CWE-22


Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.


We have discovered 3,534,416 live websites that are affected by CWE-22.

CVEs

  • Count - 336



Website Distribution by Country

Number of websites affected by CWE-22

| Country | Websites |
|---|---|
| United States | 914,541 |
| Germany | 346,180 |
| Italy | 219,787 |
| France | 186,291 |
| GB | 154,027 |
| Russia | 134,458 |
| Poland | 107,584 |
| Spain | 104,732 |
| Netherlands | 104,345 |
| Brazil | 88,443 |

Website Distribution by TLD

Number of websites affected by CWE-22

| TLD | Websites |
|---|---|
| .com | 1,396,904 |
| .de | 193,616 |
| .it | 153,378 |
| .org | 148,856 |
| .ru | 109,057 |
| .nl | 91,593 |
| .co.uk | 89,574 |
| .com.br | 82,298 |
| .pl | 80,965 |
| .net | 80,200 |

Newest CVEs

List of the most recent CVEs that are part of CWE-22

| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Apr, 2026 | CVE-2026-4351 | Perfmatters <= 2.5.9 - Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter | 17,092 |
| Apr, 2026 | CVE-2026-31939 | Path Traversal (Arbitrary File Delete) in Chamilo LMS | 9 |
| Apr, 2026 | CVE-2026-5436 | MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys | 390 |
| Apr, 2026 | CVE-2026-39844 | NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization | 18 |
| Apr, 2026 | CVE-2026-39345 | OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader | 9 |
| Apr, 2026 | CVE-2026-39365 | Vite has a Path Traversal in Optimized Deps `.map` Handling | 3 |
| Apr, 2026 | CVE-2026-4350 | Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter | 17,092 |
| Apr, 2026 | CVE-2026-4347 | MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir | 387 |
| Apr, 2026 | CVE-2026-34728 | phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController | 195 |
| Mar, 2026 | CVE-2025-15433 | Shared Files < 1.7.58 - Contributor+ Arbitrary File Download | 578 |

List of the most common CVEs that are part of CWE-22

| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Aug, 2025 | CVE-2025-9217 | Slider Revolution <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' | 1,174,043 |
| Aug, 2025 | CVE-2025-8081 | Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import | 992,311 |
| Aug, 2024 | CVE-2024-5709 | WPBakery <= 7.7 - Authenticated (Author+) Local File Inclusion | 843,102 |
| May, 2023 | CVE-2023-2745 | WordPress Core < 6.2.1 - Directory Traversal | 703,872 |
| Jun, 2024 | CVE-2024-32111 | WordPress core < 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability | 569,182 |
| May, 2024 | CVE-2024-24934 | WordPress Elementor plugin <= 3.19.0 - Arbitrary File Deletion and Phar Deserialization vulnerability | 449,984 |
| Mar, 2026 | CVE-2026-2448 | Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion | 110,196 |
| Mar, 2026 | CVE-2026-3585 | The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import | 83,734 |
| May, 2024 | CVE-2023-46205 | WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.19.14 - Local File Inclusion vulnerability | 66,899 |
| Apr, 2022 | CVE-2022-24785 | Path Traversal in Moment.js | 63,038 |

Websites affected by CWE-22

Top websites that are affected by CWE-22.

| Domain | Country | Rank / Contacts |
|---|---|---|
| ****.io | France | *** |
| *****.net | Canada | *** |
| **************.de | Germany | *** |
| ***.********.com | United States | *** |
| ***************.org | United States | *** |
| **********.com | United States | *** |
| ******.com | United States | *** |
| ****.com | United States | *** |
| ****************.de | Germany | *** |
| **********.com | United States | *** |