Weaknesses of type CWE-22

4,838 results
CVE-2026-42496CRITICALArchive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directoryEPSS 0.4%CVE-2026-28676HIGHOpenSift: Insufficient path containment checks in storage helpers could allow path traversal-style file operationsEPSS 0.4%CVE-2026-7386MEDIUMfatbobman mail-mcp-bridge mail_mcp_server.py path traversalEPSS 0.4%CVE-2025-6589LOWWith MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockListEPSS 0.4%CVE-2026-4044MEDIUMprojectsend Delete import-orphans.php realpath path traversalEPSS 0.4%CVE-2026-7205MEDIUMduartium papers-mcp-server main.py search_papers path traversalEPSS 0.4%CVE-2025-47415MEDIUMRECWAVE Filepath TraversalEPSS 0.4%CVE-2024-30417HIGHPath traversal vulnerability in the Bluetooth-based sharing module. Impact: Successful exploitation of this vulnerability may affect serviceEPSS 0.4%CVE-2026-0846HIGHArbitrary File Read via Absolute Path Input in nltk.util.filestring()EPSS 0.4%CVE-2026-33077HIGHRoxy-WI has an arbitrary file read vulnerabilityEPSS 0.4%CVE-2026-7234MEDIUMBrowserOperator browser-operator-core server.js startsWith path traversalEPSS 0.4%CVE-2025-22167HIGHThis High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 ofEPSS 0.4%CVE-2025-6989HIGHKallyas <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder DeletionEPSS 0.4%CVE-2025-67819MEDIUMAn issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker EPSS 0.4%CVE-2025-7896MEDIUMharry0703 MoneyPrinterTurbo video.py delete_video path traversalEPSS 0.4%CVE-2025-48130HIGHWordPress Spice Blocks plugin <= 2.0.7.4 - Arbitrary File Download vulnerabilityEPSS 0.4%CVE-2026-28786MEDIUMOpen WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`EPSS 0.4%CVE-2026-35492MEDIUMKedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file writeEPSS 0.4%CVE-2025-48273HIGHWordPress WP Job Portal plugin <= 2.3.2 - Arbitrary File Download VulnerabilityEPSS 0.4%CVE-2026-0394MEDIUMWhen dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added EPSS 0.4%