CWE-73 External Control of File Name or Path: vulnerability list (315 entries)

CWE-73 External Control of File Name or Path: a summary of the 315 CVE entries in this weakness class, with AI-generated analysis (in Chinese).

CWE-73 belongs to the path traversal family of weaknesses: the application lets user input control the file name or path used in a filesystem operation. Attackers typically exploit this by constructing malicious paths to access or modify critical system files and sensitive data, compromising the application's integrity. Developers should avoid concatenating user input directly into paths; instead, validate input against an allow-list, canonicalize the resulting path, and strictly filter special characters, so that the final path is guaranteed to lie within the intended directory and illegitimate access is blocked.

MITRE CWE official description
CWE-73 External Control of File Name or Path: The product allows user input to control or influence paths or file names that are used in filesystem operations. This could allow an attacker to access or modify system files or other files that are critical to the application. Path manipulation errors occur when the following two conditions are met: 1. An attacker can specify a path used in an operation on the filesystem. 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
Common consequences (3)

Scope: Integrity, Confidentiality
Impact: Read Files or Directories, Modify Files or Directories
Note: The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.

Scope: Integrity, Confidentiality, Availability
Impact: Modify Files or Directories, Execute Unauthorized Code or Commands
Note: The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (Other)
Note: The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not hav…
Mitigations (5)

Phase: Architecture and Design
When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Phase: Architecture and Design, Operation
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the oper…

Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High

Phase: Implementation
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
Code examples (2)

Example 1 (Bad, Java). The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).

    // request parameter is concatenated straight into the path: no validation, no canonicalization
    String rName = request.getParameter("reportName");
    File rFile = new File("/usr/local/apfr/reports/" + rName);
    ...
    rFile.delete();

Example 2 (Bad, Java). The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

    // the "sub" property is trusted as-is; only the ".txt" suffix is fixed
    fis = new FileInputStream(cfg.getProperty("sub") + ".txt");
    amt = fis.read(arr);
    out.println(arr);
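As an added illustration of the two implementation-level mitigations listed above (a fixed ID-to-filename map and realpath() canonicalization), applied to the delete-by-report-name pattern of Example 1, here is a Python version written for this page; it is not MITRE's code or the page's own, and the temporary directory layout, the REPORT_BY_ID map and the helper names are constructed assumptions. Python rather than Java is used so the checks can be run directly.

```python
import os
import tempfile
from typing import Optional

# Constructed fixture (assumed layout): a reports directory holding two known
# files, a config file outside it that must stay unreachable, and a symlink
# inside the reports directory that points at that config file.
ROOT = tempfile.mkdtemp(prefix="cwe73_")
REPORT_DIR = os.path.join(ROOT, "reports")
CONF_FILE = os.path.join(ROOT, "conf", "server.xml")
os.makedirs(REPORT_DIR)
os.makedirs(os.path.dirname(CONF_FILE))
for path in (os.path.join(REPORT_DIR, "inbox.txt"),
             os.path.join(REPORT_DIR, "profile.txt"), CONF_FILE):
    with open(path, "w") as fh:
        fh.write("data\n")
os.symlink(CONF_FILE, os.path.join(REPORT_DIR, "latest.txt"))

# Mitigation 1: indirect reference map. The client only ever sends an ID;
# the real filename is looked up server-side and every other input is rejected.
REPORT_BY_ID = {"1": "inbox.txt", "2": "profile.txt"}

def report_name_by_id(report_id: str) -> Optional[str]:
    return REPORT_BY_ID.get(report_id)

# Mitigation 2: canonicalize, then contain. realpath() collapses ".." and
# follows symlinks; the result must still lie inside the base directory.
def safe_join(base_dir: str, user_name: str) -> Optional[str]:
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    # commonpath (not startswith) so "/reports2" is not accepted for "/reports"
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def delete_report(report_id: str) -> bool:
    """Hardened form of the page's rFile.delete() pattern: ID lookup first,
    containment check second, filesystem call last."""
    name = report_name_by_id(report_id)
    path = None if name is None else safe_join(REPORT_DIR, name)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True

if __name__ == "__main__":
    print(safe_join(REPORT_DIR, "../conf/server.xml"))  # None: escapes base
    print(safe_join(REPORT_DIR, "latest.txt"))          # None: symlink escapes
    print(delete_report("../conf/server.xml"), delete_report("1"))
```

The symlink case is the reason the containment check runs on the canonicalized path rather than on the raw string: "latest.txt" looks like a name inside the reports directory but resolves outside it.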
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-41693 | i18next-fs-backend path traversal leading to arbitrary file read/write | i18next-fs-backend | 8.2 | High | 2026-05-08 |
| CVE-2026-44127 | Arbitrary file deletion and local file inclusion vulnerability | Secure Email Gateway | - | - | 2026-05-08 |
| CVE-2026-7633 | Totolink N300RH arbitrary file inclusion vulnerability | N300RH | 6.5 | Medium | 2026-05-02 |
| CVE-2026-42424 | OpenClaw security vulnerability | OpenClaw | 5.7 | Medium | 2026-04-28 |
| CVE-2026-41177 | Squidex security vulnerability | squidex | 5.5 | Medium | 2026-04-22 |
| CVE-2026-4132 | WordPress plugin HTTP Headers security vulnerability | HTTP Headers | 7.2 | High | 2026-04-22 |
| CVE-2026-41389 | OpenClaw security vulnerability | OpenClaw | 5.8 | Medium | 2026-04-20 |
| CVE-2026-35465 | securedrop-client security vulnerability | securedrop-client | 7.5 | High | 2026-04-18 |
| CVE-2026-39907 | Unisys WebPerfect Image Suite security vulnerability | WebPerfect Image Suite | 9.8 | - | 2026-04-14 |
| CVE-2026-5809 | WordPress plugin wpForo Forum security vulnerability | wpForo Forum | 7.1 | High | 2026-04-11 |
| CVE-2026-5054 | NoMachine security vulnerability | NoMachine | 7.8 (AI) | High (AI) | 2026-04-11 |
| CVE-2026-5053 | NoMachine security vulnerability | NoMachine | 7.1 (AI) | High (AI) | 2026-04-11 |
| CVE-2025-65115 | Hitachi Job Management Partner security vulnerability | JP1/IT Desktop Management 2 - Manager | 8.8 | High | 2026-04-07 |
| CVE-2026-23898 | Joomla! CMS security vulnerability | Joomla! CMS | 9.1 (AI) | Critical (AI) | 2026-04-01 |
| CVE-2026-5210 | SourceCodester Leave Application System security vulnerability | Leave Application System | 7.3 | High | 2026-03-31 |
| CVE-2026-0965 | libssh security vulnerability | Red Hat Enterprise Linux 10 | 5.5 | - | 2026-03-26 |
| CVE-2026-33354 | WWBN AVideo security vulnerability | AVideo | 7.6 | High | 2026-03-23 |
| CVE-2019-25618 | Admin Express security vulnerability | AdminExpress | 6.2 | Medium | 2026-03-22 |
| CVE-2026-2351 | WordPress plugin Task Manager security vulnerability | Task Manager | 6.5 | Medium | 2026-03-21 |
| CVE-2026-32749 | SiYuan security vulnerability | siyuan | 7.6 | High | 2026-03-19 |
| CVE-2019-25472 | Intelbras TIP 200 Lite and Intelbras TELEFONE IP TIP200 security vulnerability | Telefone IP TIP 200 | 7.5 | High | 2026-03-11 |
| CVE-2026-30903 | Zoom Workplace security vulnerability | Zoom Workplace | 9.6 | Critical | 2026-03-11 |
| CVE-2026-24287 | Microsoft Windows Kernel security vulnerability | Windows 10 Version 1809 | 7.8 | High | 2026-03-10 |
| CVE-2026-25605 | Siemens SICAM SIAPP SDK security vulnerability | SICAM SIAPP SDK | 6.7 | Medium | 2026-03-10 |
| CVE-2026-25573 | Siemens SICAM SIAPP SDK security vulnerability | SICAM SIAPP SDK | 7.4 | High | 2026-03-10 |
| CVE-2026-29611 | OpenClaw security vulnerability | OpenClaw | 7.5 | High | 2026-03-05 |
| CVE-2026-28459 | OpenClaw security vulnerability | OpenClaw | 7.1 | High | 2026-03-05 |
| CVE-2026-28442 | ZimaOS security vulnerability | ZimaOS | 8.6 | High | 2026-03-05 |
| CVE-2026-28286 | ZimaOS security vulnerability | ZimaOS | 8.6 | High | 2026-03-02 |
| CVE-2026-27211 | Cloud hypervisor security vulnerability | cloud-hypervisor | 8.4 (AI) | High (AI) | 2026-02-21 |

Scores and risk levels marked (AI) carry the source page's AI marker; "-" means no value was listed.

CWE-73 (External Control of File Name or Path) is a common weakness class; this platform has collected 315 CVE entries associated with it.