CWE-22 · Path Traversal
9261 CVEs classified under CWE-22 (Path Traversal). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-48282 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability… |
| CVE-2026-54917 | Critical | 10.0 | 2026-06-25 | SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST cat… |
| CVE-2026-48020 | Critical | 10.0 | 2026-06-23 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middle… |
| CVE-2026-48055 | Critical | 10.0 | 2026-06-17 | Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability… |
| CVE-2026-34909 | Critical | 10.0 | 2026-05-22 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system th… |
| CVE-2026-7411 | Critical | 10.0 | 2026-05-05 | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote… |
| CVE-2026-36767 | Critical | 10.0 | 2026-04-30 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafte… |
| CVE-2026-41211 | Critical | 10.0 | 2026-04-23 | Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and… |
| CVE-2026-39861 | Critical | 10.0 | 2026-04-21 | Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to lo… |
| CVE-2025-15036 | Critical | 10.0 | 2026-03-30 | A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow… |
| CVE-2026-33054 | Critical | 10.0 | 2026-03-20 | Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows a… |
| CVE-2026-22557 | Critical | 10.0 | 2026-03-19 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underly… |
| CVE-2026-27897 | Critical | 10.0 | 2026-03-11 | Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the e… |
| CVE-2025-69770 | Critical | 10.0 | 2026-02-13 | A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a c… |
| CVE-2025-64075 | Critical | 10.0 | 2026-02-11 | A path traversal vulnerability in the check_token function of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to bypass authenticati… |
| CVE-2026-24897 | Critical | 10.0 | 2026-01-28 | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any sp… |
| CVE-2025-63414 | Critical | 10.0 | 2025-12-16 | A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By… |
| CVE-2025-58321 | Critical | 10.0 | 2025-09-11 | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability. |
| CVE-2025-54261 | Critical | 10.0 | 2025-09-09 | ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vuln… |
| CVE-2025-52562 | Critical | 10.0 | 2025-06-23 | Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the Loca… |