MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-56196 | Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network. | 8.8 | N/A | 2026-07-14 | 2026-07-14 |
| CVE-2026-50454 | Relative path traversal in Windows User Interface Core allows an authorized attacker to elevate privileges locally. | 7.8 | N/A | 2026-07-14 | 2026-07-14 |
| CVE-2026-50426 | Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network. | 6.8 | N/A | 2026-07-14 | 2026-07-14 |
| CVE-2026-50663 | Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network. | 8.8 | N/A | 2026-07-14 | 2026-07-14 |
| CVE-2026-40400 | Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network. | 8.0 | N/A | 2026-07-14 | 2026-07-14 |
| CVE-2026-14903 | Path traversal in Ivanti Xtraction before version 2026.2.1 allows a remote authenticated attacker to read arbitrary files outside the web root. | 7.7 | N/A | 2026-07-14 | 2026-07-14 |
| CVE-2026-55474 | Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an authenticated attacker to traverse outside the intended directory and read arbitrary files accessible to the web server process. This issue is fixed in version 8.5.0. | 7.1 | 0.33% | 2026-07-10 | 2026-07-10 |
| CVE-2026-59792 | In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible | 9.6 | 0.42% | 2026-07-10 | 2026-07-14 |
| CVE-2026-50181 | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, Langroid's `ReadFileTool` and `WriteFileTool` appear to treat `curr_dir` as the intended working-directory boundary for file operations. However, the tools only change the process working directory to `curr_dir` and then operate on the user-supplied `file_path` without resolving and enforcing that the final path remains inside `curr_dir`. As a result, a tool caller can supply path traversal s | 7.1 | 0.18% | 2026-07-09 | 2026-07-13 |
| CVE-2026-59832 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/*filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticated request such as /snippets/%2e%2e/%2e%2e/conf/conf.json to read workspace secrets and the document database. This issue is fixed in versions 3.7.1. | 7.7 | 0.32% | 2026-07-09 | 2026-07-10 |
| CVE-2026-59149 | Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, | 6.5 | 0.33% | 2026-07-09 | 2026-07-10 |
| CVE-2026-61343 | LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0. | 8.6 | 0.84% | 2026-07-09 | 2026-07-09 |
| CVE-2026-8650 | Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3. | 4.5 | 0.36% | 2026-07-08 | 2026-07-09 |
| CVE-2026-59996 | scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations. | 4.2 | 0.20% | 2026-07-07 | 2026-07-09 |
| CVE-2026-59995 | sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server. | 4.2 | 0.20% | 2026-07-07 | 2026-07-09 |
| CVE-2026-14476 | A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass. | 8.0 | 0.50% | 2026-07-07 | 2026-07-07 |
| CVE-2026-57871 | Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files. This issue affects MicroRealEstate: through 1.0.0-alpha3. | 7.1 | 0.36% | 2026-07-07 | 2026-07-07 |
| CVE-2025-53829 | ownCloud is a file storage, synchronization, and sharing application. In ownCloud 10 prior to version 10.15.3, an attacker with administrative privileges can exploit a path traversal vulnerability in the system to execute arbitrary code. Upgrade ownCloud 10 to version 10.15.3 or later to receive a patch. | 8.0 | 0.34% | 2026-07-06 | 2026-07-08 |
| CVE-2026-58522 | Relative path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally. | 6.8 | 0.29% | 2026-07-03 | 2026-07-07 |
| CVE-2026-57988 | Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | 7.1 | 0.54% | 2026-07-03 | 2026-07-07 |