| CAPEC | Related Weakness |
| Manipulating Web Input to File System Calls |
| CWE-15 | External Control of System or Configuration Setting |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-23 | Relative Path Traversal |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-264 | Permissions, Privileges, and Access Controls |
| CWE-272 | Least Privilege Violation |
| CWE-285 | Improper Authorization |
| CWE-346 | Origin Validation Error |
| CWE-348 | Use of Less Trusted Source |
| CWE-715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference |
|
| Using Slashes and URL Encoding Combined to Bypass Validation Logic |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
| CWE-697 | Incorrect Comparison |
| CWE-707 | Improper Neutralization |
|
| Using Escaped Slashes in Alternate Encoding |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-697 | Incorrect Comparison |
| CWE-707 | Improper Neutralization |
|
| URL Encoding |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
|
| Using UTF-8 Encoding to Bypass Validation Logic |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting |
| CWE-697 | Incorrect Comparison |
|
| Using Slashes in Alternate Encoding |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-185 | Incorrect Regular Expression |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-697 | Incorrect Comparison |
| CWE-707 | Improper Neutralization |
|
| Subverting Environment Variable Values |
| CWE-15 | External Control of System or Configuration Setting |
| CWE-20 | Improper Input Validation |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-353 | Missing Support for Integrity Check |
|
| Leverage Alternate Encoding |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting |
| CWE-697 | Incorrect Comparison |
|
