CWE-73
External Control of File Name or Path
Description
The product allows user input to control or influence paths or file names that are used in filesystem operations.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-13 · CAPEC-267 · CAPEC-64 · CAPEC-72 · CAPEC-76 · CAPEC-78 · CAPEC-79 · CAPEC-80
CVEs mapped to this weakness (245)
page 8 of 13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-9275 | Med | 0.41 | 6.3 | 0.00 | Sep 27, 2024 | A vulnerability was found in jeanmarc77 123solar up to 1.8.4.5. It has been rated as critical. This issue affects some unknown processing of the file /admin/admin_invt2.php. The manipulation of the argument PROTOCOLx leads to file inclusion. The attack may be initiated remotely.… | ||
| CVE-2024-23317 | Med | 0.41 | 6.3 | 0.00 | Jul 11, 2024 | External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior… | ||
| CVE-2026-20175 | Med | 0.40 | 6.1 | 0.00 | Jun 3, 2026 | A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of… | ||
| CVE-2026-23898 | Hig | 0.40 | 7.2 | 0.00 | Apr 1, 2026 | Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism. | ||
| CVE-2026-30940 | Hig | 0.40 | 7.2 | 0.01 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../… | ||
| CVE-2019-25618 | Med | 0.40 | 6.2 | 0.00 | Mar 22, 2026 | AdminExpress 1.2.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the System Compare feature. Attackers can paste a large buffer of characters into the Folder Path field and trigger the… | ||
| CVE-2025-32802 | Med | 0.40 | 6.1 | 0.00 | May 28, 2025 | Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue… | ||
| CVE-2024-37295 | Hig | 0.40 | 7.2 | 0.01 | Jun 11, 2024 | Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web… | ||
| CVE-2025-52465 | hig | 0.39 | — | 0.00 | Jun 12, 2026 | ### Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be… | ||
| CVE-2026-46345 | hig | 0.39 | — | 0.00 | May 28, 2026 | **Relevant Products/Components:** * `trestle/core/commands/author/jinja.py` * `trestle author jinja` --- ## Detailed Description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly… | ||
| CVE-2026-45725 | hig | 0.39 | — | 0.00 | May 27, 2026 | ## Summary The compliance-trestle library's remote fetching cache mechanism (HTTPSFetcher and SFTPFetcher) constructs the local cache file path from the URL path component without sanitizing path traversal sequences (`../`). When a remote OSCAL profile references a URL with… | ||
| CVE-2026-44641 | Hig | 0.39 | 7.1 | 0.00 | May 15, 2026 | Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are… | ||
| CVE-2026-5809 | Hig | 0.39 | 7.1 | 0.01 | Apr 11, 2026 | The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store… | ||
| CVE-2026-44019 | hig | 0.38 | — | 0.00 | Jun 3, 2026 | ### Impact In versions `>= 2.5.0, < 2.74.1`, `docling-core` could allow local `file://` image references and accepted inline `data:` content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by… | ||
| CVE-2026-47214 | hig | 0.38 | — | 0.00 | Jun 3, 2026 | ### Impact The HTML backend did not perform sufficient validation during resource handling: - Accepted `file://` URIs enabling local file system access when `enable_local_fetch=True` - Path resolution allowed traversal outside intended directories via `../` sequences and… | ||
| CVE-2025-29930 | Med | 0.38 | — | 0.00 | Mar 18, 2025 | imFAQ is an advanced questions and answers management system for ImpressCMS. Prior to 1.0.1, if the $_GET['seoOp'] parameter is manipulated to include malicious input (e.g., seoOp=php://filter/read=convert.base64-encode/resource=/var/www/html/config.php), the application could… | ||
| CVE-2026-35593 | Med | 0.37 | 6.8 | 0.01 | May 20, 2026 | Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, allowing an authenticated attacker to read sensitive arbitrary files from the… | ||
| CVE-2026-42866 | Med | 0.37 | — | 0.00 | May 11, 2026 | Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}."), where user comes unsanitized from the -u CLI flag or any line… | ||
| CVE-2025-13320 | Med | 0.37 | 6.8 | 0.01 | Dec 12, 2025 | The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs… | ||
| CVE-2025-1686 | Med | 0.37 | 6.8 | 0.01 | Feb 27, 2025 | Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag… |
- risk 0.41cvss 6.3epss 0.00
A vulnerability was found in jeanmarc77 123solar up to 1.8.4.5. It has been rated as critical. This issue affects some unknown processing of the file /admin/admin_invt2.php. The manipulation of the argument PROTOCOLx leads to file inclusion. The attack may be initiated remotely.…
- risk 0.41cvss 6.3epss 0.00
External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior…
- risk 0.40cvss 6.1epss 0.00
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of…
- risk 0.40cvss 7.2epss 0.00
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
- risk 0.40cvss 7.2epss 0.01
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../…
- risk 0.40cvss 6.2epss 0.00
AdminExpress 1.2.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the System Compare feature. Attackers can paste a large buffer of characters into the Folder Path field and trigger the…
- risk 0.40cvss 6.1epss 0.00
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue…
- risk 0.40cvss 7.2epss 0.01
Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web…
- risk 0.39cvss —epss 0.00
### Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be…
- risk 0.39cvss —epss 0.00
**Relevant Products/Components:** * `trestle/core/commands/author/jinja.py` * `trestle author jinja` --- ## Detailed Description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly…
- risk 0.39cvss —epss 0.00
## Summary The compliance-trestle library's remote fetching cache mechanism (HTTPSFetcher and SFTPFetcher) constructs the local cache file path from the URL path component without sanitizing path traversal sequences (`../`). When a remote OSCAL profile references a URL with…
- risk 0.39cvss 7.1epss 0.00
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are…
- risk 0.39cvss 7.1epss 0.01
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store…
- risk 0.38cvss —epss 0.00
### Impact In versions `>= 2.5.0, < 2.74.1`, `docling-core` could allow local `file://` image references and accepted inline `data:` content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by…
- risk 0.38cvss —epss 0.00
### Impact The HTML backend did not perform sufficient validation during resource handling: - Accepted `file://` URIs enabling local file system access when `enable_local_fetch=True` - Path resolution allowed traversal outside intended directories via `../` sequences and…
- risk 0.38cvss —epss 0.00
imFAQ is an advanced questions and answers management system for ImpressCMS. Prior to 1.0.1, if the $_GET['seoOp'] parameter is manipulated to include malicious input (e.g., seoOp=php://filter/read=convert.base64-encode/resource=/var/www/html/config.php), the application could…
- risk 0.37cvss 6.8epss 0.01
Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, allowing an authenticated attacker to read sensitive arbitrary files from the…
- risk 0.37cvss —epss 0.00
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}."), where user comes unsanitized from the -u CLI flag or any line…
- risk 0.37cvss 6.8epss 0.01
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs…
- risk 0.37cvss 6.8epss 0.01
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag…