VYPR

CWE-641

Improper Restriction of Names for Files and Other Resources

Abstraction: Base | Status: Incomplete | Likelihood of exploit: Low

Description

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, a script may be executed in the client's browser if the application ever displays the name of the resource on a dynamically generated web page. Alternatively, if the resources are consumed by an application parser, a specially crafted name can trigger a vulnerability inside that parser, potentially resulting in execution of arbitrary code on the server. The impact varies with how such malformed resource names are used and with whether the targeted technology contains vulnerabilities, or makes assumptions, that would make code execution possible.
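The mitigation the description points at is to restrict the name itself before it reaches either the filesystem or an output context. The following Python is an added example, not part of the VYPR or CWE entry and not code from any product listed below. It assumes a hypothetical application that stores uploads under a single directory and later renders the stored name in HTML; the allow-list rules, the `validate_resource_name`, `stored_path`, `display_name` and `triage` helpers, and the sample names in `SAMPLE_NAMES` are all constructed for this illustration.

```python
"""Restricting externally supplied resource names (CWE-641), added example.

Assumptions (not from the CWE entry): uploads live under one directory and the
stored name is later shown in HTML. Allow-list rules and sample names are
constructed for this example.
"""
import html
import re
from pathlib import PurePosixPath

# Allow-list: ASCII letters, digits, underscore, hyphen and dot, at most 128
# characters, starting with an alphanumeric so ".htaccess" or "-rf" are rejected.
# Path separators are excluded entirely, so a validated name can never escape
# the upload directory when joined onto it.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Windows reserved device names; "CON.txt" still resolves to the CON device.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


def validate_resource_name(name: str) -> str:
    """Return the name unchanged if it satisfies the allow-list, else raise ValueError.

    The full string is checked; a rejected name is never silently rewritten,
    because "fixing" it would hide the fact that something upstream sent junk.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("empty name")
    if not _NAME_RE.fullmatch(name):
        # Covers scripting characters (< > " ' &), NUL and other control
        # characters, non-ASCII lookalikes, path separators and over-long names.
        raise ValueError("character set or length")
    stem = name.split(".", 1)[0].upper()
    if stem in _RESERVED:
        raise ValueError("reserved device name")
    return name


def stored_path(upload_dir: str, name: str) -> PurePosixPath:
    """Build the on-disk path from a validated name (hypothetical upload_dir)."""
    return PurePosixPath(upload_dir) / validate_resource_name(name)


def display_name(name: str) -> str:
    """HTML-escape a name for output.

    Done regardless of validation so the display layer stays safe even for
    names stored before the allow-list existed (the 'resultant weakness' case).
    """
    return html.escape(name, quote=True)


def triage(names):
    """Map each candidate name to 'ok' or 'rejected: <reason>'."""
    verdicts = {}
    for n in names:
        try:
            validate_resource_name(n)
            verdicts[n] = "ok"
        except ValueError as exc:
            verdicts[n] = f"rejected: {exc}"
    return verdicts


SAMPLE_NAMES = [  # constructed inputs for this example
    "report-2024.pdf",
    "../../etc/passwd",
    "<script>alert(1)</script>.txt",
    ".htaccess",
    "CON.txt",
    "notes\x00.txt",
    "r\u00e9sum\u00e9.doc",
]

if __name__ == "__main__":
    for n, verdict in triage(SAMPLE_NAMES).items():
        print(f"{n!r:40} {verdict}")
    print(display_name("<script>alert(1)</script>.txt"))
```

Validation rejects rather than sanitizes: stripping characters out of a bad name can turn one rejected input into another, unintended, accepted one, and it hides the upstream fault. The HTML escaping in `display_name` is kept independent of the allow-list on purpose, since the two controls protect different sinks.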

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (8)

  • CVE-2025-47953 | High | Jun 10, 2025
    risk 0.55 | cvss 8.4 | epss 0.00

    Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

  • CVE-2025-21402 | High | Jan 14, 2025
    risk 0.51 | cvss 7.8 | epss 0.01

    Microsoft Office OneNote Remote Code Execution Vulnerability

  • CVE-2025-21361 | High | Jan 14, 2025
    risk 0.51 | cvss 7.8 | epss 0.01

    Microsoft Outlook Remote Code Execution Vulnerability

  • CVE-2024-47260 | Medium | Mar 4, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have sufficient input validation, allowing for uploading more audio clips than designed, resulting in the Axis device running out of memory. Axis has released patched AXIS OS…

  • CVE-2026-50023 | High | Jun 16, 2026
    risk 0.39 | cvss n/a | epss 0.01

    Summary: A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. Details: The fix for `CVE-2024-38519` enforced…

  • CVE-2022-23536 | Dec 19, 2022
    risk 0.00 | cvss n/a | epss 0.01

    Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager…

  • CVE-2021-41146 | Oct 21, 2021
    risk 0.00 | cvss n/a | epss 0.01

    qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead…

  • CVE-2020-36326 | Apr 28, 2021
    risk 0.00 | cvss n/a | epss 0.03

    PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by…