CWE-22 9302 個 CVE MITRE 定義 ↗

CWE-22:Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

概覽

CWE-22(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology AI/ML Often

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-57571 2026-07-06 Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined …
CVE-2026-14468 2026-07-06 HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. Thi…
CVE-2026-9181 2026-07-06 ArcGIS Server contains a directory traversal vulnerability. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to sen…
CVE-2026-59196 2026-07-06 pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while r…
CVE-2026-59195 2026-07-06 pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlin…
CVE-2026-59194 2026-07-06 pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. …
CVE-2026-59152 2026-07-06 LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can…
CVE-2026-58203 2026-07-06 pydantic-settings provides settings management using Pydantic. From 2.12.0 until 2.14.2, NestedSecretsSettingsSource reads secret values from files in a configured secrets_dir. When secrets_nested_sub…
CVE-2026-7185 2026-07-06 A validation vulnerability has been identified in certain web features related to file management or upload in several products of the TAO 2.0 suite. This vulnerability could allow an attacker capable…
CVE-2026-49297 2026-07-06 Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object names returned by the bucket listing API directly to a destination filesystem pa…
CVE-2026-14783 2026-07-05 A vulnerability was determined in NousResearch hermes-agent 2026.5.29.2. The impacted element is the function skill_view of the file tools/skills_tool.py. Executing a manipulation of the argument Name…
CVE-2026-59510 2026-07-05 AIL Framework contains a path traversal vulnerability in its PDF object handling. Prior to commit 14c618fce4d1df02358717c48ea903706abecdf2, the PDF.get_filepath() function constructed a file path by j…
CVE-2026-14636 2026-07-04 A weakness has been identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 23105f25dadf57b4314fc015a63a7c6e910c89df. Impacted is the function do_upload_others_images of the file application/m…
CVE-2026-14635 2026-07-04 A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/mo…
CVE-2026-14628 2026-07-04 A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Perform…
CVE-2026-28705 2026-07-03 Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.
CVE-2026-41124 2026-07-03 Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 throu…
CVE-2026-47896 2026-07-03 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: fro…
CVE-2026-47897 2026-07-03 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: fro…
CVE-2026-9725 2026-07-03 The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path valid…

曾用名

  • Path Traversal (2010-02-16)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Alternate_Terms, Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-07-27 CWE Content Team 1.5 updated Potential_Mitigations
2010-02-16 CWE Content Team 1.8 updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Weakness_Ordinalities
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations, References, Relationships
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations
2010-12-13 CWE Content Team 1.11 updated Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Potential_Mitigations
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-02-21 CWE Content Team 2.4 updated Observed_Examples
2013-07-17 CWE Content Team 2.5 updated Related_Attack_Patterns, Relationships
2014-06-23 CWE Content Team 2.7 updated Other_Notes, Research_Gaps
2014-07-30 CWE Content Team 2.8 updated Detection_Factors, Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Related_Attack_Patterns
2017-05-03 CWE Content Team 2.11 updated Demonstrative_Examples
2017-11-08 CWE Content Team 3.0 updated Affected_Resources, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Relevant_Properties, Taxonomy_Mappings
2018-03-27 CWE Content Team 3.1 updated References, Relationships
2019-01-03 CWE Content Team 3.2 updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships, Type
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Demonstrative_Examples, Potential_Mitigations
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Potential_Mitigations, Relationships
2021-03-15 CWE Content Team 4.4 updated Demonstrative_Examples, Relationships
2021-07-20 CWE Content Team 4.5 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Observed_Examples, Relationships
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples, References
2023-01-31 CWE Content Team 4.10 updated Common_Consequences, Description, Detection_Factors
2023-04-27 CWE Content Team 4.11 updated Demonstrative_Examples, References, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2024-07-16 CWE Content Team 4.15 updated Common_Consequences, Description, Diagram, Observed_Examples, Other_Notes, References
2024-11-19 CWE Content Team 4.16 updated Demonstrative_Examples, Relationships
2025-04-03 CWE Content Team 4.17 updated Relationships
2025-09-09 CWE Content Team 4.18 updated Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
2025-12-11 CWE Content Team 4.19 updated Mapping_Notes, Relationships
2026-04-30 CWE Content Team 4.20 updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Relationships

貢獻

類型 名稱 日期 評論
Feedback Nick Johnston 2022-07-11 Identified weakness in Perl demonstrative example
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
Feedback Drew Buttner 2024-11-01 Identified weakness in "good code" for Python demonstrative example
Content Affan Ahmed 2025-02-08 Provided a demonstrative example in PHP
cvelogic Threat Intelligence