CWE-22

The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.

A path traversal in statics-server exists in all version that allows an attacker to perform a path traversal when a symlink is used within the working directory.

A Path traversal exists in http_server which allows an attacker to read arbitrary system files.

Cuberite before 2019-06-11 allows webadmin directory traversal via ….// because the protection mechanism simply removes one ../ substring.

jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal.

Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler.