Vulnerabilities > External Control of File Name or Path

| Date | CVE | Vulnerability | Tags | Risk |
|---|---|---|---|---|
| 2025-05-13 | CVE-2025-26646 | External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network. | network, low complexity, CWE-73 | 8.0 |
| 2025-05-13 | CVE-2025-26684 | External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | local, low complexity, CWE-73 | 6.7 |
| 2025-05-08 | CVE-2025-3419 | The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. | network, low complexity, CWE-73 | 7.5 |
| 2025-05-06 | CVE-2025-46762 | External Control of File Name or Path vulnerability in Apache Parquet. Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. | network, low complexity, apache, CWE-73 | 9.8 (critical) |
| 2025-04-19 | CVE-2025-3103 | The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. | network, low complexity, CWE-73 | 7.5 |
| 2025-04-08 | CVE-2025-29819 | External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally. | local, low complexity, CWE-73 | 6.2 |
| 2025-04-08 | CVE-2025-3431 | The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. | network, low complexity, CWE-73 | 7.5 |
| 2025-04-08 | CVE-2025-2004 | The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. | network, low complexity, CWE-73 | 9.1 (critical) |
| 2025-03-31 | CVE-2025-2982 | A vulnerability, which was classified as critical, was found in Legrand SMS PowerView 1.x. | network, low complexity, CWE-73 | 6.3 |
| 2025-03-26 | CVE-2025-1911 | The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. | network, low complexity, CWE-73 | 2.7 |