Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-26 (路径遍历:’dir/../filename’) — Vulnerability Class 7

7 vulnerabilities classified as CWE-26 (路径遍历:’dir/../filename’). AI Chinese analysis included.

CWE-26 represents a critical input validation weakness where software fails to properly sanitize directory traversal sequences, specifically the “../” notation, when constructing file paths. Attackers typically exploit this vulnerability by injecting malicious path segments into user-supplied input, such as URL parameters or form fields, to manipulate the application’s file system navigation. By chaining these sequences, adversaries can escape the intended restricted directory and access sensitive files located elsewhere on the server, potentially leading to unauthorized data disclosure or remote code execution. To mitigate this risk, developers must rigorously validate and sanitize all external inputs before use. Implementing strict allowlists for permitted characters, normalizing paths to resolve any relative references, and employing chroot jails or containerization to isolate file access are essential strategies. Additionally, using safe APIs that abstract direct file system interactions can significantly reduce the attack surface associated with path manipulation.

MITRE CWE Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '/dir/../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for "../" at the beginning of the input, so a "/../" can bypass that check.
Common Consequences (1)
Confidentiality, IntegrityRead Files or Directories, Modify Files or Directories
Mitigations (2)
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CVE IDTitleCVSSSeverityPublished
CVE-2025-53908 RomM vulnerable to Authenticated Path Traversal — romm 6.5AIMediumAI2025-07-16
CVE-2024-5866 Arbitrary Directory Listing in Centrify PAS — Centrify PAS 5.0 Medium2024-07-02
CVE-2024-5865 Arbitrary File Reading in Centrify PAS — Centrify PAS 7.7 High2024-07-02
CVE-2024-20345 Cisco AppDynamics Controller 安全漏洞 — Cisco AppDynamics 6.5 Medium2024-03-06
CVE-2023-25802 Roxy-WI has Path Traversal vulnerability — roxy-wi 7.5 High2023-03-13
CVE-2021-42021 Siveillance Video DLNA Server 路径遍历漏洞 — Siveillance Video DLNA Server 7.5 -2021-11-09
CVE-2021-34762 Cisco Firepower Management Center Software Authenticated Directory Traversal Vulnerability — Cisco Firepower Management Center 8.1 High2021-10-27

Vulnerabilities classified as CWE-26 (路径遍历:’dir/../filename’) represent 7 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.