CWE-24 (Path Traversal: '../filedir') documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-49103 | 2026-05-27 | Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi. |
| CVE-2026-22810 | 2026-05-18 | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows ov… |
| CVE-2026-33431 | 2026-04-20 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is dire… |
| CVE-2026-40318 | 2026-04-16 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id par… |
| CVE-2026-41082 | 2026-04-16 | In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. |
| CVE-2026-39813 | 2026-04-14 | A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via <insert attack vector here… |
| CVE-2024-43035 | 2026-03-05 | Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE:… |
| CVE-2026-28538 | 2026-03-05 | Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability. |
| CVE-2026-28427 | 2026-03-04 | OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By… |
| CVE-2026-21857 | 2026-01-07 | REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon… |
| CVE-2025-67364 | 2026-01-07 | fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fa… |
| CVE-2026-21436 | 2026-01-01 | eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from… |
| CVE-2025-68430 | 2025-12-19 | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the content… |
| CVE-2025-67845 | 2025-12-19 | A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containin… |
| CVE-2025-61318 | 2025-12-08 | Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path verification… |
| CVE-2025-51661 | 2025-11-19 | A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in … |
| CVE-2025-13199 | 2025-11-15 | A vulnerability was found in code-projects Email Logging Interface 2.0. Affected is an unknown function of the file signup.cpp. The manipulation of the argument Username results in path traversal: '..… |
| CVE-2025-63298 | 2025-10-30 | A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileg… |
| CVE-2023-53691 | 2025-10-22 | Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2023-06-25 allows file upload via /center/api/files directory traversal, as exploited in the wild in 2024 and 2025. |
| CVE-2025-60344 | 2025-10-21 | A path traversal (directory traversal) vulnerability in D-Link DSR series routers allows unauthenticated remote attackers to manipulate input parameters used for file or directory path resolution (e.g… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Taxonomy_Mappings |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Potential_Mitigations |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Description, Potential_Mitigations |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Affected_Resources, Functional_Areas |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Detection_Factors, Weakness_Ordinalities |