Skip to main content

CWE-646

Reliance on File Name or Extension of Externally-Supplied File

7 CVEs Avg CVSS 7.6 MITRE
2
CRITICAL
2
HIGH
3
MEDIUM
0
LOW
1
POC
0
KEV

Monthly

CVE-2026-20172 MEDIUM This Month

Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.

File Upload Cisco
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-30662 MEDIUM This Month

Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Workplace Virtual Desktop Infrastructure macOS
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-58449 PHP HIGH PATCH This Month

Maho is a free and open source ecommerce platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-1889 PyPI MEDIUM POC PATCH This Month

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Picklescan
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2024-52052 CRITICAL Act Now

Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Streaming Engine
NVD
CVSS 4.0
9.4
EPSS
0.5%
CVE-2024-38432 CRITICAL Act Now

Matrix Tafnit v8 - CWE-646: Reliance on File Name or Extension of Externally-Supplied File. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tafnit
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2021-34639 HIGH This Week

Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP File Upload Download Manager
NVD
CVSS 3.1
8.8
EPSS
0.6%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.

File Upload Cisco
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Workplace Virtual Desktop Infrastructure +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Maho is a free and open source ecommerce platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Picklescan
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Streaming Engine
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Matrix Tafnit v8 - CWE-646: Reliance on File Name or Extension of Externally-Supplied File. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tafnit
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP File Upload +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy