CWE-641
Improper Restriction of Names for Files and Other Resources
Description
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-47953 | | High | 0.55 | 8.4 | 0.00 | | Jun 10, 2025 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-21402 | | High | 0.51 | 7.8 | 0.01 | | Jan 14, 2025 | Microsoft Office OneNote Remote Code Execution Vulnerability |
| CVE-2025-21361 | | High | 0.51 | 7.8 | 0.01 | | Jan 14, 2025 | Microsoft Outlook Remote Code Execution Vulnerability |
| CVE-2024-47260 | | Medium | 0.42 | 6.5 | 0.00 | | Mar 4, 2025 | 51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have sufficient input validation, allowing for uploading more audio clips than designed, resulting in the Axis device running out of memory. Axis has released patched AXIS OS… |
| CVE-2026-50023 | | High | 0.39 | — | 0.01 | | Jun 16, 2026 | Summary: A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. Details: The fix for `CVE-2024-38519` enforced… |
| CVE-2022-23536 | | | 0.00 | — | 0.01 | | Dec 19, 2022 | Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager… |
| CVE-2021-41146 | | | 0.00 | — | 0.01 | | Oct 21, 2021 | qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead… |
| CVE-2020-36326 | | — | 0.00 | — | 0.03 | | Apr 28, 2021 | PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by… |