CWE-610 · Externally Controlled Reference to a Resource in Another Sphere
233 CVEs classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-27593 | Critical | 10.0 | 2022-09-08 | An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an at… |
| CVE-2019-7290 | Critical | 10.0 | 2019-12-18 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in Shortcuts 2.1.3 for iOS. A sandboxed process may be able to circumve… |
| CVE-2017-16088 | Critical | 10.0 | 2018-06-07 | The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard… |
| CVE-2022-39206 | Critical | 9.9 | 2022-09-13 | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on… |
| CVE-2026-47643 | Critical | 9.8 | 2026-06-09 | External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network. |
| CVE-2025-22144 | Critical | 9.8 | 2025-01-13 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can vali… |
| CVE-2022-20239 | Critical | 9.8 | 2022-08-10 | remap_pfn_range' here may map out of size kernel memory (for example, may map the kernel area), and because the 'vma->vm_page_prot' can also be controlled by u… |
| CVE-2021-44041 | Critical | 9.8 | 2021-12-14 | UiPath Assistant 21.4.4 will load and execute attacker controlled data from the file path supplied to the --dev-widget argument of the URI handler for uipath-a… |
| CVE-2021-43685 | Critical | 9.8 | 2021-12-01 | libretime hv3.0.0-alpha.10 is affected by a path manipulation vulnerability in /blob/master/legacy/application/modules/rest/controllers/ShowImageController.php… |
| CVE-2020-14057 | Critical | 9.8 | 2020-07-01 | Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allow… |
| CVE-2020-9752 | Critical | 9.8 | 2020-03-23 | Naver Cloud Explorer before 2.2.2.11 allows the attacker to move a local file in any path on the filesystem as a system privilege through its named pipe. |
| CVE-2026-30903 | Critical | 9.6 | 2026-03-11 | External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation… |
| CVE-2024-5823 | Critical | 9.1 | 2024-10-29 | A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to… |
| CVE-2024-32980 | Critical | 9.1 | 2024-05-08 | Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applicati… |
| CVE-2021-41244 | Critical | 9.1 | 2021-11-15 | Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and ther… |
| CVE-2021-27648 | Critical | 9.0 | 2021-04-28 | Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote aut… |
| CVE-2024-42168 | High | 8.9 | 2025-01-11 | HCL MyXalytics is affected by an out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then ind… |
| CVE-2026-57301 | High | 8.8 | 2026-06-24 | Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Con… |
| CVE-2026-40370 | High | 8.8 | 2026-05-12 | External control of file name or path in SQL Server allows an authorized attacker to execute code over a network. |
| CVE-2026-0522 | High | 8.8 | 2026-04-01 | A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the… |