Skip to main content

CWE-641

Improper Restriction of Names for Files and Other Resources

12 CVEs Avg CVSS 7.5 MITRE
1
CRITICAL
7
HIGH
4
MEDIUM
0
LOW
2
POC
0
KEV

Monthly

CVE-2026-50510 HIGH PATCH This Week

Local code execution in the GitHub Copilot plugin for JetBrains IDEs allows an unauthorized attacker to run arbitrary code on a developer's machine by leveraging improper restriction of file/resource names (CWE-641), with exploitation requiring the victim to perform an action (UI:R). Rated CVSS 7.8 (high) with full confidentiality, integrity, and availability impact, this is a local-vector flaw affecting developers running the Copilot extension; no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has published a fix advisory (MSRC CVE-2026-50510).

Authentication Bypass Github Copilot Plugin For Jetbrains Ides
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-50023 PyPI CRITICAL PATCH GHSA Act Now

Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).

Microsoft RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2019-25623 MEDIUM POC This Month

Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Luminance Studio
NVD Exploit-DB VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-25177 HIGH PATCH This Week

Privilege escalation in Windows Active Directory Domain Services (AD DS) across Windows 11, Windows 10, and Windows Server platforms allows authenticated network attackers to gain elevated privileges by exploiting improper validation of resource naming restrictions. An attacker with valid domain credentials can leverage this vulnerability to escalate their access level without user interaction. Currently, no patch is available, leaving all affected Windows versions vulnerable.

Information Disclosure Windows 11 23h2 Windows 11 26h1 Windows Server 2025 Windows 10 22h2 +11
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47953 HIGH PATCH This Week

A security vulnerability in Use after free in Microsoft Office (CVSS 8.4) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.

Microsoft Denial Of Service
NVD VulDB
CVSS 3.1
8.4
EPSS
0.4%
CVE-2025-47173 HIGH PATCH This Week

CVE-2025-47173 is an improper input validation vulnerability in Microsoft Office that allows local code execution without requiring user privileges, though user interaction is needed. An attacker with local access can craft a malicious Office document that, when opened by a user, executes arbitrary code with the privileges of the affected Office application. This vulnerability affects Microsoft Office products across multiple versions and poses a moderate-to-high risk given its local attack vector and high impact on confidentiality, integrity, and availability.

Microsoft RCE Windows Office Long Term Servicing Channel Office +1
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-47260 MEDIUM This Month

51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-21402 HIGH PATCH This Week

Microsoft Office OneNote Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.5%
CVE-2025-21361 HIGH PATCH This Week

Microsoft Outlook Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft RCE
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2024-30063 MEDIUM PATCH This Month

Windows Distributed File System (DFS) Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.

RCE Microsoft Windows 10 1507 Windows 10 1607 Windows 10 1809 +11
NVD
CVSS 3.1
6.7
EPSS
1.0%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in the GitHub Copilot plugin for JetBrains IDEs allows an unauthorized attacker to run arbitrary code on a developer's machine by leveraging improper restriction of file/resource names (CWE-641), with exploitation requiring the victim to perform an action (UI:R). Rated CVSS 7.8 (high) with full confidentiality, integrity, and availability impact, this is a local-vector flaw affecting developers running the Copilot extension; no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has published a fix advisory (MSRC CVE-2026-50510).

Authentication Bypass Github Copilot Plugin For Jetbrains Ides
NVD
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).

Microsoft RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM POC This Month

Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Luminance Studio
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Windows Active Directory Domain Services (AD DS) across Windows 11, Windows 10, and Windows Server platforms allows authenticated network attackers to gain elevated privileges by exploiting improper validation of resource naming restrictions. An attacker with valid domain credentials can leverage this vulnerability to escalate their access level without user interaction. Currently, no patch is available, leaving all affected Windows versions vulnerable.

Information Disclosure Windows 11 23h2 Windows 11 26h1 +13
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

A security vulnerability in Use after free in Microsoft Office (CVSS 8.4) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.

Microsoft Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2025-47173 is an improper input validation vulnerability in Microsoft Office that allows local code execution without requiring user privileges, though user interaction is needed. An attacker with local access can craft a malicious Office document that, when opened by a user, executes arbitrary code with the privileges of the affected Office application. This vulnerability affects Microsoft Office products across multiple versions and poses a moderate-to-high risk given its local attack vector and high impact on confidentiality, integrity, and availability.

Microsoft RCE Windows +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Microsoft Office OneNote Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft RCE
NVD VulDB
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Microsoft Outlook Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft RCE
NVD
EPSS 1% CVSS 6.7
MEDIUM PATCH This Month

Windows Distributed File System (DFS) Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.

RCE Microsoft Windows 10 1507 +13
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy