CWE · MITRE source
CWE-36: Absolute Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (0)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | | | |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-13159 KEV | 9.6 | 9.8 | 0.9396 | 2025-01-14 |
| CVE-2024-13160 KEV | 9.6 | 9.8 | 0.9381 | 2025-01-14 |
| CVE-2024-13161 KEV | 9.4 | 9.8 | 0.9132 | 2025-01-14 |
| CVE-2024-48248 KEV | 9.4 | 8.6 | 0.9401 | 2025-03-04 |
| CVE-2018-20250 KEV | 9.2 | 7.8 | 0.9346 | 2019-02-05 |
| CVE-2023-3765 | 7.5 | 10.0 | 0.9145 | 2023-07-19 |
| CVE-2025-57790 | 5.0 | 8.8 | 0.5370 | 2025-08-20 |
| CVE-2021-21586 | 4.6 | 8.1 | 0.4898 | 2021-07-15 |
| CVE-2025-0851 | 4.6 | 9.8 | 0.4369 | 2025-01-29 |
| CVE-2024-21323 | 2.4 | 8.8 | 0.1027 | 2024-04-09 |
| CVE-2024-20401 | 2.4 | 9.8 | 0.0766 | 2024-07-17 |
| CVE-2024-29053 | 2.2 | 8.8 | 0.0663 | 2024-04-09 |
| CVE-2024-6250 | 2.2 | 7.5 | 0.1125 | 2024-06-27 |
| CVE-2024-10811 | 2.2 | 9.8 | 0.0465 | 2025-01-14 |
| CVE-2024-9924 | 2.1 | 9.8 | 0.0162 | 2024-10-14 |
| CVE-2022-24877 | 2.0 | 9.9 | 0.0062 | 2022-05-06 |
| CVE-2024-47883 | 2.0 | 9.1 | 0.0303 | 2024-10-24 |
| CVE-2024-51549 | 2.0 | 10.0 | 0.0030 | 2024-12-05 |
| CVE-2025-34392 | 2.0 | 9.8 | 0.0090 | 2025-12-10 |
| CVE-2024-2362 | 1.9 | 9.1 | 0.0191 | 2024-06-06 |
| CVE-2025-4799 | 1.9 | 7.2 | 0.0728 | 2025-06-11 |
| CVE-2022-20958 | 1.8 | 8.3 | 0.0176 | 2022-11-04 |
| CVE-2024-10831 | 1.8 | 9.1 | 0.0024 | 2025-03-20 |
| CVE-2024-10833 | 1.8 | 9.1 | 0.0024 | 2025-03-20 |
| CVE-2024-8501 | 1.8 | 8.8 | 0.0052 | 2025-03-20 |