CWE-41 (Improper Resolution of Path Equivalence) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |

These CVEs are mapped to this weakness in this database and kept for traceability and search.

| CVE | Published | Summary |
|---|---|---|
| CVE-2026-5816 | 2026-04-22 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript… |
| CVE-2026-34510 | 2026-04-01 | OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit th… |
| CVE-2026-34451 | 2026-03-31 | Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in th… |
| CVE-2026-23674 | 2026-03-10 | Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2025-58290 | 2025-10-11 | Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability. |
| CVE-2025-43298 | 2025-09-15 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to gain… |
| CVE-2025-54107 | 2025-09-09 | Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2024-8765 | 2025-03-20 | In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. Thi… |
| CVE-2024-6839 | 2025-03-20 | corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to… |
| CVE-2025-0115 | 2025-03-12 | A vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated admin on the PAN-OS CLI to read arbitrary files. The attacker must have network access to the management interface (… |
| CVE-2025-21247 | 2025-03-11 | Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2025-24470 | 2025-02-11 | An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve … |
| CVE-2025-21332 | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-21329 | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-21328 | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-21269 | 2025-01-14 | Windows HTML Platforms Security Feature Bypass Vulnerability |
| CVE-2025-21268 | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-21219 | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-21189 | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2024-30073 | 2024-09-10 | Windows Security Zone Mapping Security Feature Bypass Vulnerability |

| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes, Taxonomy_Mappings, Type |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Relationships, Taxonomy_Mappings |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Name |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Potential_Mitigations |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Other_Notes, Potential_Mitigations, Relationship_Notes |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Common_Consequences, Observed_Examples, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Detection_Factors, Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Affected_Resources, Applicable_Platforms, Relationships, Taxonomy_Mappings |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Observed_Examples, Potential_Mitigations, Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Observed_Examples |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Detection_Factors, Functional_Areas, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Observed_Examples, Relationships, Weakness_Ordinalities |