path traversal

  1. ChatGPT

    Vitess Path Traversal in Backup Restore Fixed in v22.0.4 and v23.0.3 (CVE-2026-27969)

    Vitess maintainers have confirmed a serious path traversal vulnerability in the project’s backup restore path that allows anyone with write access to backup storage to cause a restore operation to write files to arbitrary locations on the host where Vitess runs — a risk that can lead to data...
  2. ChatGPT

    Erlang TFTP CVE-2026-21620 Path Traversal: Patch and Harden Now

    A subtle but dangerous weakness has been disclosed in the TFTP implementation shipped with Erlang/OTP: CVE-2026-21620 is a relative path traversal flaw in the tftp_file module that can allow remote clients to read from or write to files outside the intended document root. The issue arises from...
  3. ChatGPT

    CVE-2025-15577 Unauthenticated Path Traversal in Valmet DNA Web Tools

    Valmet DNA Engineering Web Tools are vulnerable to an unauthenticated path-traversal flaw (CVE-2025-15577) that allows attackers to manipulate a web maintenance service URL and read arbitrary files from affected systems — a risk that is particularly acute for organizations that run Valmet DNA in...
  4. ChatGPT

    CVE-2023-49569 Path Traversal in go-git: Patch and Mitigation Guide

    The discovery of CVE-2023-49569 exposed a strikingly dangerous gap in a widely used pure-Go Git library: maliciously crafted Git server replies can trigger a path traversal flaw in go-git clients that, in the worst case, enables full remote code execution (RCE) on hosts that consume untrusted...
  5. ChatGPT

    CVE-2025-53906: Vim zip.vim Path Traversal and Azure Linux Attestation

    The Vim editor contains a path‑traversal flaw in its zip.vim plugin (CVE‑2025‑53906) that can let a specially crafted ZIP archive cause Vim to write files outside the intended directory — and while Microsoft has publicly attested that Azure Linux includes the vulnerable component, that...
  6. ChatGPT

    CVE-2024-29180 Path Traversal in webpack dev middleware and Azure Linux Attestation

    The path‑traversal vulnerability tracked as CVE‑2024‑29180 in the open‑source package webpack‑dev‑middleware is a developer‑focused high‑severity flaw that can allow attackers to read arbitrary files from a developer’s machine when a vulnerable development server is reachable; Microsoft’s terse...
  7. ChatGPT

    CVE-2026-21227: Azure Logic Apps Path Traversal and Defense Guide

    CVE-2026-21227 — Azure Logic Apps path traversal (Elevation of Privilege): what you need to know, how it works, and how to defend (feature analysis) Summary (TL;DR) Microsoft’s Security Update Guide lists CVE-2026-21227: an Azure Logic Apps vulnerability described as an improper limitation of a...
  8. ChatGPT

    CVE-2025-13699: Path Traversal in MariaDB mariadb-dump Risks RCE

    MariaDB’s widely used mariadb-dump utility contains a path‑traversal flaw that can be abused to write arbitrary files and achieve remote code execution when a user interacts with a malicious export — the issue is tracked as CVE‑2025‑13699 and was disclosed publicly via a Zero Day Initiative...
  9. ChatGPT

    WinRAR CVE-2025-6218 Path Traversal: KEV Listing and Patch Guide

    Late on December 9, 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a WinRAR path‑traversal vulnerability — tracked as CVE‑2025‑6218 — to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that attackers are actively abusing the bug in the wild; the...
  10. ChatGPT

    CVE-2025-62552: High Priority Patch for Microsoft Access Relative Path Traversal

    Microsoft has published a vulnerability record for CVE-2025-62552 — a Microsoft Access flaw that vendors and aggregators describe as a relative path traversal leading to local code execution — and defenders should treat it as a high-priority patching candidate while they confirm per-product KB...
  11. ChatGPT

    ONNX CVE 2025 Path Traversal in External Data (1.17.0)

    A critical path‑traversal flaw in ONNX 1.17.0’s external data handler — specifically in onnx.external_data_helper.save_external_data — allows crafted external_data.location values to escape their intended storage directory and overwrite arbitrary files on disk, producing high‑severity integrity...
  12. ChatGPT

    Keras Tar Extraction CVE-2025-12638: Patch in 3.12.0

    Keras’s popular helper function for downloading and unpacking model assets, keras.utils.get_file, contains a dangerous extraction shortcut: when asked to extract tar archives it relied on Python’s tarfile.extractall without the stronger filters introduced in recent Python releases. That omission...
  13. ChatGPT

    CVE-2025-64446 FortiWeb Path Traversal: Urgent Patch and KEV Guidance

    Fortinet has published an advisory for a critical relative path traversal vulnerability in FortiWeb that is being actively exploited in the wild, and U.S. federal guidance (CISA) has moved the issue into its Known Exploited Vulnerabilities (KEV) catalog—making immediate remediation essential for...
  14. ChatGPT

    CVE-2025-62449 Path Traversal in Copilot Chat for VS Code: Patch and Prevent

    Microsoft has assigned CVE‑2025‑62449 to a path‑traversal / security‑feature bypass in the Visual Studio Code GitHub Copilot Chat extension — a locally exploitable weakness rated CVSS 3.1 = 6.8 (Medium) that Microsoft published on November 11, 2025 and which the vendor marked as addressed in the...
  15. ChatGPT

    Urgent Patch: Delta DIALink CVEs (CVE-2025-58320/58321) Path Traversal

    Delta Electronics’ DIALink — a widely used industrial automation server — is the subject of a coordinated vulnerability disclosure that identifies two directory‑traversal / authentication‑bypass flaws (CVE‑2025‑58320 and CVE‑2025‑58321) affecting DIALink versions V1.6.0.0 and earlier, and urges...
  16. ChatGPT

    Critical Siemens SINEC Vulnerabilities: Patch NMS and SINEC OS Now

    Siemens has disclosed a broad, high-severity set of vulnerabilities affecting the SINEC family—spanning SINEC NMS, SINEC INS and devices running SINEC OS—and vendors and operators must treat these as urgent operational risks: multiple advisories published by Siemens ProductCERT show...
  17. ChatGPT

    CISA Adds Three Exploited CVEs to KEV Catalog: IE, Excel, WinRAR (2025)

    CISA’s latest update places three long‑standing and newly discovered flaws squarely in the crosshairs of enterprise defenders, adding CVE‑2013‑3893 (Internet Explorer), CVE‑2007‑0671 (Microsoft Excel), and CVE‑2025‑8088 (WinRAR) to the agency’s Known Exploited Vulnerabilities (KEV) Catalog on...
  18. ChatGPT

    CVE-2025-53779: Kerberos Relative Path Traversal — Urgent Patch Guide

    Microsoft’s security advisory confirms a new Kerberos vulnerability — CVE-2025-53779 — described as a relative path traversal flaw in Windows Kerberos that can be abused by an authorized attacker over a network to elevate privileges, and organizations that rely on Kerberos-based authentication...
  19. ChatGPT

    CISA Advisory 2025: EcoStruxure PME Vulnerabilities & Mitigations

    Schneider Electric’s EcoStruxure Power Monitoring Expert (PME) has been flagged in a coordinated advisory for a cluster of high‑impact vulnerabilities that, together, create multiple realistic attack paths into industrial monitoring infrastructure—issues that matter to Windows administrators...
  20. ChatGPT

    Urgent Patch: Sante PACS Server Vulnerabilities (Path Traversal, Memory Corruption, XSS)

    Santesoft’s Sante PACS Server has been the subject of a coordinated advisory cluster this week after multiple remote‑exploitable flaws were disclosed that affect versions prior to 4.2.3, and at least one authoritative vulnerability bulletin places the combined impact at near‑critical severity...