CWE-646: Reliance on File Name or Extension of Externally-Supplied File
12 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-646 (page 1 of 1)
- CVE-2021-34639 (HIGH, CVSS 7.5, EG 8.8, 2021-08-05)
Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. This issue affects: WordPres…
- CVE-2023-0350 (MEDIUM, CVSS 6.5, EG 6.5, 2023-03-13)
Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type.
- CVE-2023-45599 (MEDIUM, CVSS 5.5, EG 5.5, 2024-03-05)
A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the de…
- CVE-2024-38432 (MEDIUM, CVSS 5.5, EG 5.5, 2024-07-30)
Matrix Tafnit v8 - CWE-646: Reliance on File Name or Extension of Externally-Supplied File
- CVE-2024-52052 (HIGH, CVSS 7.2, EG 7.2, 2024-11-21)
Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution.
- CVE-2024-8517 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-06)
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
- CVE-2025-1889 (CRITICAL, CVSS 9.8, EG 9.8, 2025-03-03)
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extens…
- CVE-2025-30662 (MEDIUM, CVSS 6.6, EG 6.6, 2025-11-13)
Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via …
- CVE-2025-41720 (MEDIUM, CVSS 4.3, EG 4.3, 2025-10-22)
A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.
- CVE-2025-58449 (HIGH, CVSS 8.7, EG 0.0, 2025-09-08)
Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input fiel…
- CVE-2026-20172 (MEDIUM, CVSS 4.3, EG 4.3, 2026-05-06)
A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for …
- CVE-2026-45315 (HIGH, CVSS 8.7, EG 8.7, 2026-05-15)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CA…
Map vulnerabilities like CWE-646 to your infrastructure
EchelonGraph correlates every CVE — across CWE-646 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.