CWE-646
10 CVEs classified under CWE-646. Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-45315 | High | 8.7 | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint take… |
CVE-2021-34639 | High | 7.5 | 2021-08-05 | Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.p… |
CVE-2025-30662 | Medium | 6.6 | 2025-11-13 | Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tr… |
CVE-2024-38432 | Medium | 5.5 | 2024-07-30 | Matrix Tafnit v8 - CWE-646: Reliance on File Name or Extension of Externally-Supplied File |
CVE-2023-45599 | Medium | 5.5 | 2024-03-05 | A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote… |
CVE-2026-20172 | Medium | 4.3 | 2026-05-06 | A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attac… |
CVE-2025-41720 | Medium | 4.3 | 2025-10-22 | A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension… |
CVE-2025-58449 | | 2025-09-08 | Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Prod… | |
CVE-2025-1889 | | 2025-03-03 | picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that… | |
CVE-2024-52052 | | 2024-11-21 | Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream… |