CWE-24
AllowedPath Traversal: '../filedir'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
187 vulnerabilities reference this CWE, most recent first.
GHSA-CVJ3-F4X8-HW28
Vulnerability from github – Published: 2024-01-11 18:31 – Updated: 2024-01-11 18:31A vulnerability, which was classified as critical, has been found in DeShang DSMall up to 5.0.3. Affected by this issue is some unknown functionality of the file application/home/controller/MemberAuth.php. The manipulation of the argument file_name leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250436.
{
"affected": [],
"aliases": [
"CVE-2024-0416"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T18:15:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in DeShang DSMall up to 5.0.3. Affected by this issue is some unknown functionality of the file application/home/controller/MemberAuth.php. The manipulation of the argument file_name leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250436.",
"id": "GHSA-cvj3-f4x8-hw28",
"modified": "2024-01-11T18:31:29Z",
"published": "2024-01-11T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0416"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/DxR7FZsCKJQ1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.250436"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.250436"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F5GV-M2H2-FPC6
Vulnerability from github – Published: 2024-03-17 15:30 – Updated: 2024-03-17 15:30A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: '../filedir'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257063.
{
"affected": [],
"aliases": [
"CVE-2024-2564"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-17T14:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: \u0027../filedir\u0027. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257063.",
"id": "GHSA-f5gv-m2h2-fpc6",
"modified": "2024-03-17T15:30:30Z",
"published": "2024-03-17T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2564"
},
{
"type": "WEB",
"url": "https://github.com/PandaXGO/PandaX/issues/6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.257063"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.257063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F93M-9MQ4-2FJJ
Vulnerability from github – Published: 2025-07-11 18:30 – Updated: 2025-11-02 03:30GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).
{
"affected": [],
"aliases": [
"CVE-2025-45582"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T17:15:37Z",
"severity": "MODERATE"
},
"details": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file\u0027s name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains \u0027..\u0027\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -\u003e ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).",
"id": "GHSA-f93m-9mq4-2fjj",
"modified": "2025-11-02T03:30:13Z",
"published": "2025-07-11T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45582"
},
{
"type": "WEB",
"url": "https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html"
},
{
"type": "WEB",
"url": "https://www.gnu.org/software/tar"
},
{
"type": "WEB",
"url": "https://www.gnu.org/software/tar/manual/html_node/Integrity.html"
},
{
"type": "WEB",
"url": "https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/11/01/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FGMH-2JHG-VQ8C
Vulnerability from github – Published: 2024-04-03 03:30 – Updated: 2024-04-03 03:30A vulnerability was found in Panwei eoffice OA up to 9.5. It has been declared as critical. This vulnerability affects unknown code of the file /general/system/interface/theme_set/save_image.php of the component Backend. The manipulation of the argument image_type leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259072.
{
"affected": [],
"aliases": [
"CVE-2024-3227"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T03:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Panwei eoffice OA up to 9.5. It has been declared as critical. This vulnerability affects unknown code of the file /general/system/interface/theme_set/save_image.php of the component Backend. The manipulation of the argument image_type leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259072.",
"id": "GHSA-fgmh-2jhg-vq8c",
"modified": "2024-04-03T03:30:30Z",
"published": "2024-04-03T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3227"
},
{
"type": "WEB",
"url": "https://github.com/garboa/cve_3/blob/main/upload.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.259072"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.259072"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.308750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FQV6-CRJX-GM34
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-04-04 15:30A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-4790"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:44:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: \u0027../filedir\u0027. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fqv6-crjx-gm34",
"modified": "2025-04-04T15:30:53Z",
"published": "2024-05-14T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4790"
},
{
"type": "WEB",
"url": "https://github.com/gatsby2003/DedeCms/blob/main/Directory_traversal_arbitrary_file_read.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.263889"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.263889"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.329483"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FV2P-QJ5P-WQQ4
Vulnerability from github – Published: 2025-07-03 14:18 – Updated: 2025-07-03 14:18Summary
Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
Details
The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is fileUploadHandler which is shown below:
https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359
Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:
PoC
- The files should be uploaded to
/kuiper/data/uploadsdirectory. So let's move to the/kuiper/data, examine the existing files and create an emptytraversal-pocfile owned by kuiper:
- Now, we can go to Services > Configuration > File Management and try to upload file with name
../test:
In the response we can see the path of the uploaded file and can assume that the traversal worked.
- Now we can try to change the
traversal-pocfile that we know exists on the server. It can be made with the following request:
- Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:
Impact
- Possibility to upload files to external directories;
- Possibility to rewrite any file owned by kuiper user on the filesystem.
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.14.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-03T14:18:04Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nPath traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.\n\n### Details\nThe file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and **replace** the files owned by _kuiper_ user on the filesystem. The vulnerable function is `fileUploadHandler` which is shown below:\n\nhttps://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359\n\nExploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by _kuiper_ user:\n\n\n\n\n### PoC\n0. The files should be uploaded to `/kuiper/data/uploads` directory. So let\u0027s move to the `/kuiper/data`, examine the existing files and create an empty `traversal-poc` file owned by _kuiper_:\n\n\n\n1. Now, we can go to _Services \u003e Configuration \u003e File Management_ and try to upload file with name `../test`:\n\n\n\n\n\nIn the response we can see the path of the uploaded file and can assume that the traversal worked.\n\n2. Now we can try to change the `traversal-poc` file that we know exists on the server. It can be made with the following request:\n\n\n\n3. Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:\n\n\n\n### Impact\n- Possibility to upload files to external directories;\n- Possibility to rewrite any file owned by _kuiper_ user on the filesystem.\n\nReported by Alexey Kosmachev, Lead Pentester from Bi.Zone",
"id": "GHSA-fv2p-qj5p-wqq4",
"modified": "2025-07-03T14:18:04Z",
"published": "2025-07-03T14:18:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-fv2p-qj5p-wqq4"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/ekuiper"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement"
}
GHSA-G2H5-CVVR-7GMW
Vulnerability from github – Published: 2025-09-17 19:03 – Updated: 2026-01-14 15:51Summary
A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).
Severity: Medium
Component / Endpoint:
POST /transform — handling of X-Zone-Id header
The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.
Proof of Concept (POC)
Request (attacker-supplied X-Zone-Id contains path traversal):
POST /transform HTTP/1.1
Host: localhost:8888
User-Agent: Den/8.7.1
Accept: */*
Connection: keep-alive
Referer: http://localhost:9999/
Content-Type: application/json
X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/
Content-Length: 325
{
"filename": "example2.js",
"lang": "js",
"code": "console.log('hello');",
"importMap": {
"imports": {
"react": "https://esm.sh/react",
"react-dom": "https://esm.sh/react-dom"
}
},
"jsxImportSource": "react",
"target": "es2022",
"sourceMap": "external",
"minify": true
}
Observed result: file written to ~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js instead of the intended ~/.esmd/storage/modules/transform/.
This can be trigger with another path traversal request below
GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1
Host: localhost:8888
User-Agent: localhost
Accept: */*
Connection: keep-alive
X-Zone-Id: ../
Referer: http://localhost:9999/
Remediation
Simply remove any .. in the X-Zone-Id header before actually process the file.
Credits
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 136"
},
"package": {
"ecosystem": "Go",
"name": "github.com/esm-dev/esm.sh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "136.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59342"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T19:03:05Z",
"nvd_published_at": "2025-09-17T18:15:53Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories (example observed: `~/.esmd/modules/transform/\u003cid\u003e/` instead of `~/.esmd/storage/modules/transform`).\n\n**Severity:** Medium\n\n**Component / Endpoint:** \n\n`POST /transform` \u2014 handling of `X-Zone-Id` header\n\nThe vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411 \n\n**Impact:** Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.\n\n---\n\n## Proof of Concept (POC)\n\nRequest (attacker-supplied `X-Zone-Id` contains path traversal):\n\n```\nPOST /transform HTTP/1.1\nHost: localhost:8888\nUser-Agent: Den/8.7.1\nAccept: */*\nConnection: keep-alive\nReferer: http://localhost:9999/\nContent-Type: application/json\nX-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/\nContent-Length: 325\n\n{\n \"filename\": \"example2.js\",\n \"lang\": \"js\",\n \"code\": \"console.log(\u0027hello\u0027);\",\n \"importMap\": {\n \"imports\": {\n \"react\": \"https://esm.sh/react\",\n \"react-dom\": \"https://esm.sh/react-dom\"\n }\n },\n \"jsxImportSource\": \"react\",\n \"target\": \"es2022\",\n \"sourceMap\": \"external\",\n \"minify\": true\n}\n```\n\u003cimg width=\"2496\" height=\"1214\" alt=\"Screenshot 2025-09-16 at 21 40 57\" src=\"https://github.com/user-attachments/assets/f878c3f0-5d7d-410c-97ac-20116f5496db\" /\u003e\n\n\nObserved result: file written to `~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js` instead of the intended `~/.esmd/storage/modules/transform/`.\n\nThis can be trigger with another path traversal request below\n\n```\nGET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1\nHost: localhost:8888\nUser-Agent: localhost\nAccept: */*\nConnection: keep-alive\nX-Zone-Id: ../\nReferer: http://localhost:9999/\n\n```\n\u003cimg width=\"2516\" height=\"710\" alt=\"Screenshot 2025-09-16 at 21 37 07\" src=\"https://github.com/user-attachments/assets/1fcfbed3-c1d2-4093-82d8-4afda225c685\" /\u003e\n\n---\n\n## Remediation\n\nSimply remove any .. in the `X-Zone-Id` header before actually process the file.\n\n## Credits\n\n- [Ai Ho (Jessie)](https://github.com/j3ssie)\n- [CL Yang](https://github.com/A11riseforme)",
"id": "GHSA-g2h5-cvvr-7gmw",
"modified": "2026-01-14T15:51:07Z",
"published": "2025-09-17T19:03:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59342"
},
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
},
{
"type": "PACKAGE",
"url": "https://github.com/esm-dev/esm.sh"
},
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
},
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header"
}
GHSA-G5PM-7QX6-F2HG
Vulnerability from github – Published: 2025-12-19 03:31 – Updated: 2025-12-19 18:31A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.
{
"affected": [],
"aliases": [
"CVE-2025-67845"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-19T02:16:09Z",
"severity": "MODERATE"
},
"details": "A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.",
"id": "GHSA-g5pm-7qx6-f2hg",
"modified": "2025-12-19T18:31:17Z",
"published": "2025-12-19T03:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67845"
},
{
"type": "WEB",
"url": "https://heartbreak.ing"
},
{
"type": "WEB",
"url": "https://kibty.town/blog/mintlify"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=46317098"
},
{
"type": "WEB",
"url": "https://www.mintlify.com/blog/working-with-security-researchers-november-2025"
},
{
"type": "WEB",
"url": "https://www.mintlify.com/docs/changelog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G8M5-CCPX-MH32
Vulnerability from github – Published: 2023-12-28 21:30 – Updated: 2023-12-28 21:30A vulnerability was found in SourceCodester Medicine Tracking System 1.0. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument page leads to path traversal: '../filedir'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249137 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-7134"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-28T20:16:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in SourceCodester Medicine Tracking System 1.0. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument page leads to path traversal: \u0027../filedir\u0027. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249137 was assigned to this vulnerability.",
"id": "GHSA-g8m5-ccpx-mh32",
"modified": "2023-12-28T21:30:38Z",
"published": "2023-12-28T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7134"
},
{
"type": "WEB",
"url": "https://medium.com/@2839549219ljk/medicine-tracking-system-rce-vulnerability-1f009165b915"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.249137"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.249137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GCMJ-C9GG-9VH6
Vulnerability from github – Published: 2026-05-15 16:27 – Updated: 2026-05-19 16:08Summary
A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.
Details
The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file.
One affected location is embedded_file.rs, which generates a file name from a string previously parsed from the .one file,
https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16
Above, determine_filename passes through the provided file name.
Similar logic has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.
PoC
Screencast from 2025-11-20 13-50-21.webm
- Import poc_v2.zip.
- Open the application's profile directory, then open
log.txt. - Observe that
log.txthas been overwritten non-log-file content (a WAV file).
Tested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).
Note: The PoC ZIP file overwrites Joplin's log.txt. It is also possible to craft a file that overwrites more sensitive system files (e.g. .bashrc on Linux).
Impact
This is a path traversal vulnerability that impacts all versions of Joplin (<= v3.5.6) that include a OneNote importer. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.
Patched in
- Joplin: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
- one2html: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@joplin/onenote-converter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22810"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-15T16:27:11Z",
"nvd_published_at": "2026-05-18T21:16:39Z",
"severity": "HIGH"
},
"details": "### Summary\nA path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.\n\n### Details\nThe OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it\u0027s possible for an attacker to create a malicious `.one` file that includes file names containing `../../`, that are then interpreted as part of the target path when extracting attachments from the `.one` file.\n\nOne affected location is `embedded_file.rs`, which generates a file name from a string previously parsed from the `.one` file,\nhttps://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16\n\nAbove, [`determine_filename`](https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L56-L64) passes through the provided file name.\n\n[Similar logic](https://github.com/laurent22/joplin/blob/4d7fa5972fe2986eae14cbf3a2801835cbe1384e/packages/onenote-converter/src/page/embedded_file.rs#L14) has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.\n\n### PoC\n\n[Screencast from 2025-11-20 13-50-21.webm](https://github.com/user-attachments/assets/a9d6cc64-ec11-4f33-9f92-32efe0eaab23)\n\n\n1. Import [poc_v2.zip](https://github.com/user-attachments/files/23664109/poc_v2.zip).\n2. Open the application\u0027s profile directory, then open `log.txt`.\n3. Observe that `log.txt` has been overwritten non-log-file content (a WAV file).\n\nTested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).\n\n**Note**: The PoC ZIP file overwrites Joplin\u0027s `log.txt`. It is also possible to craft a file that overwrites more sensitive system files (e.g. `.bashrc` on Linux).\n\n### Impact\nThis is a path traversal vulnerability that impacts **all versions of Joplin (\u003c= v3.5.6) that include a OneNote importer**. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.\n\n### Patched in\n\n- **Joplin**: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c\n- **one2html**: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41",
"id": "GHSA-gcmj-c9gg-9vh6",
"modified": "2026-05-19T16:08:55Z",
"published": "2026-05-15T16:27:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-gcmj-c9gg-9vh6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22810"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/pull/13736"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c"
},
{
"type": "PACKAGE",
"url": "https://github.com/laurent22/joplin"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/releases/tag/v3.5.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.