CWE-73(External Control of File Name or Path)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product allows user input to control or influence paths or file names that are used in filesystem operations.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| operating_system | — | Unix | Often | — |
| operating_system | — | Windows | Often | — |
| operating_system | — | macOS | Often | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2025-12656 | 2026-06-06 | The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_sit… |
| CVE-2026-46397 | 2026-06-05 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-… |
| CVE-2026-46399 | 2026-06-05 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this … |
| CVE-2026-40605 | 2026-06-04 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to… |
| CVE-2026-20175 | 2026-06-03 | A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to br… |
| CVE-2026-35080 | 2026-06-03 | The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. |
| CVE-2026-35079 | 2026-06-03 | The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. |
| CVE-2026-35078 | 2026-06-03 | The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. |
| CVE-2026-35077 | 2026-06-03 | The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. |
| CVE-2026-35076 | 2026-06-03 | The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. |
| CVE-2026-10694 | 2026-06-03 | A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in … |
| CVE-2026-41412 | 2026-06-02 | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP clie… |
| CVE-2026-10559 | 2026-06-02 | A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file… |
| CVE-2026-10558 | 2026-06-02 | A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in fil… |
| CVE-2026-9559 | 2026-05-29 | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape… |
| CVE-2026-46402 | 2026-05-27 | Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing ses… |
| CVE-2026-45089 | 2026-05-27 | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options a… |
| CVE-2026-45088 | 2026-05-27 | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagg… |
| CVE-2026-48920 | 2026-05-27 | Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that ca… |
| CVE-2025-0898 | 2026-05-27 | The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticat… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
| 2009-01-12 | CWE Content Team | 1.2 | — | updated Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Potential_Mitigations, Relationships |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Demonstrative_Examples |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Common_Consequences, Description |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Detection_Factors |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, References, Relationships, Time_of_Introduction, Type |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations, Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Maintenance_Notes, Potential_Mitigations |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Detection_Factors, Potential_Mitigations |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Potential_Mitigations, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships |