CWE-23 · Relative Path Traversal
428 CVEs classified under CWE-23 (Relative Path Traversal). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-52813 | Critical | 10.0 | 2026-06-24 | Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and reposit… |
| CVE-2026-33494 | Critical | 10.0 | 2026-03-26 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior… |
| CVE-2023-3941 | Critical | 10.0 | 2024-05-21 | Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affec… |
| CVE-2024-24578 | Critical | 10.0 | 2024-03-18 | RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a u… |
| CVE-2012-6069 | Critical | 10.0 | 2013-01-21 | The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside… |
| CVE-2025-62878 | Critical | 9.9 | 2026-02-25 | A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensiti… |
| CVE-2025-52207 | Critical | 9.9 | 2025-06-27 | PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory. |
| CVE-2023-40714 | Critical | 9.9 | 2025-04-02 | A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege vi… |
| CVE-2024-3025 | Critical | 9.9 | 2024-04-10 | mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. At… |
| CVE-2023-6825 | Critical | 9.9 | 2024-03-13 | The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version)… |
| CVE-2023-37913 | Critical | 9.9 | 2023-10-25 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versi… |
| CVE-2023-3701 | Critical | 9.9 | 2023-10-04 | Aqua Drive, in its 2.4 version, is vulnerable to a relative path traversal vulnerability. By exploiting this vulnerability, an authenticated non privileged use… |
| CVE-2026-21659 | Critical | 9.8 | 2026-02-27 | Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD … |
| CVE-2024-47856 | Critical | 9.8 | 2025-11-24 | In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not… |
| CVE-2025-64446 | Critical | 9.8 | 2025-11-14 | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 th… |
| CVE-2025-3365 | Critical | 9.8 | 2025-06-06 | A missing protection against path traversal allows to access any file on the server. |
| CVE-2025-23410 | Critical | 9.8 | 2025-03-05 | When uploading organism or sequence data via the web interface, GMOD Apollo will unzip and inspect the files and will not check for path traversal in supp… |
| CVE-2023-34990 | Critical | 9.8 | 2024-12-18 | A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via… |
| CVE-2024-11315 | Critical | 9.8 | 2024-11-18 | The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to uploa… |
| CVE-2024-11314 | Critical | 9.8 | 2024-11-18 | The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to uploa… |