CWE-73External Control of File Name or Path

Abstraction: Base · CVEs in our corpus: 397

The product allows user input to control or influence paths or file names that are used in filesystem operations.

This could allow an attacker to access or modify system files or other files that are critical to the application. Path manipulation errors occur when the following two conditions are met: For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (1)AI

Control	Title	Family	Why it addresses this CWE
`SI-10`	Information Input Validation	SI	Rejects externally supplied file or resource identifiers that fail validity checks.

Top CVEs of this weakness type, ranked by Risk Priority

CVE	Risk	CVSS	EPSS	Published
`CVE-2024-43451` KEV	8.7	6.5	0.9031	2024-11-12
`CVE-2018-17246`	7.6	9.8	0.9378	2018-12-20
`CVE-2022-39952`	7.6	9.8	0.9378	2023-02-16
`CVE-2024-8517`	7.6	9.8	0.9332	2024-09-06
`CVE-2023-4634`	7.5	9.8	0.9206	2023-09-06
`CVE-2025-33053` KEV	6.8	8.8	0.5028	2025-06-10
`CVE-2022-24900`	6.4	9.9	0.7329	2022-04-29
`CVE-2021-27250`	5.5	6.5	0.7065	2021-04-14
`CVE-2024-5334`	5.3	7.5	0.6275	2024-06-27
`CVE-2025-0851`	4.6	9.8	0.4369	2025-01-29
`CVE-2020-1631` KEV	4.1	8.8	0.0540	2020-05-04
`CVE-2024-46909`	4.1	9.8	0.3488	2024-12-02
`CVE-2023-3643`	3.9	7.3	0.4067	2023-07-12
`CVE-2025-24054` KEV	3.8	6.5	0.0783	2025-03-11
`CVE-2025-0111` KEV	3.5	6.5	0.0369	2025-02-12
`CVE-2023-30943`	2.9	6.5	0.2676	2023-05-02
`CVE-2022-2431`	2.6	8.1	0.1714	2022-09-06
`CVE-2024-26185`	2.4	6.5	0.1889	2024-03-12
`CVE-2024-55372`	2.3	9.8	0.0486	2025-04-16
`CVE-2024-12066`	2.2	8.8	0.0729	2024-12-21
`CVE-2024-0087`	2.1	9.0	0.0462	2024-05-14
`CVE-2025-0105`	2.1	9.1	0.0437	2025-01-11
`CVE-2020-9752`	2.0	9.8	0.0050	2020-03-23
`CVE-2021-38477`	2.0	9.8	0.0021	2021-10-22
`CVE-2023-36019`	2.0	9.6	0.0108	2023-12-12