CWE-73— External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.— MITRE CWE catalog
467 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-73page 9 of 10
- CVE-2026-40370HIGHCVSS 8.8EG 8.82026-05-12
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
- CVE-2026-40421MEDIUMCVSS 4.3EG 4.32026-05-12
Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
- CVE-2026-40605MEDIUMCVSS 5.7EG 5.72026-06-04
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configu…
- CVE-2026-40893HIGHCVSS 8.2EG 8.22026-05-14
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to…
- CVE-2026-41088HIGHCVSS 7.8EG 7.82026-05-12
Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2026-41107HIGHCVSS 7.4EG 7.42026-05-12
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
- CVE-2026-41177MEDIUMCVSS 5.5EG 5.52026-04-22
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI …
- CVE-2026-4132HIGHCVSS 7.2EG 7.22026-04-22
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the…
- CVE-2026-41389MEDIUMCVSS 5.8EG 5.82026-04-20
OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side fi…
- CVE-2026-41412MEDIUMCVSS 4.9EG 4.92026-06-02
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every exte…
- CVE-2026-41693HIGHCVSS 8.2EG 8.22026-05-08
i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath /…
- CVE-2026-42424MEDIUMCVSS 5.7EG 5.72026-04-28
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause anot…
- CVE-2026-42593MEDIUMCVSS 5.3EG 5.32026-05-14
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampE…
- CVE-2026-42597MEDIUMCVSS 5.9EG 5.92026-05-14
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intenti…
- CVE-2026-42845HIGHCVSS 7.7EG 7.72026-05-11
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-suppl…
- CVE-2026-42866MEDIUMCVSS 6.7EG 6.72026-05-11
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsa…
- CVE-2026-42881HIGHCVSS 8.4EG 8.42026-05-14
STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution (LCE) with the privileges of the user running STIGQter. This requires user interaction: the victim …
- CVE-2026-43891HIGHCVSS 7.5EG 7.52026-05-12
changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup resto…
- CVE-2026-43989HIGHCVSS 8.5EG 8.52026-05-12
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symli…
- CVE-2026-44127HIGHCVSS 8.8EG 8.82026-05-08
SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger …
- CVE-2026-44641HIGHCVSS 7.1EG 7.12026-05-15
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents…
- CVE-2026-45008MEDIUMCVSS 6.5EG 6.52026-05-15
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../…
- CVE-2026-45088HIGHCVSS 7.5EG 7.52026-05-27
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the a…
- CVE-2026-45089HIGHCVSS 8.2EG 8.22026-05-27
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directl…
- CVE-2026-45556CRITICALCVSS 9.9EG 9.92026-06-10
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through…
- CVE-2026-46383MEDIUMCVSS 5.5EG 5.52026-05-15
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on s…
- CVE-2026-46397MEDIUMCVSS 6.5EG 6.52026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files…
- CVE-2026-46399CRITICALCVSS 9.4EG 9.42026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Gi…
- CVE-2026-46402HIGHCVSS 8.1EG 8.12026-05-27
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client…
- CVE-2026-47214HIGHCVSS 7.1EG 7.12026-06-03
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
- CVE-2026-47357HIGHCVSS 7.5EG 7.52026-05-19
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unaut…
- CVE-2026-47358HIGHCVSS 7.5EG 7.52026-05-19
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, i…
- CVE-2026-47643CRITICALCVSS 9.8EG 9.82026-06-09
External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
- CVE-2026-48520MEDIUMCVSS 6.1EG 6.12026-06-16
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow conf…
- CVE-2026-48720HIGHCVSS 8.8EG 8.82026-06-24
Warp is an agentic development environment. From 0.2025.03.05.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepts non-inline `OSC 1337;File` payloads from terminal output and materialize the decoded payload as a local file wit…
- CVE-2026-48920HIGHCVSS 8.8EG 8.82026-05-27
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able t…
- CVE-2026-49145HIGHCVSS 7.5EG 7.52026-07-08
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option …
- CVE-2026-49358LOWCVSS 3.0EG 3.02026-06-19
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a regi…
- CVE-2026-5053HIGHCVSS 7.1EG 7.12026-04-11
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute…
- CVE-2026-5054HIGHCVSS 7.8EG 7.82026-04-11
NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute…
- CVE-2026-5210HIGHCVSS 7.3EG 7.32026-03-31
A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit…
- CVE-2026-53449MEDIUMCVSS 6.0EG 6.02026-07-10
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated adm…
- CVE-2026-53632MEDIUMCVSS 5.5EG 5.52026-06-15
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attemp…
- CVE-2026-53648MEDIUMCVSS 5.1EG 5.12026-07-06
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable pro…
- CVE-2026-53915HIGHCVSS 8.8EG 7.12026-06-19
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
- CVE-2026-55477HIGHCVSS 7.2EG 7.22026-06-25
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stor…
- CVE-2026-55628MEDIUMCVSS 5.5EG 5.52026-07-01
In versions prior to 7.1.2-26he, the `-concatenate` operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.
- CVE-2026-55699MEDIUMCVSS 6.5EG 6.52026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows…
- CVE-2026-55700HIGHCVSS 7.1EG 7.12026-06-25
pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite ano…
- CVE-2026-5809HIGHCVSS 7.1EG 7.12026-04-11
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied dat…
Map vulnerabilities like CWE-73 to your infrastructure
EchelonGraph correlates every CVE — across CWE-73 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →