CWE · MITRE source
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin" to access unexpected files. This is referred to as absolute path traversal.
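The two traversal forms described above (relative "../" sequences and absolute pathnames), shown as an added Python example that is not part of the CWE entry: the unsafe join pattern, a common but insufficient prefix check, and a hardened lookup that canonicalises first and then requires the result to be a descendant of the restricted directory. The base directory `/srv/files` and the request strings are constructed.

```python
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Requested path resolves outside the restricted directory."""


def unsafe_join(base_dir: str, user_path: str) -> str:
    # The weakness as described: external input is joined onto the restricted
    # directory without neutralising ".." or absolute pathnames.
    return os.path.join(base_dir, user_path)


def where_it_points(base_dir: str, user_path: str) -> str:
    # Where unsafe_join's result really lands once ".." is collapsed.
    return os.path.normpath(unsafe_join(base_dir, user_path))


def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    # Insufficient fix: a string prefix test accepts a sibling directory that
    # merely shares the prefix, e.g. /srv/files_backup for base /srv/files.
    return where_it_points(base_dir, user_path).startswith(base_dir)


def resolve_under(base_dir: str, user_path: str) -> Path:
    # Hardened lookup: resolve() collapses "..", follows symlinks, and an
    # absolute user_path replaces base entirely; relative_to() then compares
    # whole path components, so prefix-sharing siblings are rejected too.
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    BASE = "/srv/files"  # constructed example directory
    for req in ("report.pdf", "../../etc/passwd", "/etc/passwd", "../files_backup/k"):
        print(f"{req!r:22} unsafe -> {where_it_points(BASE, req):24} "
              f"prefix-check ok: {naive_prefix_check(BASE, req)!s:5} "
              f"hardened ok: {is_safe(BASE, req)}")
```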
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (1)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Validates pathnames and filenames to prevent traversal outside intended directories. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-11510 (KEV) | 9.7 | 10.0 | 0.9446 | 2019-05-08 |
| CVE-2021-41277 (KEV) | 9.7 | 10.0 | 0.9435 | 2021-11-17 |
| CVE-2010-2861 (KEV) | 9.6 | 9.8 | 0.9415 | 2010-08-11 |
| CVE-2019-3396 (KEV) | 9.6 | 9.8 | 0.9447 | 2019-03-25 |
| CVE-2019-16278 (KEV) | 9.6 | 9.8 | 0.9439 | 2019-10-14 |
| CVE-2019-7194 (KEV) | 9.6 | 9.8 | 0.9394 | 2019-12-05 |
| CVE-2019-7195 (KEV) | 9.6 | 9.8 | 0.9411 | 2019-12-05 |
| CVE-2019-19781 (KEV) | 9.6 | 9.8 | 0.9444 | 2019-12-27 |
| CVE-2020-5902 (KEV) | 9.6 | 9.8 | 0.9443 | 2020-07-01 |
| CVE-2021-21972 (KEV) | 9.6 | 9.8 | 0.9382 | 2021-02-24 |
| CVE-2021-20090 (KEV) | 9.6 | 9.8 | 0.9437 | 2021-04-29 |
| CVE-2021-22005 (KEV) | 9.6 | 9.8 | 0.9446 | 2021-09-23 |
| CVE-2021-41773 (KEV) | 9.6 | 9.8 | 0.9439 | 2021-10-05 |
| CVE-2021-42013 (KEV) | 9.6 | 9.8 | 0.9441 | 2021-10-07 |
| CVE-2022-29464 (KEV) | 9.6 | 9.8 | 0.9443 | 2022-04-18 |
| CVE-2022-37042 (KEV) | 9.6 | 9.8 | 0.9433 | 2022-08-12 |
| CVE-2022-41352 (KEV) | 9.6 | 9.8 | 0.9407 | 2022-09-26 |
| CVE-2023-47246 (KEV) | 9.6 | 9.8 | 0.9438 | 2023-11-10 |
| CVE-2024-23897 (KEV) | 9.6 | 9.8 | 0.9447 | 2024-01-24 |
| CVE-2024-32113 (KEV) | 9.6 | 9.8 | 0.9396 | 2024-05-08 |
| CVE-2024-4885 (KEV) | 9.6 | 9.8 | 0.9426 | 2024-06-25 |
| CVE-2018-13379 (KEV) | 9.5 | 9.1 | 0.9447 | 2019-06-04 |
| CVE-2024-8963 (KEV) | 9.5 | 9.4 | 0.9416 | 2024-09-19 |
| CVE-2024-41713 (KEV) | 9.5 | 9.1 | 0.9414 | 2024-10-21 |
| CVE-2018-14847 (KEV) | 9.4 | 9.1 | 0.9365 | 2018-08-02 |