CWE-552 (Files or Directories Accessible to External Parties) describes a weakness type used in various vulnerability databases and assessments. See the sections below for the definition, background, and mapped CVEs.

The product makes files or directories accessible to unauthorized actors, even though they should not be.

| Type | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | Cloud Computing | Often | — |

These CVEs are mapped to this weakness in this database and are retained for tracking and search.

| CVE | Published | Summary |
|---|---|---|
| CVE-2025-14771 | 2026-06-03 | Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. |
| CVE-2026-45543 | 2026-06-01 | Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the aff… |
| CVE-2026-40425 | 2026-05-29 | The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password. |
| CVE-2026-45088 | 2026-05-27 | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagg… |
| CVE-2024-56462 | 2026-05-27 | IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system… |
| CVE-2024-11399 | 2026-05-27 | Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks … |
| CVE-2026-45721 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent … |
| CVE-2026-40564 | 2026-05-26 | Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so tha… |
| CVE-2026-8704 | 2026-05-15 | Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified. |
| CVE-2026-33380 | 2026-05-13 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vuln… |
| CVE-2026-42063 | 2026-05-13 | A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached … |
| CVE-2026-40631 | 2026-05-13 | An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which… |
| CVE-2026-35440 | 2026-05-12 | Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally. |
| CVE-2026-32185 | 2026-05-12 | Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally. |
| CVE-2026-31216 | 2026-05-12 | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authenticat… |
| CVE-2026-31215 | 2026-05-12 | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper auth… |
| CVE-2026-39871 | 2026-05-11 | A path handling issue was addressed with improved logic. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to observe unprotected user data. |
| CVE-2026-7817 | 2026-05-11 | Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the L… |
| CVE-2026-6418 | 2026-05-05 | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchro… |
| CVE-2026-5335 | 2026-05-04 | The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information. |

| Date | Name | Version | Severity | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-08-15 | — | 1.0 | — | Suggested OWASP Top Ten 2004 mapping |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Taxonomy_Mappings |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Relationships, Taxonomy_Mappings |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Relationships |
| 2010-09-09 | — | 1.10 | — | Suggested OWASP Top Ten mapping |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Description, Relationships |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Related_Attack_Patterns |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, References, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |