CWE · MITRE source
CWE-36: Absolute Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
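The mechanism behind this weakness is that most path-joining APIs discard everything before an absolute component, so a base directory prepended to attacker-controlled input silently disappears. The following added example (not MITRE's or this site's code) shows that behaviour with Python's `os.path.join` next to a containment check that rejects absolute input, canonicalizes the result, and verifies the resolved path still lies under the restricted directory. `BASE_DIR` is a hypothetical upload directory chosen for the example.

```python
import os

# Hypothetical restricted directory (an assumption for this example).
BASE_DIR = "/srv/app/uploads"


def vulnerable_join(base, user_path):
    """The CWE-36 pattern: os.path.join discards every earlier component
    as soon as it meets an absolute one, so an absolute user_path
    replaces base entirely."""
    return os.path.join(base, user_path)


def resolve_under(base, user_path):
    """Return a canonical absolute path guaranteed to be inside base.

    Raises ValueError for absolute input and for any input whose
    resolved form (after '..' collapsing and symlink resolution) lands
    outside base.
    """
    base_real = os.path.realpath(base)

    # Absolute input is never a legitimate relative file name, so reject it
    # before joining rather than relying on the join to neutralize it.
    # (On Windows, drive-letter and UNC forms are also absolute; os.path.isabs
    # handles the platform it runs on.)
    if os.path.isabs(user_path):
        raise ValueError(f"absolute path rejected: {user_path!r}")

    candidate = os.path.realpath(os.path.join(base_real, user_path))

    # commonpath is the containment test. A plain str.startswith() would
    # wrongly accept a sibling such as /srv/app/uploads-old.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes restricted directory: {user_path!r}")
    return candidate


def is_contained(base, user_path):
    """Boolean wrapper around resolve_under for callers that just need a verdict."""
    try:
        resolve_under(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign relative name, one absolute, one '..'
    # escape, one sibling-directory escape.
    for name in ["reports/q1.pdf", "/etc/passwd", "../../../etc/passwd", "../uploads-old/x"]:
        print(f"{name!r:28} join -> {vulnerable_join(BASE_DIR, name)!r:32} "
              f"contained={is_contained(BASE_DIR, name)}")
```

The check rejects absolute input explicitly instead of trusting the join, and then still verifies the canonical result, so the same function also covers the related relative-traversal case. Perform the check on the realpath, not on the raw string, so that symlinks inside the base directory cannot redirect a "contained" name elsewhere.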
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 3 mapping(s) from 3 framework(s): OWASP-Web 1 (full) · ATT&CK 1 (mostly) · CAPEC 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (0)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | | | |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2018-20250 KEV | 10.0 | 7.8 | 0.9627 | 2019-02-05 |
| CVE-2024-13159 KEV | 10.0 | 9.8 | 0.9976 | 2025-01-14 |
| CVE-2024-13160 KEV | 10.0 | 9.8 | 0.8974 | 2025-01-14 |
| CVE-2024-13161 KEV | 10.0 | 9.8 | 0.8852 | 2025-01-14 |
| CVE-2024-48248 KEV | 10.0 | 8.6 | 0.9399 | 2025-03-04 |
| CVE-2023-3765 | 8.0 | 10.0 | 0.7074 | 2023-07-19 |
| CVE-2022-24877 | 7.0 | 9.9 | 0.0111 | 2022-05-06 |
| CVE-2024-2362 | 7.0 | 9.1 | 0.0115 | 2024-06-06 |
| CVE-2024-20401 | 7.0 | 9.8 | 0.0228 | 2024-07-17 |
| CVE-2024-9924 | 7.0 | 9.8 | 0.0080 | 2024-10-14 |
| CVE-2024-47883 | 7.0 | 9.1 | 0.0160 | 2024-10-24 |
| CVE-2024-51549 | 7.0 | 10.0 | 0.0054 | 2024-12-05 |
| CVE-2024-10811 | 7.0 | 9.8 | 0.0319 | 2025-01-14 |
| CVE-2025-0851 | 7.0 | 9.8 | 0.2308 | 2025-01-29 |
| CVE-2024-10831 | 7.0 | 9.1 | 0.0077 | 2025-03-20 |
| CVE-2024-10833 | 7.0 | 9.1 | 0.0077 | 2025-03-20 |
| CVE-2025-34392 | 7.0 | 9.8 | 0.2201 | 2025-12-10 |
| CVE-2025-57790 UPD | 6.0 | 8.8 | 0.1611 | 2025-08-20 |
| CVE-2025-68472 | 6.0 | 8.1 | 0.1921 | 2026-01-12 |
| CVE-2017-7929 | 5.5 | 7.1 | 0.0154 | 2017-05-06 |
| CVE-2021-1296 | 5.5 | 7.5 | 0.0369 | 2021-02-04 |
| CVE-2021-1297 | 5.5 | 7.5 | 0.0369 | 2021-02-04 |
| CVE-2021-21586 | 5.5 | 8.1 | 0.0404 | 2021-07-15 |
| CVE-2022-1554 | 5.5 | 7.5 | 0.0130 | 2022-05-03 |
| CVE-2022-20958 | 5.5 | 8.3 | 0.0095 | 2022-11-04 |