path traversal

A newly disclosed Python security issue, tracked as CVE-2026-3479, shows that pkgutil.get_data() did not enforce the path-safety rules its documentation promised. In practice, that meant callers could pass resource names that enabled path traversal instead of being constrained to a...

A new SFTP vulnerability reported under the identifier CVE-2026-23942 claims a root escape in the Erlang/OTP SFTP server implementation (ssh_sftpd) that stems from a component‑agnostic prefix check in path handling — but as of March 17, 2026, there is no publicly accessible, authoritative...

A subtle bug in pip’s wheel extraction logic has produced CVE‑2026‑1703 — a limited path‑traversal flaw that can allow specially crafted wheel (zip) archives to place files outside the intended installation directory during a normal pip install. The defect is narrowly scoped — the traversal is...

A newly disclosed vulnerability in the ubiquitous Node.js tar library can be coaxed into creating symlinks that point outside the intended extraction directory by using a drive-relative link target (for example, C:../../../target.txt), enabling an attacker-supplied archive to overwrite files...

Vitess maintainers have confirmed a serious path traversal vulnerability in the project’s backup restore path that allows anyone with write access to backup storage to cause a restore operation to write files to arbitrary locations on the host where Vitess runs — a risk that can lead to data...

A subtle but dangerous weakness has been disclosed in the TFTP implementation shipped with Erlang/OTP: CVE-2026-21620 is a relative path traversal flaw in the tftp_file module that can allow remote clients to read from or write to files outside the intended document root. The issue arises from...

Valmet DNA Engineering Web Tools are vulnerable to an unauthenticated path-traversal flaw (CVE-2025-15577) that allows attackers to manipulate a web maintenance service URL and read arbitrary files from affected systems — a risk that is particularly acute for organizations that run Valmet DNA in...

The discovery of CVE-2023-49569 exposed a strikingly dangerous gap in a widely used pure-Go Git library: maliciously crafted Git server replies can trigger a path traversal flaw in go-git clients that, in the worst case, enables full remote code execution (RCE) on hosts that consume untrusted...

The Vim editor contains a path‑traversal flaw in its zip.vim plugin (CVE‑2025‑53906) that can let a specially crafted ZIP archive cause Vim to write files outside the intended directory — and while Microsoft has publicly attested that Azure Linux includes the vulnerable component, that...

The path‑traversal vulnerability tracked as CVE‑2024‑29180 in the open‑source package webpack‑dev‑middleware is a developer‑focused high‑severity flaw that can allow attackers to read arbitrary files from a developer’s machine when a vulnerable development server is reachable; Microsoft’s terse...

CVE-2026-21227 — Azure Logic Apps path traversal (Elevation of Privilege): what you need to know, how it works, and how to defend (feature analysis) Summary (TL;DR) Microsoft’s Security Update Guide lists CVE-2026-21227: an Azure Logic Apps vulnerability described as an improper limitation of a...

MariaDB’s widely used mariadb-dump utility contains a path‑traversal flaw that can be abused to write arbitrary files and achieve remote code execution when a user interacts with a malicious export — the issue is tracked as CVE‑2025‑13699 and was disclosed publicly via a Zero Day Initiative...

Late on December 9, 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a WinRAR path‑traversal vulnerability — tracked as CVE‑2025‑6218 — to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that attackers are actively abusing the bug in the wild; the...

Microsoft has published a vulnerability record for CVE-2025-62552 — a Microsoft Access flaw that vendors and aggregators describe as a relative path traversal leading to local code execution — and defenders should treat it as a high-priority patching candidate while they confirm per-product KB...

A critical path‑traversal flaw in ONNX 1.17.0’s external data handler — specifically in onnx.external_data_helper.save_external_data — allows crafted external_data.location values to escape their intended storage directory and overwrite arbitrary files on disk, producing high‑severity integrity...

Keras’s popular helper function for downloading and unpacking model assets, keras.utils.get_file, contains a dangerous extraction shortcut: when asked to extract tar archives it relied on Python’s tarfile.extractall without the stronger filters introduced in recent Python releases. That omission...

Fortinet has published an advisory for a critical relative path traversal vulnerability in FortiWeb that is being actively exploited in the wild, and U.S. federal guidance (CISA) has moved the issue into its Known Exploited Vulnerabilities (KEV) catalog—making immediate remediation essential for...

Microsoft has assigned CVE‑2025‑62449 to a path‑traversal / security‑feature bypass in the Visual Studio Code GitHub Copilot Chat extension — a locally exploitable weakness rated CVSS 3.1 = 6.8 (Medium) that Microsoft published on November 11, 2025 and which the vendor marked as addressed in the...

Delta Electronics’ DIALink — a widely used industrial automation server — is the subject of a coordinated vulnerability disclosure that identifies two directory‑traversal / authentication‑bypass flaws (CVE‑2025‑58320 and CVE‑2025‑58321) affecting DIALink versions V1.6.0.0 and earlier, and urges...

Siemens has disclosed a broad, high-severity set of vulnerabilities affecting the SINEC family—spanning SINEC NMS, SINEC INS and devices running SINEC OS—and vendors and operators must treat these as urgent operational risks: multiple advisories published by Siemens ProductCERT show...