CWE-35 170 個 CVE MITRE 定義 ↗

CWE-35:Path Traversal: '.../...//'

概覽

CWE-35(Path Traversal: '.../...//')描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-49779 2026-07-02 Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions.
CVE-2026-52707 2026-06-17 Unauthenticated Local File Inclusion in Kastell <= 2.0 versions.
CVE-2026-52703 2026-06-15 Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
CVE-2026-49112 2026-06-15 Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.
CVE-2026-42661 2026-06-15 Custom role Path Traversal in WP Customer Area <= 8.3.4 versions.
CVE-2026-40128 2026-06-08 SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and…
CVE-2026-24315 2026-06-08 SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credenti…
CVE-2026-45661 2026-05-29 Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitra…
CVE-2026-44933 2026-05-20 `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, i…
CVE-2026-45495 2026-05-18 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2026-7302 2026-05-18 SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by i…
CVE-2026-42930 2026-05-13 When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.  Note: Software versions which have r…
CVE-2026-24464 2026-05-13 When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross…
CVE-2026-25705 2026-05-13 A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher throug…
CVE-2026-0804 2026-05-12 An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis…
CVE-2026-42274 2026-05-08 Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstrea…
CVE-2026-20034 2026-05-06 A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is …
CVE-2026-0205 2026-04-29 A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services.
CVE-2026-6074 2026-04-23 Intrado 911 Emergency Gateway (EGW) 5.x, 6.x, and 7.x contain a path traversal vulnerability in the download_debuglog_file.php endpoint used for Debug Logs downloads. An unauthenticated attacker can m…
CVE-2026-28265 2026-04-01 PowerStore, contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary …

曾用名

  • Path Issue - Doubled Triple Dot Slash - '.../...//' (2008-04-11)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Description, Relationships, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Observed_Examples
2009-07-27 CWE Content Team 1.5 updated Potential_Mitigations
2010-06-21 CWE Content Team 1.9 updated Description, Potential_Mitigations
2010-12-13 CWE Content Team 1.11 updated Relationships
2011-03-29 CWE Content Team 1.12 updated Potential_Mitigations
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2021-03-15 CWE Content Team 4.4 updated Potential_Mitigations
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-09-09 CWE Content Team 4.18 updated Affected_Resources, Functional_Areas
2025-12-11 CWE Content Team 4.19 updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Diagram, Potential_Mitigations, Weakness_Ordinalities
cvelogic Threat Intelligence