CWE-73: External Control of File Name or Path
407 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-73 (page 3 of 9)
- CVE-2023-49738 | HIGH | CVSS 7.5 | EG 7.5 | 2024-01-10
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
- CVE-2023-49862 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-01-10
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerab…
- CVE-2023-49863 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-01-10
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerab…
- CVE-2023-49864 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-01-10
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerab…
- CVE-2023-5247 | HIGH | CVSS 7.8 | EG 7.8 | 2023-11-30
Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a …
- CVE-2023-5816 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-10-30
The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPres…
- CVE-2023-6569 | HIGH | CVSS 8.2 | EG 8.2 | 2023-12-14
External Control of File Name or Path in h2oai/h2o-3
- CVE-2023-6618 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-12-08
A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument page …
- CVE-2024-0087 | CRITICAL | CVSS 9.0 | EG 9.0 | 2024-05-14
NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to …
- CVE-2024-0100 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-05-14
NVIDIA Triton Inference Server for Linux contains a vulnerability in the tracing API, where a user can corrupt system files. A successful exploit of this vulnerability might lead to denial of service and data tampering.
- CVE-2024-0265 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-01-07
A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php of the component GET Parameter Handler. The manipulation of the argumen…
- CVE-2024-0728 | MEDIUM | CVSS 4.7 | EG 4.7 | 2024-01-19
A vulnerability classified as problematic was found in ForU CMS up to 2020-06-23. Affected by this vulnerability is an unknown functionality of the file channel.php. The manipulation of the argument c_cmodel leads to file inclusion. The at…
- CVE-2024-10210 | HIGH | CVSS 8.4 | EG 0.0 | 2025-03-25
An External Control of File Name or Path vulnerability in the APROL Web Portal used in B&R APROL <4.4-005P may allow an authenticated network-based attacker to access data from the file system.
- CVE-2024-10361 | CRITICAL | CVSS 9.1 | EG 8.1 | 2025-03-20
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delet…
- CVE-2024-10492 | LOW | CVSS 2.7 | EG 2.7 | 2024-11-25
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to …
- CVE-2024-10672 | LOW | CVSS 2.7 | EG 2.7 | 2024-11-12
The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2…
- CVE-2024-10834 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-03-20
eosphoros-ai/db-gpt version 0.6.0 contains a vulnerability in the RAG-knowledge endpoint that allows for arbitrary file write. The issue arises from the ability to pass an absolute path to a call to `os.path.join`, enabling an attacker to …
- CVE-2024-10902 | CRITICAL | CVSS 9.8 | EG 9.1 | 2025-03-20
In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to the victim's file…
- CVE-2024-11042 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-03-20
In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critic…
- CVE-2024-11838 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-13
External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1.
- CVE-2024-12036 | HIGH | CVSS 7.5 | EG 7.5 | 2025-03-07
The CS Framework plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.9 via the get_widget_settings_json() function. This makes it possible for authenticated attackers, with subscriber-level acc…
- CVE-2024-12058 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-02-11
External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
- CVE-2024-12066 | HIGH | CVSS 8.8 | EG 8.8 | 2024-12-21
The SMSA Shipping(official) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsa_delete_label() function in all versions up to, and including, 2.3. This makes it possible for au…
- CVE-2024-12267 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-01-31
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, a…
- CVE-2024-12357 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-12-09
A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument page leads to …
- CVE-2024-1243 | HIGH | CVSS 7.2 | EG 7.2 | 2025-06-11
Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of th…
- CVE-2024-1244 | CRITICAL | CVSS 9.5 | EG 0.0 | 2025-06-11
Improper input validation in the OSSEC HIDS agent for Windows prior to version 3.8.0 allows an attacker with control over the OSSEC server or in possession of the agent's key to configure the agent to connect to a malicious UNC path. Th…
- CVE-2024-12861 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-01-30
The W2S – Migrate WooCommerce to Shopify plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.2.1 via the 'viw2s_view_log' AJAX action. This makes it possible for authenticated attackers, with…
- CVE-2024-12875 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-12-21
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible…
- CVE-2024-13922 | LOW | CVSS 2.7 | EG 2.7 | 2025-03-20
The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.0. This makes…
- CVE-2024-13984 | CRITICAL | CVSS 10.0 | EG 0.0 | 2025-08-27
QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rpts…
- CVE-2024-1603 | HIGH | CVSS 7.5 | EG 7.5 | 2024-03-23
paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.
- CVE-2024-20366 | HIGH | CVSS 7.8 | EG 7.8 | 2024-05-15
A vulnerability in the Tail-f High Availability Cluster Communications (HCC) function pack of Cisco Crosswork Network Services Orchestrator (NSO) could allow an authenticated, local attacker to elevate privileges to root on an affected dev…
- CVE-2024-20652 | HIGH | CVSS 8.1 | EG 7.5 | 2024-01-09
Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2024-2150 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-03-03
A vulnerability, which was classified as critical, has been found in SourceCodester Insurance Management System 1.0. This issue affects some unknown processing. The manipulation of the argument page leads to file inclusion. The attack may …
- CVE-2024-21545 | HIGH | CVSS 8.2 | EG 8.2 | 2024-09-25
Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges…
- CVE-2024-2155 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-03-04
A vulnerability was found in SourceCodester Best POS Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file index.php. The manipulation of the argument page leads to file inclusion. The …
- CVE-2024-21870 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-04-03
A file write vulnerability exists in the OAS Engine Tags Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An …
- CVE-2024-22178 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-04-03
A file write vulnerability exists in the OAS Engine Save Security Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to arbitrary file creation or overw…
- CVE-2024-22341 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-02-22
IBM Watson Query on Cloud Pak for Data 4.0.0 through 4.0.9, 4.5.0 through 4.5.3, 4.6.0 through 4.6.6, 4.7.0 through 4.7.4, and 4.8.0 through 4.8.7 could allow unauthorized data access from a remote data source object due to improper privil…
- CVE-2024-23317 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-07-11
External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (dis…
- CVE-2024-23634 | MEDIUM | CVSS 6.0 | EG 6.0 | 2024-03-20
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administr…
- CVE-2024-25117 | MEDIUM | CVSS 6.8 | EG 6.8 | 2024-02-21
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might lead to RCE on PHP < 8.0, and doesn't validate …
- CVE-2024-25965 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-05-14
Dell PowerScale OneFS versions 8.2.x through 9.7.0.2 contain an external control of file name or path vulnerability. A local high privilege attacker could potentially exploit this vulnerability, leading to denial of service.
- CVE-2024-25975 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-05-29
The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The file can be controlled by an authenticat…
- CVE-2024-26185 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-03-12
Windows Compressed Folder Tampering Vulnerability
- CVE-2024-27175 | MEDIUM | CVSS 4.4 | EG 4.4 | 2024-06-14
The Remote Command program allows an attacker to read any file on the printer via a Local File Inclusion vulnerability. For the affected products/models/versions, see the reference URL.
- CVE-2024-27943 | HIGH | CVSS 7.2 | EG 7.2 | 2024-05-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload generic files to the root installation directory of the system. By replacing specific files, an attacke…
- CVE-2024-27944 | HIGH | CVSS 7.2 | EG 7.2 | 2024-05-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload firmware files to the root installation directory of the system. By replacing specific files, an attack…
- CVE-2024-27945 | HIGH | CVSS 7.2 | EG 7.2 | 2024-05-14
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The bulk import feature of the affected systems allow a privileged user to upload files to the root installation directory of the system. By replacing specifi…
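Most entries on this page share one root cause: a user-supplied string reaches a filesystem call as part of a path. Two specific mistakes recur in the descriptions above: `os.path.join` silently discards the base directory when a later component is absolute (the db-gpt RAG-knowledge entry), and `../` segments escape the base when the joined path is never re-checked (the arbitrary file deletion entries). The malicious-UNC-path entries (Wazuh, OSSEC) are the same weakness with a remote `\\host\share` path. The following is an added example, not code from any project listed on this page; it is written in Python because several of the affected projects are Python code bases. `safe_join`, `unsafe_join`, `names_its_own_root`, `PathEscape`, `demo` and the probe paths are all hypothetical, constructed for this illustration.

```python
import os
import posixpath
import tempfile
from pathlib import PurePosixPath, PureWindowsPath


class PathEscape(ValueError):
    """Raised when a user-supplied path would leave the allowed base directory."""


def unsafe_join(base: str, user_path: str) -> str:
    """The naive pattern: os.path.join drops `base` entirely when `user_path`
    is absolute, so the caller never notices that the base was bypassed."""
    return os.path.join(base, user_path)


def names_its_own_root(user_path: str) -> bool:
    """True for input that carries its own root: POSIX absolute ('/etc/x'),
    Windows drive ('C:\\x', 'C:x') or UNC ('\\\\host\\share\\x', '//host/share/x').
    Both flavours are checked regardless of host OS, because a path string
    written for one OS can still be handed to a service running on the other."""
    win = PureWindowsPath(user_path)
    return (
        user_path[:1] in ("/", "\\")
        or PurePosixPath(user_path).is_absolute()
        or win.is_absolute()
        or win.drive != ""
    )


def safe_join(base: str, user_path: str) -> str:
    """Resolve user_path beneath base and prove the result stays inside it.

    1. fail closed on empty / NUL / absolute / drive / UNC input
    2. normalise slashes and collapse '.' and '..' lexically, then reject any
       '..' that survives (after normpath it can only be a leading one)
    3. canonicalise with realpath so a symlink inside base cannot point out
    4. final containment check with commonpath on the canonical paths
    """
    if not user_path or "\x00" in user_path:
        raise PathEscape("empty or NUL-containing path")
    if names_its_own_root(user_path):
        raise PathEscape(f"absolute or remote path rejected: {user_path!r}")
    normalised = posixpath.normpath(user_path.replace("\\", "/"))
    if normalised == ".." or normalised.startswith("../"):
        raise PathEscape(f"traversal rejected: {user_path!r}")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscape(f"resolved outside base: {candidate!r}")
    return candidate


def demo() -> dict:
    """Run constructed probe inputs (not taken from any advisory) through
    safe_join inside a throwaway base directory.
    Returns {input: path relative to base, or None if rejected}."""
    probes = [
        "reports/q1.pdf",            # ordinary relative path: allowed
        "a/../b.txt",                # '..' that stays inside base: allowed as b.txt
        "/etc/passwd",               # absolute: os.path.join would return it verbatim
        "../../etc/shadow",          # classic traversal
        "C:\\Windows\\win.ini",      # Windows drive path
        "\\\\attacker\\share\\x",    # UNC path, as in the malicious-UNC-path entries
        "etc_link/passwd",           # symlink inside base that points outside it
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        base_real = os.path.realpath(base)
        os.mkdir(os.path.join(base_real, "reports"))
        os.symlink("/etc", os.path.join(base_real, "etc_link"))
        for p in probes:
            try:
                results[p] = os.path.relpath(safe_join(base, p), base_real)
            except PathEscape:
                results[p] = None
    return results


if __name__ == "__main__":
    print("unsafe_join:", unsafe_join("/srv/uploads", "/etc/passwd"))
    for probe, outcome in demo().items():
        print(f"{probe!r:28} -> {'REJECTED' if outcome is None else outcome}")
```

The order of the checks matters: rejecting absolute and UNC input before any join means the code never constructs the escaping path in the first place, and the `realpath` plus `commonpath` step is what catches the symlink case that purely lexical filters miss. For delete and write operations, the same containment check should be repeated on the final resolved path immediately before the filesystem call, since a rename or symlink swap between validation and use reopens the hole.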