated: 2024-10-14 06:30The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently .
{
"affected": [],
"aliases": [
"CVE-2024-9924"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-14T04:15:06Z",
"severity": "CRITICAL"
},
"details": "The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently .",
"id": "GHSA-mr42-8xpc-qj99",
"modified": "2024-10-14T06:30:43Z",
"published": "2024-10-14T06:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9924"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8131-0b5e1-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8130-89bb1-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXR6-VW74-C6QJ
Vulnerability from github – Published: 2026-01-05 09:30 – Updated: 2026-01-05 09:30QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-15236"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-05T08:15:57Z",
"severity": "MODERATE"
},
"details": "QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability.",
"id": "GHSA-mxr6-vw74-c6qj",
"modified": "2026-01-05T09:30:19Z",
"published": "2026-01-05T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15236"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P3J8-Q3F7-M9XC
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack.
{
"affected": [],
"aliases": [
"CVE-2026-20834"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:11Z",
"severity": "MODERATE"
},
"details": "Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack.",
"id": "GHSA-p3j8-q3f7-m9xc",
"modified": "2026-01-13T18:31:09Z",
"published": "2026-01-13T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20834"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20834"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6H7-HFJ2-VMCF
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2026-06-05 14:14An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpc_agent's host by exploiting the download_file method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "agentscope"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8501"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T21:56:53Z",
"nvd_published_at": "2025-03-20T10:15:42Z",
"severity": "HIGH"
},
"details": "An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpc_agent\u0027s host by exploiting the download_file method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.",
"id": "GHSA-p6h7-hfj2-vmcf",
"modified": "2026-06-05T14:14:02Z",
"published": "2025-03-20T12:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8501"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelscope/agentscope"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/agentscope/PYSEC-2025-82.yaml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/83e433c0-ed2d-4b10-8358-d3c1eee0a47c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AgentScope arbitrary file download vulnerability in rpc_agent_client"
}
GHSA-P836-RWW8-FF8F
Vulnerability from github – Published: 2024-12-16 09:31 – Updated: 2024-12-16 09:31The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
{
"affected": [],
"aliases": [
"CVE-2024-12646"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T07:15:06Z",
"severity": "HIGH"
},
"details": "The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user\u0027s system.",
"id": "GHSA-p836-rww8-ff8f",
"modified": "2024-12-16T09:31:10Z",
"published": "2024-12-16T09:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12646"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8304-b83f8-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8298-10b36-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8H7-C8GW-6X8C
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-09-13 19:34A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 9.5.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (\), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the /user_infos endpoint, where a crafted request using backslashes to reference a file (e.g., \windows\win.ini) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lollms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-4881"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-13T19:34:56Z",
"nvd_published_at": "2024-06-06T19:16:03Z",
"severity": "HIGH"
},
"details": "A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 9.5.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\\windows\\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.",
"id": "GHSA-p8h7-c8gw-6x8c",
"modified": "2024-09-13T19:34:56Z",
"published": "2024-06-06T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4881"
},
{
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6"
},
{
"type": "PACKAGE",
"url": "https://github.com/parisneo/lollms"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/94f7f901-80b0-4cf5-b545-ac5c1e7635e9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "LoLLMS Path Traversal vulnerability"
}
GHSA-P998-JP59-783M
Vulnerability from github – Published: 2026-04-01 21:26 – Updated: 2026-04-06 16:47Summary
On Windows the static resource handler may expose information about a NTLMv2 remote path.
Impact
If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.
Patch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.3"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34515"
],
"database_specific": {
"cwe_ids": [
"CWE-36",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:26:36Z",
"nvd_published_at": "2026-04-01T21:16:59Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nOn Windows the static resource handler may expose information about a NTLMv2 remote path.\n\n### Impact\n\nIf an application is running on Windows, and using aiohttp\u0027s static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user\u0027s credentials from there.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d",
"id": "GHSA-p998-jp59-783m",
"modified": "2026-04-06T16:47:09Z",
"published": "2026-04-01T21:26:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34515"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows"
}
GHSA-PJ9F-9JR9-4WM7
Vulnerability from github – Published: 2024-10-23 18:33 – Updated: 2024-10-23 18:33A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. The attacker would need valid user credentials to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-20379"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-23T18:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system.\n\n This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. The attacker would need valid user credentials to exploit this vulnerability.",
"id": "GHSA-pj9f-9jr9-4wm7",
"modified": "2024-10-23T18:33:09Z",
"published": "2024-10-23T18:33:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20379"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-file-read-5q4mQRn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMWQ-WF2P-4CJV
Vulnerability from github – Published: 2026-01-16 03:30 – Updated: 2026-01-16 03:30Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory.
{
"affected": [],
"aliases": [
"CVE-2026-1020"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T03:16:18Z",
"severity": "MODERATE"
},
"details": "Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory.",
"id": "GHSA-pmwq-wf2p-4cjv",
"modified": "2026-01-16T03:30:22Z",
"published": "2026-01-16T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1020"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PV73-6JM3-25WX
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2025-14848"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T21:15:52Z",
"severity": "MODERATE"
},
"details": "Advantech WebAccess/SCADA\nis vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files.",
"id": "GHSA-pv73-6jm3-25wx",
"modified": "2025-12-18T21:31:44Z",
"published": "2025-12-18T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14848"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json"
},
{
"type": "WEB",
"url": "https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-597: Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.