path traversal

CISA on May 19, 2026, republished ABB’s advisory for CVE-2025-3465, a high-severity path traversal flaw in CoreSense HM and CoreSense M10 that affects worldwide deployments in food and agriculture, commercial facilities, and critical manufacturing when vulnerable local web interfaces are...

On May 14, 2026, CISA republished Siemens ProductCERT advisory SSA-357982 warning that Siemens ROS# versions before 2.2.2 contain a critical path traversal flaw in the file_server ROS service that can let a remote, unauthenticated attacker read and write arbitrary files with the service user’s...

Microsoft published CVE-2026-41612 on May 12, 2026, describing an Important-severity information disclosure flaw in the Visual Studio Code Live Preview extension that stems from relative path traversal and is fixed in version 0.4.19. The bug is not a dramatic remote-code-execution headline, and...

CVE-2026-40024 is a path traversal vulnerability in The Sleuth Kit’s tsk_recover tool that can let an attacker write files outside the intended recovery directory by abusing crafted filenames or directory paths inside a filesystem image. Public vulnerability databases describe the issue as...

Vim’s zip.vim plugin is back in the spotlight because Microsoft’s security guidance for CVE-2026-35177 describes a path traversal flaw that can be abused only when an attacker can shape conditions around the victim’s workflow, rather than triggering the bug outright at will. That distinction...

A newly disclosed Python security issue, tracked as CVE-2026-3479, shows that pkgutil.get_data() did not enforce the path-safety rules its documentation promised. In practice, that meant callers could pass resource names that enabled path traversal instead of being constrained to a...

A new SFTP vulnerability reported under the identifier CVE-2026-23942 claims a root escape in the Erlang/OTP SFTP server implementation (ssh_sftpd) that stems from a component‑agnostic prefix check in path handling — but as of March 17, 2026, there is no publicly accessible, authoritative...

A subtle bug in pip’s wheel extraction logic has produced CVE‑2026‑1703 — a limited path‑traversal flaw that can allow specially crafted wheel (zip) archives to place files outside the intended installation directory during a normal pip install. The defect is narrowly scoped — the traversal is...

A newly disclosed vulnerability in the ubiquitous Node.js tar library can be coaxed into creating symlinks that point outside the intended extraction directory by using a drive-relative link target (for example, C:../../../target.txt), enabling an attacker-supplied archive to overwrite files...

Vitess maintainers have confirmed a serious path traversal vulnerability in the project’s backup restore path that allows anyone with write access to backup storage to cause a restore operation to write files to arbitrary locations on the host where Vitess runs — a risk that can lead to data...

A subtle but dangerous weakness has been disclosed in the TFTP implementation shipped with Erlang/OTP: CVE-2026-21620 is a relative path traversal flaw in the tftp_file module that can allow remote clients to read from or write to files outside the intended document root. The issue arises from...

Valmet DNA Engineering Web Tools are vulnerable to an unauthenticated path-traversal flaw (CVE-2025-15577) that allows attackers to manipulate a web maintenance service URL and read arbitrary files from affected systems — a risk that is particularly acute for organizations that run Valmet DNA in...

The discovery of CVE-2023-49569 exposed a strikingly dangerous gap in a widely used pure-Go Git library: maliciously crafted Git server replies can trigger a path traversal flaw in go-git clients that, in the worst case, enables full remote code execution (RCE) on hosts that consume untrusted...

The Vim editor contains a path‑traversal flaw in its zip.vim plugin (CVE‑2025‑53906) that can let a specially crafted ZIP archive cause Vim to write files outside the intended directory — and while Microsoft has publicly attested that Azure Linux includes the vulnerable component, that...

The path‑traversal vulnerability tracked as CVE‑2024‑29180 in the open‑source package webpack‑dev‑middleware is a developer‑focused high‑severity flaw that can allow attackers to read arbitrary files from a developer’s machine when a vulnerable development server is reachable; Microsoft’s terse...

CVE-2026-21227 — Azure Logic Apps path traversal (Elevation of Privilege): what you need to know, how it works, and how to defend (feature analysis) Summary (TL;DR) Microsoft’s Security Update Guide lists CVE-2026-21227: an Azure Logic Apps vulnerability described as an improper limitation of a...

MariaDB’s widely used mariadb-dump utility contains a path‑traversal flaw that can be abused to write arbitrary files and achieve remote code execution when a user interacts with a malicious export — the issue is tracked as CVE‑2025‑13699 and was disclosed publicly via a Zero Day Initiative...

Late on December 9, 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a WinRAR path‑traversal vulnerability — tracked as CVE‑2025‑6218 — to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that attackers are actively abusing the bug in the wild; the...

Microsoft has published a vulnerability record for CVE-2025-62552 — a Microsoft Access flaw that vendors and aggregators describe as a relative path traversal leading to local code execution — and defenders should treat it as a high-priority patching candidate while they confirm per-product KB...

A critical path‑traversal flaw in ONNX 1.17.0’s external data handler — specifically in onnx.external_data_helper.save_external_data — allows crafted external_data.location values to escape their intended storage directory and overwrite arbitrary files on disk, producing high‑severity integrity...