CWE-73
408 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-73 (page 5 of 9)
- CVE-2025-0105 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-01-11
An arbitrary file deletion vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host filesystem.
- CVE-2025-0109 | MEDIUM | CVSS 6.9 | EG 0.0 | 2025-02-12
An unauthenticated file deletion vulnerability in the Palo Alto Networks PAN-OS management web interface enables an unauthenticated attacker with network access to the management web interface to delete certain files as the “nobody” us…
- CVE-2025-0111 | MEDIUM | CVSS 6.5 | EG 9.0 | ⚠ KEV | 2025-02-12
An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nob…
- CVE-2025-0124 | LOW | CVSS 3.8 | EG 3.8 | 2025-04-11
An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files as the “nobody” user; this includes …
- CVE-2025-0202 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-01-04
A vulnerability was found in TCS BaNCS 10. It has been classified as problematic. This affects an unknown part of the file /REPORTS/REPORTS_SHOW_FILE.jsp. The manipulation of the argument FilePath leads to file inclusion. The real existenc…
- CVE-2025-0211 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-01-04
A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file …
- CVE-2025-0452 | HIGH | CVSS 8.2 | EG 8.2 | 2025-03-20
eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. The application fails to properly filter the '\' character, which is commonly used as a separator in Wi…
- CVE-2025-0630 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-02-04
Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a local file inclusion attack (LFI), where any authenticated user has privileged access to files on the device's filesystem.
- CVE-2025-0851 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-01-29
A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations.
- CVE-2025-0898 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-27
The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level ac…
- CVE-2025-10058 | HIGH | CVSS 8.1 | EG 8.1 | 2025-09-17
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. …
- CVE-2025-10134 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-09-09
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2…
- CVE-2025-10306 | LOW | CVSS 3.8 | EG 3.8 | 2025-10-03
The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attacke…
- CVE-2025-10494 | HIGH | CVSS 8.1 | EG 8.1 | 2025-10-08
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. …
- CVE-2025-1056 | MEDIUM | CVSS 6.1 | EG 6.1 | 2025-04-23
Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admi…
- CVE-2025-11451 | HIGH | CVSS 7.5 | EG 7.5 | 2025-11-11
The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint. This make…
- CVE-2025-11738 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-10-18
The Media Library Assistant plugin for WordPress is vulnerable to limited file reading in all versions up to, and including, 3.29 via the mla-stream-image.php file. This makes it possible for unauthenticated attackers to read the contents …
- CVE-2025-11973 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-11-21
The 简数采集器 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, wi…
- CVE-2025-12137 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-11-01
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary a…
- CVE-2025-12529 | HIGH | CVSS 8.8 | EG 8.8 | 2025-12-02
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for …
- CVE-2025-12654 | LOW | CVSS 2.7 | EG 2.7 | 2025-12-21
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not …
- CVE-2025-12915 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-11-08
A vulnerability was found in 70mai X200 up to 20251019. This issue affects some unknown processing of the component Init Script Handler. The manipulation results in file inclusion. The attack requires a local approach. A high complexity le…
- CVE-2025-13320 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-12-12
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined…
- CVE-2025-13322 | HIGH | CVSS 8.1 | EG 8.1 | 2025-11-21
The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not proper…
- CVE-2025-13380 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-11-25
The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'l…
- CVE-2025-14059 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-07
The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled in…
- CVE-2025-1686 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-02-27
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notifi…
- CVE-2025-1730 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-03-01
The Simple Download Counter plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.0 via the 'simple_download_counter_download_handler'. This makes it possible for authenticated attackers, with Au…
- CVE-2025-1911 | LOW | CVSS 2.7 | EG 2.7 | 2025-03-26
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, an…
- CVE-2025-1972 | LOW | CVSS 2.7 | EG 2.7 | 2025-03-22
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it po…
- CVE-2025-2004 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-04-08
The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthe…
- CVE-2025-20269 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-08-20
A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, low-privileged, remote attacker to retrieve arbitrary files from the un…
- CVE-2025-20614 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-11-11
External control of file name or path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined …
- CVE-2025-21377 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-02-11
NTLM Hash Disclosure Spoofing Vulnerability
- CVE-2025-24054 | MEDIUM | CVSS 6.5 | EG 9.0 | ⚠ KEV | 2025-03-11
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
- CVE-2025-2409 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-05-22
File corruption vulnerabilities in ASPECT provide attackers access to overwrite system files if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MAT…
- CVE-2025-24996 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-03-11
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
- CVE-2025-25478 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-02-28
The account file upload functionality in Syspass 3.2.x fails to properly handle special characters in filenames. This mismanagement leads to the disclosure of the web application's source code, exposing sensitive information such as the da…
- CVE-2025-25761 | HIGH | CVSS 7.2 | EG 7.2 | 2025-02-27
HkCms v2.3.2.240702 was discovered to contain an arbitrary file write vulnerability in the component Appcenter.php.
- CVE-2025-26646 | HIGH | CVSS 8.0 | EG 8.0 | 2025-05-13
External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.
- CVE-2025-26684 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-05-13
External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
- CVE-2025-27137 | MEDIUM | CVSS 4.4 | EG 4.4 | 2025-02-24
Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track allows users with the `SYSTEM_CONFIGURATION` permission to customize notification templa…
- CVE-2025-27147 | HIGH | CVSS 8.2 | EG 8.2 | 2025-03-25
The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions…
- CVE-2025-29708 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-04-16
SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services.
- CVE-2025-29709 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-04-16
SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio.
- CVE-2025-29819 | MEDIUM | CVSS 6.2 | EG 6.2 | 2025-04-08
External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally.
- CVE-2025-2982 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-31
A vulnerability, which was classified as critical, was found in Legrand SMS PowerView 1.x. Affected is an unknown function. The manipulation of the argument redirect leads to file inclusion. It is possible to launch the attack remotely. Th…
- CVE-2025-29866 | HIGH | CVSS 8.8 | EG 0.0 | 2025-08-07
External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows Parameter Injection. This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035.
- CVE-2025-29930 | MEDIUM | CVSS 6.9 | EG 0.0 | 2025-03-18
imFAQ is an advanced questions and answers management system for ImpressCMS. Prior to 1.0.1, if the $_GET['seoOp'] parameter is manipulated to include malicious input (e.g., seoOp=php://filter/read=convert.base64-encode/resource=/var/www/h…
- CVE-2025-30201 | HIGH | CVSS 7.7 | EG 7.7 | 2025-11-21
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths i…
Map vulnerabilities like CWE-73 to your infrastructure
EchelonGraph correlates every CVE — across CWE-73 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.