Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-24 (路径遍历:’../filedir’) — Vulnerability Class 91

91 vulnerabilities classified as CWE-24 (路径遍历:’../filedir’). AI Chinese analysis included.

CWE-24 represents a critical input validation weakness where software fails to properly sanitize user-supplied data before constructing file paths. Attackers typically exploit this vulnerability by injecting directory traversal sequences, such as "../", into input fields to manipulate the resulting pathname. This manipulation allows the application to resolve paths outside the intended restricted directory, enabling unauthorized access to sensitive system files, configuration data, or source code. To mitigate this risk, developers must implement robust input validation strategies that strictly whitelist allowed characters and reject any path components containing traversal sequences. Additionally, employing canonicalization techniques to normalize paths before validation ensures that encoded or double-encoded attacks are detected. Restricting file system access through chroot jails or containerization further limits the potential impact of successful exploitation, ensuring that even if validation fails, the attacker cannot escape the designated secure boundary.

MITRE CWE Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The "../" manipulation is the canonical manipulation for operating systems that use "/" as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which "/" is supported but not the primary separator, such as Windows, which uses "\" but can also accept "/".
Common Consequences (1)
Confidentiality, IntegrityRead Files or Directories, Modify Files or Directories
Mitigations (2)
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CVE IDTitleCVSSSeverityPublished
CVE-2026-33431 Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer — roxy-wi 8.1AIHighAI2026-04-20
CVE-2026-40318 SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` — siyuan 8.5 High2026-04-16
CVE-2026-41082 opam 安全漏洞 — opam 7.3 High2026-04-16
CVE-2026-39813 Fortinet FortiSandbox 安全漏洞 — FortiSandbox 9.1 Critical2026-04-14
CVE-2026-28538 Huawei HarmonyOS 路径遍历漏洞 — HarmonyOS 5.9 Medium2026-03-05
CVE-2024-43035 Fonoster 安全漏洞 — Fonoster 5.8 Medium2026-03-05
CVE-2026-21857 Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read — redaxo 6.5 -2026-01-07
CVE-2026-21436 eopkg has Path Traversal: '../filedir' vulnerability — eopkg 9.1 -2026-01-01
CVE-2025-68430 CVAT vulnerable to directory traversal via mounted share listing — cvat 4.3AIMediumAI2025-12-19
CVE-2025-67845 Mintlify 安全漏洞 — Mintlify Platform 6.4 Medium2025-12-19
CVE-2025-13199 code-projects Email Logging Interface signup.cpp path traversal — Email Logging Interface 5.3 Medium2025-11-15
CVE-2023-53691 Hikvision CSMP iSecure Center 安全漏洞 — CSMP iSecure Center 8.3 High2025-10-22
CVE-2025-60344 D-Link DSR-150 安全漏洞 — DSR-150 8.6 High2025-10-21
CVE-2025-59342 esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header — esm.sh 7.5AIHighAI2025-09-17
CVE-2025-46094 Liquidfiles 安全漏洞 — LiquidFiles 3.8 Low2025-08-04
CVE-2025-44962 RUCKUS SmartZone 安全漏洞 — SmartZone 5.0 Medium2025-08-04
CVE-2025-54769 KL-001-2025-016: Xorux LPAR2RRD File Upload Directory Traversal — LPAR2RRD 8.8AIHighAI2025-07-28
CVE-2025-45582 GNU Tar 安全漏洞 — Tar 4.1 Medium2025-07-11
CVE-2025-53513 Zip slip vulnerability in Juju — Juju 8.8 High2025-07-08
CVE-2025-48050 DOMPurify 安全漏洞 — DOMPurify 7.5 High2025-05-15
CVE-2025-47423 Personal Weather Station Dashboard 安全漏洞 — Personal Weather Station Dashboard 5.8 Medium2025-05-07
CVE-2025-27920 Output Messenger 安全漏洞 — Output Messenger 7.2 High2025-05-05
CVE-2024-53636 Serosoft Solutions Academia Student Information System EagleR 安全漏洞 — Academia Student Information System 6.4 Medium2025-04-26
CVE-2025-46646 Artifex Ghostscript 安全漏洞 — Ghostscript 4.5 Medium2025-04-26
CVE-2025-43928 Infodraw Media Relay Service 安全漏洞 — Media Relay Service 5.8 Medium2025-04-20
CVE-2025-43919 GNU Mailman 安全漏洞 — Mailman 5.8 Medium2025-04-20
CVE-2025-32807 FusionDIrectory 安全漏洞 — FusionDirectory 5.3 Medium2025-04-10
CVE-2025-2961 opensolon org.noear.solon.core.handle.RenderManager aa render_mav path traversal — opensolon 4.3 Medium2025-03-30
CVE-2025-30343 OpenSlides 安全漏洞 — OpenSlides 3.0 Low2025-03-21
CVE-2025-1599 SourceCodester Best Church Management Software profile_crud.php path traversal — Best Church Management Software 5.4 Medium2025-02-24

Vulnerabilities classified as CWE-24 (路径遍历:’../filedir’) represent 91 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.