This page collects WhisperX intelligence signals tagged #CWE-22. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical path traversal vulnerability in the `creative-ad-agent-server` allows unauthenticated attackers to read arbitrary files from the host system. The flaw, discovered by independent researcher BruceJin, resides in the `/api/generated-image` endpoint, where user-supplied input is improperly sanitized before being...
A static application security testing (SAST) scan of the Apache Superset codebase has identified a medium-severity vulnerability related to improper URL scheme validation. The scanner, Bandit, flagged five distinct locations where the `urlopen` function is used without restricting permitted URL schemes, potentially all...
A static application security testing (SAST) scan of the Apache Superset codebase has identified a medium-severity vulnerability related to improper URL scheme validation. The scanner, Bandit, flagged five distinct locations where the code opens URLs without restricting permitted schemes, potentially allowing the use o...
A high-severity path traversal vulnerability has been identified in a web application's log viewer, allowing attackers to read arbitrary files on the server. The flaw resides in the `show_logs` route within the `app.py` file, where user-supplied input is used directly to open files without any sanitization. By manipula...
A high-severity Local File Inclusion (LFI) and Path Traversal vulnerability has been identified in a critical administrative endpoint. The flaw, located in the `show_logs` function of `app.py`, allows an authenticated admin user to read sensitive system files far beyond the intended logs directory. By manipulating the ...
A high-severity security vulnerability in a Python application's `app.py` file allows attackers to overwrite critical system files. The flaw, a classic path traversal (CWE-22), resides in the `upload_file` function at line 220, where user-supplied filenames are used directly without sanitization. By submitting a malici...
A critical scope vulnerability has been identified in the `deleteViaEphemeral` utility function, classified under F1085 and mapped to CWE-78 and CWE-22. The flaw causes the function to delete the entire `/configs` volume mount rather than scoped individual files, representing a severe data destruction risk for any syst...
A critical path traversal vulnerability has been remediated in the file upload endpoint at `packages/lib/services/rest/routes/resources.ts`. The flaw, designated CWE-22, enabled attackers to access or modify arbitrary filesystem locations on the server by exploiting insufficient input validation on file paths during mu...
A documented path traversal vulnerability, tracked as CVE-2026-4307 and classified under CWE-22, has been disclosed in Agent Zero, an AI agent framework. The flaw affects versions 0.9.7 through 0.9.10, exposing systems to potential file system access beyond intended boundaries. The vulnerability was identified and repo...
A security audit has identified a significant gap in path traversal defenses within `backend/server.js`. The file operations module at lines 176-218 currently implements only basic pattern matching for parent directory traversal sequences (`../` and `..\`), leaving the system potentially vulnerable to Unicode and URL e...