CWE-22 · Path Traversal

9261 CVEs classified under CWE-22 (Path Traversal). Browse by severity and year.

Top CVEs for CWE-22
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-48282 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability… |
| CVE-2026-54917 | Critical | 10.0 | 2026-06-25 | SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST cat… |
| CVE-2026-48020 | Critical | 10.0 | 2026-06-23 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middle… |
| CVE-2026-48055 | Critical | 10.0 | 2026-06-17 | Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability… |
| CVE-2026-34909 | Critical | 10.0 | 2026-05-22 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system th… |
| CVE-2026-7411 | Critical | 10.0 | 2026-05-05 | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote… |
| CVE-2026-36767 | Critical | 10.0 | 2026-04-30 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafte… |
| CVE-2026-41211 | Critical | 10.0 | 2026-04-23 | Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and… |
| CVE-2026-39861 | Critical | 10.0 | 2026-04-21 | Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to lo… |
| CVE-2025-15036 | Critical | 10.0 | 2026-03-30 | A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow… |
| CVE-2026-33054 | Critical | 10.0 | 2026-03-20 | Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows a… |
| CVE-2026-22557 | Critical | 10.0 | 2026-03-19 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underly… |
| CVE-2026-27897 | Critical | 10.0 | 2026-03-11 | Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the e… |
| CVE-2025-69770 | Critical | 10.0 | 2026-02-13 | A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a c… |
| CVE-2025-64075 | Critical | 10.0 | 2026-02-11 | A path traversal vulnerability in the check_token function of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to bypass authenticati… |
| CVE-2026-24897 | Critical | 10.0 | 2026-01-28 | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any sp… |
| CVE-2025-63414 | Critical | 10.0 | 2025-12-16 | A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By… |
| CVE-2025-58321 | Critical | 10.0 | 2025-09-11 | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability. |
| CVE-2025-54261 | Critical | 10.0 | 2025-09-09 | ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vuln… |
| CVE-2025-52562 | Critical | 10.0 | 2025-06-23 | Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the Loca… |