CWE-226 advisories

Path Traversal

What it is

A filename built from user input escapes the intended directory (../), exposing or overwriting arbitrary files.

How to fix it

Upgrade, then resolve and validate paths against an allow-listed base directory.

How to avoid it

Canonicalize paths and reject any that resolve outside the intended root; never trust user-supplied filenames.
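
The canonicalize-and-reject check described above, as an added Python example (not code from Stateward or from any advisory listed here). The names `resolve_under` and `PathEscapeError`, the directory layout and the sample filenames are all constructed for illustration.

```python
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """The requested name resolves outside the base directory."""


def resolve_under(base_dir, user_name):
    """Return the canonical path for user_name, or raise if it leaves base_dir."""
    if "\x00" in user_name:
        raise PathEscapeError("NUL byte in filename")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks; an absolute user_name replaces base in the join
    candidate = (base / user_name).resolve()
    # Compare path components, not string prefixes: "/srv/files-old" is not inside "/srv/files"
    if candidate != base and base not in candidate.parents:
        raise PathEscapeError(f"{user_name!r} resolves outside {base}")
    return candidate


def demo():
    """Check constructed sample names against a temporary directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, sibling = Path(tmp) / "files", Path(tmp) / "files-old"
        (root / "reports").mkdir(parents=True)
        sibling.mkdir()
        cases = {
            "plain": "reports/q1.txt",
            "dotdot_inside": "reports/../reports/q1.txt",
            "dotdot_escape": "../files-old/secret.txt",
            "absolute": str(sibling / "secret.txt"),
        }
        try:
            (root / "link").symlink_to(sibling)  # symlink pointing out of root
            cases["symlink"] = "link/secret.txt"
        except OSError:
            pass  # platform without symlink support: skip that case
        for label, name in cases.items():
            try:
                resolve_under(root, name)
                results[label] = "allowed"
            except PathEscapeError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Open the path that `resolve_under` returns rather than the original string; the check does not cover a symlink swapped in after resolution.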

Known Path Traversal vulnerabilities

Stateward flags Path Traversal in your own code and dependencies on every pull request.


Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.