CWE-610
DiscouragedExternally Controlled Reference to a Resource in Another Sphere
Abstraction: Class · Status: Draft
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
278 vulnerabilities reference this CWE, most recent first.
GHSA-3Q5H-R4QP-QQCG
Vulnerability from github – Published: 2023-11-30 06:33 – Updated: 2023-11-30 06:33Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.
{
"affected": [],
"aliases": [
"CVE-2023-5247"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T04:15:07Z",
"severity": "HIGH"
},
"details": "Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.",
"id": "GHSA-3q5h-r4qp-qqcg",
"modified": "2023-11-30T06:33:24Z",
"published": "2023-11-30T06:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5247"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU93383160"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-016_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3Q5R-87HX-PV77
Vulnerability from github – Published: 2023-10-04 21:30 – Updated: 2023-10-04 21:30Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 29051.
{
"affected": [],
"aliases": [
"CVE-2023-44209"
],
"database_specific": {
"cwe_ids": [
"CWE-610"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T20:15:10Z",
"severity": "MODERATE"
},
"details": "Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 29051.",
"id": "GHSA-3q5r-87hx-pv77",
"modified": "2023-10-04T21:30:22Z",
"published": "2023-10-04T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44209"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-2119"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3X6X-HP89-VCMQ
Vulnerability from github – Published: 2026-03-06 00:31 – Updated: 2026-03-06 00:31Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186.
{
"affected": [],
"aliases": [
"CVE-2026-28721"
],
"database_specific": {
"cwe_ids": [
"CWE-610"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T00:16:13Z",
"severity": "HIGH"
},
"details": "Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186.",
"id": "GHSA-3x6x-hp89-vcmq",
"modified": "2026-03-06T00:31:35Z",
"published": "2026-03-06T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28721"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-8445"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4377-HQ3V-HGQH
Vulnerability from github – Published: 2022-12-20 21:30 – Updated: 2022-12-20 21:30In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-220733496
{
"affected": [],
"aliases": [
"CVE-2022-20515"
],
"database_specific": {
"cwe_ids": [
"CWE-610"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-220733496",
"id": "GHSA-4377-hq3v-hgqh",
"modified": "2022-12-20T21:30:18Z",
"published": "2022-12-20T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20515"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-448F-WW7H-5M58
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the server
{
"affected": [],
"aliases": [
"CVE-2022-2638"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the server",
"id": "GHSA-448f-ww7h-5m58",
"modified": "2022-09-02T00:01:02Z",
"published": "2022-08-29T20:06:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2638"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/70840a72-ccdc-4eee-9ad2-874809e5de11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45CG-2683-GFMQ
Vulnerability from github – Published: 2026-03-03 21:37 – Updated: 2026-03-19 22:19Impact
assertBrowserNavigationAllowed() validated only http:/https: network targets but implicitly allowed other schemes. An authenticated gateway user could navigate browser sessions to file:// URLs and read local files via browser snapshot/extraction flows.
Affected Component
src/browser/navigation-guard.ts
Technical Reproduction
- Authenticate to a gateway that has browser tooling enabled.
- Invoke browser navigation with a
file://URL (for examplefile:///etc/passwd). - Read page content through browser snapshot/extract actions.
Demonstrated Impact
An attacker with valid gateway credentials and browser-tool access can exfiltrate local files readable by the OpenClaw process user (for example config/secrets in that user context).
Environment
- OpenClaw browser tool enabled
- Attacker has authenticated access capable of invoking browser actions
Remediation Advice
Reject unsupported navigation schemes and allow only explicitly safe non-network URLs. OpenClaw now blocks non-network schemes (such as file:, data:, and javascript:) while preserving about:blank.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.19-2 - Patched in planned next release:
2026.2.21
Fix Commit(s)
220bd95eff6838234e8b4b711f86d4565e16e401
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.21) so once npm 2026.2.21 is published, the advisory can be published directly.
OpenClaw thanks @q1uf3ng for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32008"
],
"database_specific": {
"cwe_ids": [
"CWE-610"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:37:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\n`assertBrowserNavigationAllowed()` validated only `http:`/`https:` network targets but implicitly allowed other schemes. An authenticated gateway user could navigate browser sessions to `file://` URLs and read local files via browser snapshot/extraction flows.\n\n## Affected Component\n\n- `src/browser/navigation-guard.ts`\n\n## Technical Reproduction\n\n1. Authenticate to a gateway that has browser tooling enabled.\n2. Invoke browser navigation with a `file://` URL (for example `file:///etc/passwd`).\n3. Read page content through browser snapshot/extract actions.\n\n## Demonstrated Impact\n\nAn attacker with valid gateway credentials and browser-tool access can exfiltrate local files readable by the OpenClaw process user (for example config/secrets in that user context).\n\n## Environment\n\n- OpenClaw browser tool enabled\n- Attacker has authenticated access capable of invoking browser actions\n\n## Remediation Advice\n\nReject unsupported navigation schemes and allow only explicitly safe non-network URLs. OpenClaw now blocks non-network schemes (such as `file:`, `data:`, and `javascript:`) while preserving `about:blank`.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.19-2`\n- Patched in planned next release: `2026.2.21`\n\n## Fix Commit(s)\n\n- `220bd95eff6838234e8b4b711f86d4565e16e401`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.21`) so once npm `2026.2.21` is published, the advisory can be published directly.\n\nOpenClaw thanks @q1uf3ng for reporting.",
"id": "GHSA-45cg-2683-gfmq",
"modified": "2026-03-19T22:19:19Z",
"published": "2026-03-03T21:37:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-45cg-2683-gfmq"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/220bd95eff6838234e8b4b711f86d4565e16e401"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files"
}
GHSA-4662-9QVH-XXM7
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2023-08-08 15:31A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2021-36190"
],
"database_specific": {
"cwe_ids": [
"CWE-610"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T14:15:00Z",
"severity": "MODERATE"
},
"details": "A unintended proxy or intermediary (\u0027confused deputy\u0027) in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.",
"id": "GHSA-4662-9qvh-xxm7",
"modified": "2023-08-08T15:31:24Z",
"published": "2021-12-09T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36190"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-21-123"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4883-9GWJ-77MJ
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-6105"
],
"database_specific": {
"cwe_ids": [
"CWE-610"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-15T15:15:00Z",
"severity": "HIGH"
},
"details": "An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-4883-9gwj-77mj",
"modified": "2022-05-24T17:30:45Z",
"published": "2022-05-24T17:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6105"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-26"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-49JR-333R-MQW3
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:30A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool.
{
"affected": [],
"aliases": [
"CVE-2022-42733"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-17T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in syngo Dynamics (All versions \u003c VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website\u2019s application pool.",
"id": "GHSA-49jr-333r-mqw3",
"modified": "2024-04-04T05:30:21Z",
"published": "2023-07-06T19:24:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42733"
},
{
"type": "WEB",
"url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-741697"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4CJP-GF5V-8843
Vulnerability from github – Published: 2025-07-09 06:30 – Updated: 2025-07-11 21:31The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
{
"affected": [],
"aliases": [
"CVE-2025-6691"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-09T06:15:23Z",
"severity": "HIGH"
},
"details": "The SureForms \u2013 Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
"id": "GHSA-4cjp-gf5v-8843",
"modified": "2025-07-11T21:31:03Z",
"published": "2025-07-09T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6691"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/sureforms/trunk/admin/views/entries-list-table.php#L661"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3319753%40sureforms\u0026new=3319753%40sureforms\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/sureforms"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4658546-bf57-414b-a3c9-bf7a5692c5fe?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-219: XML Routing Detour Attacks
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.