CWE-73
External Control of File Name or Path
MITRE
No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
showing 16 of 16
- CVE-2025-24054 · Medium · 6.5 · KEV · EXPLOIT · EPSS 8% · 20 h ago
Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
- CVE-2024-43451 · Medium · 6.5 · KEV · EPSS 90% · 20 h ago
Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
- CVE-2025-33053 · High · 8.8 · KEV · EXPLOIT · EPSS 50% · 20 h ago
Microsoft Windows External Control of File Name or Path Vulnerability
- CVE-2020-1631 · High · 8.8 · KEV · EPSS 5% · 20 h ago
Juniper Junos OS Path Traversal Vulnerability
- CVE-2025-0111 · Medium · 6.5 · KEV · EPSS 4% · 20 h ago
Palo Alto Networks PAN-OS File Read Vulnerability
- CVE-2026-45556 · Critical · 9.9 · EPSS 0% · 2 d ago
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through
- CVE-2026-47643 · Critical · 9.8 · EPSS 0% · 3 d ago
External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
- CVE-2026-35076 · High · 8.1 · EPSS 0% · 4 d ago
The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
- CVE-2026-35077 · High · 8.1 · EPSS 0% · 4 d ago
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
- CVE-2026-35078 · High · 8.1 · EPSS 0% · 4 d ago
The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
- CVE-2026-35079 · High · 8.1 · EPSS 0% · 4 d ago
The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
- CVE-2026-35080 · High · 8.1 · EPSS 0% · 4 d ago
The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
- CVE-2026-46399 · — · EPSS 0% · 4 d ago
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git
- CVE-2026-46397 · Medium · 6.5 · EPSS 0% · 4 d ago
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files
- CVE-2025-12656 · Low · 3.8 · EPSS 0% · 4 d ago
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and
- CVE-2023-38546 · Low · 3.7 · EPSS 0% · 2026-04-25
curl/libcurl: cookie injection with none file
curl
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.