CWE-36
Absolute Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
We have discovered 6,931 live websites that are affected by CWE-36.
CVEs
- Count - 6
CWE References
Website Distribution by Country
Number of websites using CWE-36 United States | 1,395 websites |
 Germany | 793 websites |
 Netherlands | 437 websites |
 France | 415 websites |
 Brazil | 344 websites |
 Russia | 267 websites |
 GB | 263 websites |
 Spain | 239 websites |
 Italy | 228 websites |
 Bulgaria | 184 websites |
Website Distribution by TLD
Number of websites using CWE-36| .com | 2,389 websites |
| .de | 429 websites |
| .nl | 392 websites |
| .org | 303 websites |
| .com.br | 272 websites |
| .ru | 226 websites |
| .fr | 197 websites |
| .it | 183 websites |
| .co.uk | 143 websites |
| .net | 138 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-36| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Apr, 2026 | CVE-2026-34515 | AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows | 181 |
| Mar, 2026 | CVE-2026-4373 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | 5,414 |
| Oct, 2025 | CVE-2025-7846 | WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function | 1 |
| Jun, 2025 | CVE-2025-6381 | BeeTeam368 Extensions <= 2.3.4 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion | 18 |
| Jun, 2025 | CVE-2025-5927 | Everest Forms (Pro) <= 1.9.4 - Unauthenticated Path Traversal to Arbitrary File Deletion | 442 |
| Jun, 2025 | CVE-2025-4799 | WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion | 875 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-36| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Mar, 2026 | CVE-2026-4373 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | 5,414 |
| Jun, 2025 | CVE-2025-4799 | WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion | 875 |
| Jun, 2025 | CVE-2025-5927 | Everest Forms (Pro) <= 1.9.4 - Unauthenticated Path Traversal to Arbitrary File Deletion | 442 |
| Apr, 2026 | CVE-2026-34515 | AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows | 181 |
| Jun, 2025 | CVE-2025-6381 | BeeTeam368 Extensions <= 2.3.4 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion | 18 |
| Oct, 2025 | CVE-2025-7846 | WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function | 1 |
Websites affected by CWE-36
Top websites that are affected by CWE-36. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.org | United States | **,*** | |
| *********.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *********.com | Germany | **,*** | |
| *******.com | United States | **,*** | |
| ************.ru | Russia | **,*** | |
| *****.cz |  Czech Republic | **,*** | |
| *****.org | United States | **,*** | |
| ****.********.edu | United States | **,*** |