Threats Tagged 'cwe-73'
View all threats tagged with 'cwe-73'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'cwe-73'
Click on any threat for detailed analysis and mitigation recommendations
CVE-2025-12656: CWE-73 External Control of File Name or Path in wpvividplugins WPvivid — Backup, Migration & StagingCVE-2025-12656 0 The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data. Join the discussion | CVE Database V5 | 06/05/2026, 23:28:25 UTC Added: 06/05/2026, 23:48:36 UTC |
CVE-2026-46397: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in haxtheweb haxcms-phpCVE-2026-46397 0 HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue. Join the discussion | CVE Database V5 | 06/05/2026, 19:11:52 UTC Added: 06/05/2026, 19:33:38 UTC |
CVE-2026-46399: CWE-15: External Control of System or Configuration Setting in haxtheweb haxcms-nodejsCVE-2026-46399 0 HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue. Join the discussion | CVE Database V5 | 06/05/2026, 18:13:15 UTC Added: 06/05/2026, 19:03:38 UTC |
CVE-2026-35078: CWE-73 External Control of File Name or Path in MBS Single-ACVE-2026-35078 0 The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. Join the discussion | CVE Database V5 | 06/03/2026, 10:39:33 UTC Added: 06/03/2026, 15:49:02 UTC |
CVE-2026-35077: CWE-73 External Control of File Name or Path in MBS Single-ACVE-2026-35077 0 The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. Join the discussion | CVE Database V5 | 06/03/2026, 10:39:12 UTC Added: 06/03/2026, 15:49:02 UTC |
CVE-2026-35080: CWE-73 External Control of File Name or Path in MBS Single-ACVE-2026-35080 0 The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. Join the discussion | CVE Database V5 | 06/03/2026, 10:40:25 UTC Added: 06/03/2026, 14:18:58 UTC |
CVE-2026-35079: CWE-73 External Control of File Name or Path in MBS Single-ACVE-2026-35079 0 The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. Join the discussion | CVE Database V5 | 06/03/2026, 10:39:51 UTC Added: 06/03/2026, 14:18:58 UTC |
CVE-2026-35076: CWE-73 External Control of File Name or Path in MBS Single-ACVE-2026-35076 0 The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. Join the discussion | CVE Database V5 | 06/03/2026, 10:38:49 UTC Added: 06/03/2026, 14:18:58 UTC |
CVE-2026-41412: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in alfio-event alf.ioCVE-2026-41412 0 alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The `postFileAndSaveResponse()` method accepts an arbitrary filesystem path as its `file` parameter and reads the file contents using `new FileInputStream(file)` with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue. Join the discussion | CVE Database V5 | 06/02/2026, 22:51:36 UTC Added: 06/02/2026, 23:18:36 UTC |
CVE-2026-10621: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Collibra Collibra Platform (SaaS)CVE-2026-10621 0 Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory. Join the discussion | CVE Database V5 | 06/02/2026, 14:03:35 UTC Added: 06/02/2026, 14:18:48 UTC |
Showing 1 to 10 of 191 results