CVE-2026-40400
Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network.
CVSS
8.0
Alto
EPSS
0.6%
p44
KEV
—
Exploit Today
13
0-100
Publicado: 14 jul 2026 · Última mod.: 16 jul 2026 · CWE-23
0.6%EPSS · 30 días0.6%
2026-07-152026-07-17
Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network.
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-149037.7 ALT60.1%
——18Path traversal in Ivanti Xtraction before version 2026.2.1 allows a remote authenticated attacker to read arbitrary files outside the web root.2dCVE-2026-561968.8 ALT57.4%
——17Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network.3dCVE-2026-80237.5 ALT56.0%
——17Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client->url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving ./.. segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail->fs_path, client->url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached via wildcard/leading-dir (fnmatch FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix>/../../<file> is dispatched to the handler and, after the underlying filesystem (e.g. LittleFS/FAT) resolves the .. segments, escapes the configured web root, letting an unauthenticated remote client read arbitrary readable files on the mounted volume (information disclosure). The HTTP server requires no TLS or authentication to reach this path. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affects releases v4.0.0 through v4.4.0 for deployments that register a static-filesystem resource.11hCVE-2026-613437.2 ALT53.8%
——16LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.8dCVE-2026-506638.8 ALT47.0%
——14Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network.3dCVE-2025-667374.3 MED45.1%
——14Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component.13d