CWE-23 Relative Path Traversal: summary of the 361 CVE entries in this weakness class, with AI-generated Chinese analysis.
CWE-23 relative path traversal arises when software does not properly neutralize ".." sequences in external input, so that a constructed file path escapes the boundary of the restricted directory. Attackers typically use this flaw to read or modify sensitive system files and obtain unauthorized access. Developers should avoid building paths directly from user input; the dangerous characters must be fully neutralized through allow-list validation, path canonicalization, or restriction of the accessible scope, so that the path cannot escape the intended directory.
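As an added example (not code from the original page or from any of the projects listed below), here is the CWE-23 concatenation pattern (base directory + "/" + user-supplied name) written in Python, beside a hardened form that applies the mitigations the paragraph names: an allow-list for the name, canonicalization with `os.path.realpath`, and a containment check against the base directory. The directory tree, file names and file contents are constructed for the demonstration; the function names are my own.

```python
"""Constructed example: an unsafe profile reader (CWE-23) next to a hardened one."""
import os
import re
import tempfile

# Allow-list: a profile name is a short run of letters, digits, '_' or '-'.
# Anything else, including '.', '/', and '\\', is rejected before a path is built.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def read_profile_unsafe(data_path: str, username: str) -> str:
    """Vulnerable: the user-supplied name is concatenated straight onto the
    base directory, so '..' segments walk out of data_path (CWE-23)."""
    with open(data_path + "/" + username, "r", encoding="utf-8") as fh:
        return fh.read()


def read_profile_safe(data_path: str, username: str) -> str:
    """Hardened: allow-list the name, canonicalize the full path (resolving
    symlinks), and require the result to stay inside the canonical base."""
    if not _NAME_RE.fullmatch(username):
        raise ValueError("invalid profile name")
    base = os.path.realpath(data_path)
    target = os.path.realpath(os.path.join(base, username))
    # Containment check: the longest common prefix path must be the base itself.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes profile directory")
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed directory tree and exercise both readers.
    Returns the outcomes in a dict so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as root:
        data_path = os.path.join(root, "profiles")
        os.mkdir(data_path)
        with open(os.path.join(data_path, "alice"), "w", encoding="utf-8") as fh:
            fh.write("alice's profile\n")
        # A file one level above the profile directory stands in for /etc/passwd.
        with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("outside the allowed directory\n")

        results = {}
        results["unsafe_legit"] = read_profile_unsafe(data_path, "alice")
        # The traversal name escapes data_path and reads the sibling file.
        results["unsafe_traversal"] = read_profile_unsafe(data_path, "../secret.txt")
        results["safe_legit"] = read_profile_safe(data_path, "alice")
        try:
            read_profile_safe(data_path, "../secret.txt")
            results["safe_traversal"] = "read succeeded"
        except (ValueError, PermissionError) as exc:
            results["safe_traversal"] = type(exc).__name__

        # Why canonicalization matters: a name that passes the allow-list can
        # still point outside the base if it is a symlink. realpath resolves it
        # and the containment check rejects it.
        try:
            os.symlink(os.path.join(root, "secret.txt"), os.path.join(data_path, "bob"))
        except OSError:
            results["safe_symlink"] = "symlink unsupported"
        else:
            try:
                read_profile_safe(data_path, "bob")
                results["safe_symlink"] = "read succeeded"
            except (ValueError, PermissionError) as exc:
                results["safe_symlink"] = type(exc).__name__
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allow-list alone already blocks the ".." form, but the canonicalize-and-contain step is what catches the cases an allow-list cannot see, such as a symlink inside the directory that points outside it; the two checks are complementary, not alternatives.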
Example URLs: the first three are ordinary requests in which a parameter names a file; the last three carry "../" sequences that step out of the intended directory.

- http://example.com/get-files.jsp?file=report.pdf
- http://example.com/get-page.php?home=aaa.html
- http://example.com/some-page.asp?page=index.html
- http://example.com/get-files?file=../../../../somedir/somefile
- http://example.com/../../../../etc/shadow
- http://example.com/get-files?file=../../../../etc/passwd

Example code: the profile path is built by concatenating the user-supplied `user` parameter onto the base directory without neutralizing it.

```perl
use strict;
use warnings;
use CGI qw(param);    # param() reads the request parameter

my $dataPath = "/users/cwe/profiles";
my $username = param("user");
# Vulnerable: the unvalidated name is appended straight onto the base directory
my $profilePath = $dataPath . "/" . $username;

# ExitError is assumed to be an application-defined error handler
open(my $fh, "<", $profilePath) || ExitError("profile read error: $profilePath");
print "<ul>\n";
while (<$fh>) {
    print "<li>$_</li>\n";
}
print "</ul>\n";
```

A `user` value such as `../../../etc/passwd` therefore resolves to a file outside `/users/cwe/profiles`.

| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2025-32017 | Umbraco security vulnerability — Umbraco-CMS | 8.8 | High | 2025-04-08 |
| CVE-2025-32409 | Ratta SuperNote A6 X2 Nomad security vulnerability — SuperNote A6 X2 Nomad | 8.1 | High | 2025-04-07 |
| CVE-2025-32137 | WordPress plugin s2Member security vulnerability — s2Member | 4.9 | Medium | 2025-04-04 |
| CVE-2023-40714 | Fortinet FortiSIEM security vulnerability — FortiSIEM | 9.7 | Critical | 2025-04-02 |
| CVE-2025-2007 | WordPress plugin Import Export Suite for CSV and XML Datafeed security vulnerability — WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress | 8.1 | High | 2025-04-01 |
| CVE-2025-29789 | OpenEMR security vulnerability — openemr | 6.5 (AI) | Medium (AI) | 2025-03-25 |
| CVE-2025-27553 | Apache Commons VFS security vulnerability — Apache Commons VFS | - | - | 2025-03-23 |
| CVE-2024-6583 | Quivr security vulnerability — stangirard/quivr | 7.5 | - | 2025-03-20 |
| CVE-2024-8551 | AgentScope security vulnerability — modelscope/agentscope | 9.8 | - | 2025-03-20 |
| CVE-2024-10513 | AnythingLLM security vulnerability — mintplex-labs/anything-llm | 7.2 | - | 2025-03-20 |
| CVE-2024-7058 | Open WebUI security vulnerability — parisneo/lollms | 6.5 | - | 2025-03-20 |
| CVE-2024-6483 | Aim security vulnerability — aimhubio/aim | 9.1 | - | 2025-03-20 |
| CVE-2024-9363 | polyaxon security vulnerability — polyaxon/polyaxon | 7.5 | - | 2025-03-20 |
| CVE-2024-12019 | LogicalDOC security vulnerability — LogicalDOC Community | 6.5 | - | 2025-03-14 |
| CVE-2024-54449 | LogicalDOC security vulnerability — LogicalDOC Community | 8.8 | - | 2025-03-14 |
| CVE-2025-2056 | WordPress plugin WP Ghost security vulnerability — WP Ghost (Hide My WP Ghost) – Security & Firewall | 7.5 | High | 2025-03-14 |
| CVE-2025-23360 | NVIDIA Nemo Framework security vulnerability — NeMo Framework | 7.1 | High | 2025-03-11 |
| CVE-2025-26645 | Microsoft Remote Desktop Client security vulnerability — Remote Desktop client for Windows Desktop | 8.8 | High | 2025-03-11 |
| CVE-2025-27610 | Rack security vulnerability — rack | 7.5 | High | 2025-03-10 |
| CVE-2025-23410 | Apollo security vulnerability — Apollo | 9.8 | Critical | 2025-03-04 |
| CVE-2025-25130 | WordPress plugin Delete Comments By Status security vulnerability — Delete Comments By Status | 7.5 | High | 2025-03-03 |
| CVE-2025-27410 | PwnDoc security vulnerability — pwndoc | 6.5 | Medium | 2025-02-28 |
| CVE-2024-56340 | IBM Cognos Analytics security vulnerability — Cognos Analytics | 6.5 | Medium | 2025-02-28 |
| CVE-2024-47051 | Mautic security vulnerability — mautic/core | 9.1 | Critical | 2025-02-26 |
| CVE-2025-20059 | Ping Identity PingAM security vulnerability — PingAM Java Policy Agent | 8.8 | - | 2025-02-20 |
| CVE-2025-0822 | WordPress plugin Bit Assist security vulnerability — Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist | 6.5 | Medium | 2025-02-15 |
| CVE-2024-13791 | WordPress plugin Bit Assist security vulnerability — Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist | 4.9 | Medium | 2025-02-14 |
| CVE-2025-26349 | Q-Free MAXTIME Suite security vulnerability — MaxTime | 7.2 | High | 2025-02-12 |
| CVE-2024-54462 | image_picker_android security vulnerability — image_picker_android | 6.6 | - | 2025-01-29 |
| CVE-2024-54461 | file_selector_android security vulnerability — file_selector_android | 6.6 | - | 2025-01-29 |
CWE-23 (Relative Path Traversal) is a common weakness class; this platform records 361 CVE entries associated with it.