Cyber Resilience

CWE · MITRE source

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Abstraction: Base · CVEs in our corpus: 9,279

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin" to access unexpected files. This is referred to as absolute path traversal.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 9 mapping(s) from 5 framework(s): CAPEC 5 (mostly) · ASVS 5.0 1 (full) · OWASP-Web 1 (full) · ATT&CK 1 (mostly) · CSF 2.0 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (1)

Control | Title | Family | Why it addresses this CWE
SI-10 | Information Input Validation | SI | Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2010-2861 (KEV) | 10.0 | 9.8 | 0.9972 | 2010-08-11
CVE-2014-0780 (KEV) | 10.0 | 9.8 | 0.7455 | 2014-04-25
CVE-2014-0130 (KEV) | 10.0 | 7.5 | 0.5370 | 2014-05-07
CVE-2013-3993 (KEV) | 10.0 | 6.5 | 0.0524 | 2014-07-07
CVE-2015-0016 (KEV) | 10.0 | 7.8 | 0.7594 | 2015-01-13
CVE-2015-0666 (KEV) | 10.0 | 7.5 | 0.4061 | 2015-04-03
CVE-2015-3035 (KEV) | 10.0 | 7.5 | 0.8377 | 2015-04-22
CVE-2015-4068 (KEV) | 10.0 | 9.1 | 0.6364 | 2015-05-29
CVE-2016-0752 (KEV) | 10.0 | 7.5 | 0.9554 | 2016-02-16
CVE-2016-3976 (KEV) | 10.0 | 7.5 | 0.4661 | 2016-04-07
CVE-2017-12637 (KEV) | 10.0 | 7.5 | 0.9456 | 2017-08-07
CVE-2018-2380 (KEV) | 10.0 | 6.6 | 0.2923 | 2018-03-01
CVE-2018-5430 (KEV) | 10.0 | 8.8 | 0.4875 | 2018-04-17
CVE-2018-0296 (KEV) | 10.0 | 7.5 | 0.9990 | 2018-06-07
CVE-2018-14847 (KEV) | 10.0 | 9.1 | 0.9609 | 2018-08-02
CVE-2018-20250 (KEV) | 10.0 | 7.8 | 0.9627 | 2019-02-05
CVE-2018-18809 (KEV) | 10.0 | 6.5 | 0.7906 | 2019-03-07
CVE-2019-3396 (KEV) | 10.0 | 9.8 | 0.9991 | 2019-03-25
CVE-2019-5418 (KEV) | 10.0 | 7.5 | 0.9851 | 2019-03-27
CVE-2019-3398 (KEV) | 10.0 | 8.8 | 0.9715 | 2019-04-18
CVE-2019-11510 (KEV) | 10.0 | 10.0 | 1.0000 | 2019-05-08
CVE-2018-13379 (KEV) | 10.0 | 9.1 | 1.0000 | 2019-06-04
CVE-2019-16278 (KEV) | 10.0 | 9.8 | 0.9906 | 2019-10-14
CVE-2019-18187 (KEV) | 10.0 | 7.5 | 0.2512 | 2019-10-28
CVE-2019-7194 (KEV) | 10.0 | 9.8 | 0.8297 | 2019-12-05