CWE · MITRE source
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin" to access unexpected files. This is referred to as absolute path traversal.
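A containment check covering both traversal forms described above (relative "../" sequences and absolute pathnames), as an added Python example that is not part of the CWE entry; the directory layout is constructed in a temporary directory, and the function and exception names are my own:

```python
import os
import tempfile

# Added example (not from the CWE entry): keep every user-supplied name
# inside one restricted directory by canonicalising first and then checking
# containment component-by-component.

class PathTraversalError(ValueError):
    pass

def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path under base_dir, or raise."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, so an absolute
    # input such as "/usr/local/bin" is caught by the containment check
    # below rather than by join itself. realpath also resolves symlinks.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so "/srv/files2" is not treated
    # as inside "/srv/files" (a plain startswith() check gets that wrong).
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes {base!r}: {user_path!r}")
    return candidate

def is_contained(base_dir: str, user_path: str) -> bool:
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False

def demo() -> dict:
    """Exercise the check against constructed inputs in a temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "files")
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
            fh.write("ok")
        # sibling directory whose name shares the base's string prefix
        os.makedirs(os.path.join(tmp, "files2"))
        # symlink inside the base that points outside it
        os.symlink(tmp, os.path.join(base, "escape"))
        return {
            "normal": is_contained(base, "reports/q1.txt"),
            "relative": is_contained(base, "../files2/x"),
            "deep_relative": is_contained(base, "reports/../../files2/x"),
            "absolute": is_contained(base, "/etc/passwd"),
            "sibling_prefix": is_contained(base, "../files2"),
            "symlink_escape": is_contained(base, "escape/files2"),
        }
```

Only the in-tree name is accepted; every relative, absolute, sibling-prefix and symlink escape is rejected by the same single check.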
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 9 mapping(s) from 5 framework(s): CAPEC 5 (mostly) · ASVS 5.0 1 (full) · OWASP-Web 1 (full) · ATT&CK 1 (mostly) · CSF 2.0 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (1) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Validates pathnames and filenames to prevent traversal outside intended directories. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2010-2861 (KEV) | 10.0 | 9.8 | 0.9972 | 2010-08-11 |
| CVE-2014-0780 (KEV) | 10.0 | 9.8 | 0.7455 | 2014-04-25 |
| CVE-2014-0130 (KEV) | 10.0 | 7.5 | 0.5370 | 2014-05-07 |
| CVE-2013-3993 (KEV) | 10.0 | 6.5 | 0.0524 | 2014-07-07 |
| CVE-2015-0016 (KEV) | 10.0 | 7.8 | 0.7594 | 2015-01-13 |
| CVE-2015-0666 (KEV) | 10.0 | 7.5 | 0.4061 | 2015-04-03 |
| CVE-2015-3035 (KEV) | 10.0 | 7.5 | 0.8377 | 2015-04-22 |
| CVE-2015-4068 (KEV) | 10.0 | 9.1 | 0.6364 | 2015-05-29 |
| CVE-2016-0752 (KEV) | 10.0 | 7.5 | 0.9554 | 2016-02-16 |
| CVE-2016-3976 (KEV) | 10.0 | 7.5 | 0.4661 | 2016-04-07 |
| CVE-2017-12637 (KEV) | 10.0 | 7.5 | 0.9456 | 2017-08-07 |
| CVE-2018-2380 (KEV) | 10.0 | 6.6 | 0.2923 | 2018-03-01 |
| CVE-2018-5430 (KEV) | 10.0 | 8.8 | 0.4875 | 2018-04-17 |
| CVE-2018-0296 (KEV) | 10.0 | 7.5 | 0.9990 | 2018-06-07 |
| CVE-2018-14847 (KEV) | 10.0 | 9.1 | 0.9609 | 2018-08-02 |
| CVE-2018-20250 (KEV) | 10.0 | 7.8 | 0.9627 | 2019-02-05 |
| CVE-2018-18809 (KEV) | 10.0 | 6.5 | 0.7906 | 2019-03-07 |
| CVE-2019-3396 (KEV) | 10.0 | 9.8 | 0.9991 | 2019-03-25 |
| CVE-2019-5418 (KEV) | 10.0 | 7.5 | 0.9851 | 2019-03-27 |
| CVE-2019-3398 (KEV) | 10.0 | 8.8 | 0.9715 | 2019-04-18 |
| CVE-2019-11510 (KEV) | 10.0 | 10.0 | 1.0000 | 2019-05-08 |
| CVE-2018-13379 (KEV) | 10.0 | 9.1 | 1.0000 | 2019-06-04 |
| CVE-2019-16278 (KEV) | 10.0 | 9.8 | 0.9906 | 2019-10-14 |
| CVE-2019-18187 (KEV) | 10.0 | 7.5 | 0.2512 | 2019-10-28 |
| CVE-2019-7194 (KEV) | 10.0 | 9.8 | 0.8297 | 2019-12-05 |