CWE-35 - Path Traversal: '.../...//'
161 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-35 (page 2 of 4)
- CVE-2024-49249 | HIGH | CVSS 8.6 | EG 8.6 | 2025-01-07
Path Traversal: '.../...//' vulnerability in SMSA Express SMSA Shipping smsa-shipping-official allows Path Traversal. This issue affects SMSA Shipping: from n/a through <= 2.3.
- CVE-2024-49258 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-10-16
Path Traversal: '.../...//' vulnerability in Limbcode WordPress Gallery Plugin – Limb Image Gallery limb-gallery. This issue affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through <= 1.5.7.
- CVE-2024-49770 | HIGH | CVSS 7.7 | EG 7.5 | 2024-11-01
`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version…
- CVE-2024-50054 | HIGH | CVSS 7.5 | EG 7.5 | 2024-11-22
The back-end does not sufficiently verify the user-controlled filename parameter which makes it possible for an attacker to perform a path traversal attack and retrieve arbitrary files from the file system.
- CVE-2024-51582 | HIGH | CVSS 7.5 | EG 7.5 | 2024-11-04
Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows PHP Local File Inclusion. This issue affects WP Hotel Booking: from n/a through <= 2.2.9.
- CVE-2024-52390 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-11-18
Path Traversal: '.../...//' vulnerability in Greg Ross CYAN Backup cyan-backup allows Path Traversal. This issue affects CYAN Backup: from n/a through <= 2.5.3.
- CVE-2024-52447 | HIGH | CVSS 8.6 | EG 8.6 | 2024-11-20
Path Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal. This issue affects Contact Page With Google Map: from n/a through <= 1.6.1.
- CVE-2024-52498 | HIGH | CVSS 7.5 | EG 7.5 | 2024-11-28
Path Traversal: '.../...//' vulnerability in softpulseinfotech SP Blog Designer sp-blog-designer allows PHP Local File Inclusion. This issue affects SP Blog Designer: from n/a through <= 1.0.0.
- CVE-2024-52885 | MEDIUM | CVSS 5.0 | EG 5.0 | 2025-08-06
The Mobile Access Portal's File Share application is vulnerable to a directory traversal attack, allowing an authenticated, malicious end-user (authorized to at least one File Share application) to list the file names of 'nobody'-accessibl…
- CVE-2024-54216 | HIGH | CVSS 7.7 | EG 7.7 | 2024-12-06
Path Traversal: '.../...//' vulnerability in reputeinfosystems ARForms arforms allows Path Traversal. This issue affects ARForms: from n/a through <= 6.4.1.
- CVE-2024-54313 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-12-13
Path Traversal vulnerability in FULL. FULL Customer allows Path Traversal. This issue affects FULL Customer: from n/a through 3.1.25.
- CVE-2024-54362 | HIGH | CVSS 8.1 | EG 8.1 | 2025-03-28
Path Traversal: '.../...//' vulnerability in boggibill GetShop ecommerce getshop-ecommerce allows Path Traversal. This issue affects GetShop ecommerce: from n/a through <= 1.3.
- CVE-2024-5481 | MEDIUM | CVSS 6.8 | EG 6.8 | 2024-06-07
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to …
- CVE-2024-56045 | CRITICAL | CVSS 9.3 | EG 9.3 | 2024-12-31
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through < 1.9.9.5.
- CVE-2024-56049 | HIGH | CVSS 8.5 | EG 8.5 | 2024-12-18
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- CVE-2024-56055 | HIGH | CVSS 8.5 | EG 8.5 | 2024-12-18
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- CVE-2024-56213 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-12-31
Path Traversal: '.../...//' vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal. This issue affects Eventin: from n/a through <= 4.0.7.
- CVE-2024-56214 | HIGH | CVSS 8.3 | EG 8.3 | 2024-12-31
Path Traversal: '.../...//' vulnerability in DeluxeThemes Userpro userpro allows Path Traversal. This issue affects Userpro: from n/a through <= 5.1.9.
- CVE-2024-7608 | MEDIUM | CVSS 5.9 | EG 6.4 | 2024-08-27
An authenticated user can access the restricted files from NX, EX, FX, AX, IVX and CMS using path traversal.
- CVE-2025-0858 | MEDIUM | CVSS 5.8 | EG 0.0 | 2025-02-05
A vulnerability was discovered in the firmware builds up to 8.2.1.0820 in certain Poly devices. The firmware flaw does not properly prevent path traversal and could lead to information disclosure.
- CVE-2025-20313 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-09-24
Multiple vulnerabilities in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute persistent code at boot time and break …
- CVE-2025-20320 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-07-07
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could c…
- CVE-2025-22205 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-04
Improper handling of input variables leads to multiple path traversal vulnerabilities in the Admiror Gallery extension for Joomla in version branch 4.x.
- CVE-2025-22288 | MEDIUM | CVSS 4.1 | EG 4.1 | 2025-11-06
Path Traversal: '.../...//' vulnerability in WPMU DEV - Your All-in-One WordPress Platform Smush Image Compression and Optimization wp-smushit allows Path Traversal. This issue affects Smush Image Compression and Optimization: from n/a thro…
- CVE-2025-22786 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-15
Path Traversal: '.../...//' vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through <…
- CVE-2025-24685 | HIGH | CVSS 8.1 | EG 8.1 | 2025-01-27
Path Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping morkva-ua-shipping allows PHP Local File Inclusion. This issue affects Morkva UA Shipping: from n/a through <= 1.0.18.
- CVE-2025-24786 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-02-06
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sql…
- CVE-2025-24907 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-04-16
Overview: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location th…
- CVE-2025-24908 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-04-16
Overview: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location th…
- CVE-2025-25122 | HIGH | CVSS 8.1 | EG 8.1 | 2025-03-03
Path Traversal: '.../...//' vulnerability in hashshop WizShop wizshop allows Path Traversal. This issue affects WizShop: from n/a through <= 3.0.2.
- CVE-2025-26351 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-02-12
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
- CVE-2025-26352 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-02-12
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
- CVE-2025-26353 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
- CVE-2025-26354 | HIGH | CVSS 7.2 | EG 7.2 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
- CVE-2025-26355 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
- CVE-2025-26356 | HIGH | CVSS 7.2 | EG 7.2 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
- CVE-2025-26357 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-02-12
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
- CVE-2025-26876 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-02-25
Path Traversal: '.../...//' vulnerability in CodeManas Search with Typesense search-with-typesense allows Path Traversal. This issue affects Search with Typesense: from n/a through <= 2.0.8.
- CVE-2025-26935 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-25
Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through <= 2.2.8.
- CVE-2025-26940 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-15
Path Traversal vulnerability in NotFound Pie Register Premium. This issue affects Pie Register Premium: from n/a through 3.8.3.2.
- CVE-2025-27010 | HIGH | CVSS 8.1 | EG 8.1 | 2025-05-19
Path Traversal: '.../...//' vulnerability in bslthemes Tastyc tastyc allows PHP Local File Inclusion. This issue affects Tastyc: from n/a through < 2.5.2.
- CVE-2025-27222 | HIGH | CVSS 8.6 | EG 8.6 | 2025-10-27
TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be…
- CVE-2025-27274 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-03-03
Path Traversal: '.../...//' vulnerability in axelkeller GPX Viewer gpx-viewer allows Path Traversal. This issue affects GPX Viewer: from n/a through <= 2.2.11.
- CVE-2025-27445 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-06-05
A path traversal vulnerability in RSFirewall component 2.9.7 - 3.1.5 for Joomla was discovered. This vulnerability allows authenticated users to read arbitrary files outside the Joomla root directory. The flaw is caused by insufficient san…
- CVE-2025-28973 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-12-31
Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0.
- CVE-2025-30014 | HIGH | CVSS 7.7 | EG 7.7 | 2025-04-08
SAP Capital Yield Tax Management has directory traversal vulnerability due to insufficient path validation. This could allow an attacker with low privileges to read files from directory which they don't have access to, hence causing a hi…
- CVE-2025-30515 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-06-09
CyberData 011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
- CVE-2025-30834 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-01
Path Traversal: '.../...//' vulnerability in Bit Apps Bit Assist bit-assist allows Path Traversal. This issue affects Bit Assist: from n/a through <= 1.5.4.
- CVE-2025-30966 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-04-15
Path Traversal vulnerability in NotFound WPJobBoard allows Path Traversal. This issue affects WPJobBoard: from n/a through n/a.
- CVE-2025-32585 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-11
Path Traversal: '.../...//' vulnerability in Trusty Plugins Shop Products Filter trusty-woo-products-filter allows PHP Local File Inclusion. This issue affects Shop Products Filter: from n/a through <= 1.2.