Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-654W-WX9H-5MGG

Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-20 21:30
VLAI
Details

A Path Traversal vulnerability has been identified in the Email Security appliance allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and may access files and directories outside the intended restricted path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-20T15:17:28Z",
    "severity": "MODERATE"
  },
  "details": "A Path Traversal vulnerability has been identified in the Email Security appliance allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and may access files and directories outside the intended restricted path.",
  "id": "GHSA-654w-wx9h-5mgg",
  "modified": "2025-11-20T21:30:32Z",
  "published": "2025-11-20T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40605"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6578-P64M-WJXR

Vulnerability from github – Published: 2025-06-27 18:30 – Updated: 2025-06-27 18:30
VLAI
Details

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-27T17:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.",
  "id": "GHSA-6578-p64m-wjxr",
  "modified": "2025-06-27T18:30:43Z",
  "published": "2025-06-27T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52207"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mikopbx/Core/commit/3ee785429d3f1b33c9ab387ef4221127c9b8c5f3"
    },
    {
      "type": "WEB",
      "url": "https://www.mikopbx.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66J6-P8C8-V9H3

Vulnerability from github – Published: 2022-12-29 21:30 – Updated: 2023-01-06 00:30
VLAI
Details

In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-29T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).",
  "id": "GHSA-66j6-p8c8-v9h3",
  "modified": "2023-01-06T00:30:18Z",
  "published": "2022-12-29T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38205"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66Q9-F7FF-MMX6

Vulnerability from github – Published: 2020-03-25 17:35 – Updated: 2021-01-14 17:48
VLAI
Summary
Local file inclusion vulnerability in http4s
Details

Impact

This vulnerability applies to all users of: * org.http4s.server.staticcontent.FileService * org.http4s.server.staticcontent.ResourceService * org.http4s.server.staticcontent.WebjarService

Path escaping

URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. Specifically:

  • FileService may expose any file on the local file system.
  • ResourceService may expose any resource on the class path.

Prefix matching

When the service is configured with a non-empty pathPrefix that doesn't end in a slash, any directories whose names are a prefix of systemPath (from FileService) or pathPrefix (from ResourceService) are exposed. For example, if pathPrefix is /foo and systemPath is /bar, a request to /foobaz/quux.txt exposes file /barbaz/quux.txt, when only files beneath /bar should be available.

URI decoding

URI segments are not decoded before resource resolution. This causes resources with reserved characters in their name to incorrectly return a 404. It also may incorrectly expose the rare resource whose name is URI encoded. This applies to FileService, ResourceService, and WebjarService.

Patches

In all three services, paths with an empty segment, a . segment, or a .. segment are now rejected with a 400 Bad Request response. This fixes exposure outside the configured root. Many clients already eliminate dot segments according to the rules in RFC3986, Section 5.2.4. A middleware that does so at the server level may be considered if there is demand.

If pathInfo is non-empty, and does not begin with /, then a 404 response is generated. This fixes the prefix matching exposure.

All path segments are URI decoded before being passed to the file system or resource path. This allows resolution of resources with reserved characters in the name, and prevents incorrect exposure of resources whose names are themselves URI encoded.

Workarounds

The recommended course is to upgrade: * v0.18.26, binary compatible with the 0.18.x series * v0.20.20, binary compatible with the 0.20.x series * v0.21.2, binary compatible with the 0.21.x series

Note that 0.19.0 is a deprecated release and has never been supported.

If an upgrade is impossible:

  • Temporarily copy FileService.scala, ResourceService.scala, and WebjarService.scala from the appropriate release series into your project and recompile with that, changing the package name and reference in your application.
  • Users of a servlet backend can use the servlet container's file serving capabilities.

Credits

Thank you to Thomas Gøytil for the discovery, responsible disclosure, and assistance testing of this vulnerability.

For more information

If you have any questions or comments about this advisory: * Open an issue in http4s/http4s * Email a maintainer: * Ross A. Baker

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-server_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-server_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.19.0"
            },
            {
              "fixed": "0.20.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-server_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.21.0"
            },
            {
              "fixed": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-25T17:34:45Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThis vulnerability applies to all users of:\n* `org.http4s.server.staticcontent.FileService`\n* `org.http4s.server.staticcontent.ResourceService`\n* `org.http4s.server.staticcontent.WebjarService`\n\n#### Path escaping\n\nURI normalization is applied incorrectly.  Requests whose path info contain `../` or `//` can expose resources outside of the configured location.  Specifically:\n\n* `FileService` may expose any file on the local file system.\n* `ResourceService` may expose any resource on the class path.\n\n#### Prefix matching\n\nWhen the service is configured with a non-empty `pathPrefix` that doesn\u0027t end in a slash, any directories whose names are a prefix of `systemPath` (from `FileService`) or `pathPrefix` (from `ResourceService`) are exposed.  For example, if `pathPrefix` is `/foo` and `systemPath` is `/bar`, a request to `/foobaz/quux.txt` exposes file `/barbaz/quux.txt`, when only files beneath `/bar` should be available.\n\n#### URI decoding\n\nURI segments are not decoded before resource resolution.  This causes resources with reserved characters in their name to incorrectly return a 404.  It also may incorrectly expose the rare resource whose name is URI encoded.  This applies to `FileService`, `ResourceService`, and `WebjarService`.\n\n### Patches\n\nIn all three services, paths with an empty segment, a `.` segment, or a `..` segment are now rejected with a `400 Bad Request` response.  This fixes exposure outside the configured root.  Many clients already eliminate dot segments according to the rules in [RFC3986, Section 5.2.4](https://tools.ietf.org/html/rfc3986#section-5.2.4).  A middleware that does so at the server level may be considered if there is demand.\n\nIf `pathInfo` is non-empty, and does not begin with `/`, then a 404 response is generated.  This fixes the prefix matching exposure.\n\nAll path segments are URI decoded before being passed to the file system or resource path.  This allows resolution of resources with reserved characters in the name, and prevents incorrect exposure of resources whose names are themselves URI encoded.\n\n### Workarounds\n\nThe recommended course is to upgrade:\n* v0.18.26, binary compatible with the 0.18.x series\n* v0.20.20, binary compatible with the 0.20.x series\n* v0.21.2, binary compatible with the 0.21.x series\n\nNote that 0.19.0 is a deprecated release and has never been supported.\n\nIf an upgrade is impossible:\n\n* Temporarily copy `FileService.scala`, `ResourceService.scala`, and `WebjarService.scala` from the appropriate release series into your project and recompile with that, changing the package name and reference in your application.\n* Users of a servlet backend can use the servlet container\u0027s file serving capabilities.\n\n### Credits\n\nThank you to Thomas G\u00f8ytil for the discovery, responsible disclosure, and assistance testing of this vulnerability.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s/http4s](http://github.com/http4s/http4s)\n* Email a maintainer:\n  * [Ross A. Baker](mailto:ross@rossabaker.com)",
  "id": "GHSA-66q9-f7ff-mmx6",
  "modified": "2021-01-14T17:48:17Z",
  "published": "2020-03-25T17:35:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local file inclusion vulnerability in http4s"
}

GHSA-6746-2X3C-CW74

Vulnerability from github – Published: 2023-02-26 15:30 – Updated: 2023-03-03 06:30
VLAI
Details

A vulnerability was found in MuYuCMS 2.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /editor/index.php. The manipulation of the argument file_path leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221803.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-26T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in MuYuCMS 2.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /editor/index.php. The manipulation of the argument file_path leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221803.",
  "id": "GHSA-6746-2x3c-cw74",
  "modified": "2023-03-03T06:30:17Z",
  "published": "2023-02-26T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MuYuCMS/MuYuCMS/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.221803"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.221803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-67QG-7284-2277

Vulnerability from github – Published: 2026-05-05 20:05 – Updated: 2026-05-13 16:31
VLAI
Summary
django-s3file is vulnerable to relative path traversal
Details

Impact

S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES

Depending on how files are handled, this may lead to confidentiality and integrity issues.

Patches

Django-S3File urges all users to update to a patched version >=7.0.2.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "django-s3file"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23",
      "CWE-26"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:05:49Z",
    "nvd_published_at": "2026-05-12T22:16:34Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n`S3FileMiddleware` is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into `request.FILES`\n\nDepending on how files are handled, this may lead to confidentiality and integrity issues.\n\n### Patches\nDjango-S3File urges all users to update to a patched version \u003e=7.0.2.",
  "id": "GHSA-67qg-7284-2277",
  "modified": "2026-05-13T16:31:46Z",
  "published": "2026-05-05T20:05:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codingjoe/django-s3file/security/advisories/GHSA-67qg-7284-2277"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42196"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codingjoe/django-s3file"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "django-s3file is vulnerable to relative path traversal"
}

GHSA-68M5-5W2H-H837

Vulnerability from github – Published: 2026-02-10 00:29 – Updated: 2026-02-10 14:18
VLAI
Summary
FUXA Affected by a Path Traversal Sanitization Bypass
Details

Summary

A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release .

Details

This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:

Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences. Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs. Escalation to RCE: By targeting the upload and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports.

Impact

Remote Code Execution (RCE): Transition from application admin to full system control. SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms. Data Integrity & Availability: Full access to projects, credentials, and historical logs.

Patches

This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.10"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:29:00Z",
    "nvd_published_at": "2026-02-09T23:16:06Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release .\n\n\n### Details\nThis report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:\n\nPatch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current \"single-pass\" regex approach is insufficient against nested sequences.\nExpansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs.\nEscalation to RCE: By targeting the \nupload\n and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports.\n\n\n### Impact\nRemote Code Execution (RCE): Transition from application admin to full system control.\nSCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms.\nData Integrity \u0026 Availability: Full access to projects, credentials, and historical logs.\n\n### Patches\n\nThis issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.",
  "id": "GHSA-68m5-5w2h-h837",
  "modified": "2026-02-10T14:18:49Z",
  "published": "2026-02-10T00:29:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25951"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/pull/2177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/commit/3ecce46333ed33e3f66f378e38e317cde702b0ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/commit/f7a9f04b2ab97ab5421e4ec4e711c51e9f4b65c8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FUXA Affected by a Path Traversal Sanitization Bypass"
}

GHSA-694Q-5223-W869

Vulnerability from github – Published: 2024-05-15 21:31 – Updated: 2024-05-15 21:31
VLAI
Details

A specially crafted Zip file containing path traversal characters can be imported to the CyberPower PowerPanel

server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-15T20:15:12Z",
    "severity": "HIGH"
  },
  "details": "A specially crafted Zip file containing path traversal characters can be\n imported to the \nCyberPower PowerPanel \n\nserver, which allows file writing to the server outside\n the intended scope, and could allow an attacker to achieve remote code \nexecution.",
  "id": "GHSA-694q-5223-w869",
  "modified": "2024-05-15T21:31:25Z",
  "published": "2024-05-15T21:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33615"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F7V-4C46-HRP4

Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31
VLAI
Details

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T15:16:48Z",
    "severity": "CRITICAL"
  },
  "details": "In JetBrains IntelliJ IDEA before 2026.1.4, \n2026.2 code execution via path traversal in project workspace ID handling was possible",
  "id": "GHSA-6f7v-4c46-hrp4",
  "modified": "2026-07-10T15:31:41Z",
  "published": "2026-07-10T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59792"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6H64-G7CJ-HJ56

Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-11 19:44
VLAI
Summary
Lord of Large Language Models (LoLLMs) path traversal vulnerability in the api open_personality_folder endpoint
Details

A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lollms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-11T19:44:03Z",
    "nvd_published_at": "2024-10-11T16:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms. This vulnerability allows an attacker to read any folder in the personality_folder on the victim\u0027s computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.",
  "id": "GHSA-6h64-g7cj-hj56",
  "modified": "2024-10-11T19:44:03Z",
  "published": "2024-10-11T18:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6985"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ParisNeo/lollms"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Lord of Large Language Models (LoLLMs)  path traversal vulnerability in the api open_personality_folder endpoint"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.