Common Weakness Enumeration

CWE-24

Allowed

Path Traversal: '../filedir'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

187 vulnerabilities reference this CWE, most recent first.

GHSA-W9QQ-JMGQ-WFV5

Vulnerability from github – Published: 2025-07-29 00:30 – Updated: 2025-11-03 21:34
VLAI
Details

An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T00:15:24Z",
    "severity": "HIGH"
  },
  "details": "An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing.  This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.",
  "id": "GHSA-w9qq-jmgq-wfv5",
  "modified": "2025-11-03T21:34:11Z",
  "published": "2025-07-29T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54769"
    },
    {
      "type": "WEB",
      "url": "https://korelogic.com/Resources/Advisories/KL-001-2025-016.txt"
    },
    {
      "type": "WEB",
      "url": "https://lpar2rrd.com/note800.php"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ5X-HGVH-F6JV

Vulnerability from github – Published: 2023-12-17 15:30 – Updated: 2023-12-17 15:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-17T14:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in rmountjoy92 DashMachine 0.5-4. Affected by this issue is some unknown functionality of the file /settings/delete_file. The manipulation of the argument file leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. VDB-248258 is the identifier assigned to this vulnerability.",
  "id": "GHSA-wq5x-hgvh-f6jv",
  "modified": "2023-12-17T15:30:19Z",
  "published": "2023-12-17T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6900"
    },
    {
      "type": "WEB",
      "url": "https://treasure-blarney-085.notion.site/DashMachine-Arbitrary-File-Deletion-ab44f2fe68e843c393ae9e0c1d487676"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.248258"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.248258"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXJ3-5CJF-39GH

Vulnerability from github – Published: 2024-04-03 00:30 – Updated: 2024-04-03 00:30
VLAI
Details

A vulnerability classified as critical has been found in Shibang Communications IP Network Intercom Broadcasting System 1.0. This affects an unknown part of the file /php/busyscreenshotpush.php. The manipulation of the argument jsondata[callee]/jsondata[imagename] leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259065 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T00:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical has been found in Shibang Communications IP Network Intercom Broadcasting System 1.0. This affects an unknown part of the file /php/busyscreenshotpush.php. The manipulation of the argument jsondata[callee]/jsondata[imagename] leads to path traversal: \u0027../filedir\u0027. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259065 was assigned to this vulnerability.",
  "id": "GHSA-wxj3-5cjf-39gh",
  "modified": "2024-04-03T00:30:56Z",
  "published": "2024-04-03T00:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3218"
    },
    {
      "type": "WEB",
      "url": "https://github.com/garboa/cve_3/blob/main/file_put_content.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.259065"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.259065"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.308510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3WR-P869-7P3G

Vulnerability from github – Published: 2025-05-07 18:30 – Updated: 2025-05-07 18:30
VLAI
Details

Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T18:15:43Z",
    "severity": "MODERATE"
  },
  "details": "Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server\u0027s private SSL key in cleartext.",
  "id": "GHSA-x3wr-p869-7p3g",
  "modified": "2025-05-07T18:30:50Z",
  "published": "2025-05-07T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47423"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haluka92/CVE-2025-47423"
    },
    {
      "type": "WEB",
      "url": "https://pwsdashboard.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X4XJ-9MHP-W8JM

Vulnerability from github – Published: 2026-03-05 09:30 – Updated: 2026-03-06 00:31
VLAI
Details

Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T08:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Path traversal vulnerability in the certificate management module.\u00a0Impact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-x4xj-9mhp-w8jm",
  "modified": "2026-03-06T00:31:30Z",
  "published": "2026-03-05T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28538"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2026/3"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPX4-57H5-9V98

Vulnerability from github – Published: 2025-11-19 21:31 – Updated: 2025-11-20 21:30
VLAI
Details

A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-19T20:15:52Z",
    "severity": "HIGH"
  },
  "details": "A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.",
  "id": "GHSA-xpx4-57h5-9v98",
  "modified": "2025-11-20T21:30:31Z",
  "published": "2025-11-19T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vastsa/FileCodeBox/issues/349"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vastsa/FileCodeBox"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQ3X-GRRJ-FJ6X

Vulnerability from github – Published: 2023-04-02 12:30 – Updated: 2024-05-20 21:50
VLAI
Summary
sjqzhang go-fastdfs vulnerable to path traversal
Details

sjqzhang go-fastdfs up to 1.4.3 is vulnerable to path traversal in the function upload of the file /group1/upload of the component File Upload Handler. The attack may be launched remotely and the exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sjqzhang/go-fastdfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.5-0.20230408141131-61cbff5124c6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24",
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-07T22:24:59Z",
    "nvd_published_at": "2023-04-02T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "sjqzhang go-fastdfs up to 1.4.3 is vulnerable to path traversal in the function upload of the file `/group1/upload` of the component `File Upload Handler`. The attack may be launched remotely and the exploit has been disclosed to the public and may be used.",
  "id": "GHSA-xq3x-grrj-fj6x",
  "modified": "2024-05-20T21:50:28Z",
  "published": "2023-04-02T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1800"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sjqzhang/go-fastdfs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yangyanglo/ForCVE/blob/93a16663cd32a36d37d8a0f0102e1592254d0279/2023-0x05.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yangyanglo/ForCVE/blob/main/2023-0x05.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.224768"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.224768"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sjqzhang go-fastdfs vulnerable to path traversal"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.