CVEbaza.plSłownik CWECWE-641
Common Weakness Enumeration

CWE-641

Improper Restriction of Names for Files and Other Resources

Kategoria: BaseCVE: 15
Opis

Produkt konstruuje nazwę pliku lub innego zasobu, wykorzystując dane wejściowe z komponentu nadrzędnego, ale nie ogranicza lub nieprawidłowo ogranicza wynikową nazwę. Może to prowadzić do dostępu do niezamierzonych zasobów lub obejścia kontroli bezpieczeństwa.

Description (EN)

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Podatności CVE z CWE-641 (15)
8.8
CVSS
HIGH
CVE-2026-27140

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

pub. 2026-04-08
8.8
CVSS
HIGH
CVE-2026-25177

Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.

pub. 2026-03-10
8.8
CVSS
HIGH
CVE-2022-36302

File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information.

pub. 2022-08-01
8.8
CVSS
HIGH
CVE-2021-41146

qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.

pub. 2021-10-21
8.4
CVSS
HIGH
CVE-2025-47953

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

pub. 2025-06-10
8.3
CVSS
HIGH
CVE-2026-50023

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.

pub. 2026-06-23
7.8
CVSS
HIGH
CVE-2025-47173

Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally.

pub. 2025-06-10
7.8
CVSS
HIGH
CVE-2025-21361

Microsoft Outlook Remote Code Execution Vulnerability

pub. 2025-01-14
7.8
CVSS
HIGH
CVE-2025-21402

Microsoft Office OneNote Remote Code Execution Vulnerability

pub. 2025-01-14
7.2
CVSS
HIGH
CVE-2023-0046

Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.

pub. 2023-01-04
6.9
CVSS
MEDIUM
CVE-2019-25623

Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to process the input, causing the application to become unresponsive or terminate abnormally.

pub. 2026-03-23
6.7
CVSS
MEDIUM
CVE-2024-30063

Windows Distributed File System (DFS) Remote Code Execution Vulnerability

pub. 2024-06-11
6.5
CVSS
MEDIUM
CVE-2024-47260

51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memory.  Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

pub. 2025-03-04
6.5
CVSS
MEDIUM
CVE-2022-23536

Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.

pub. 2022-12-19
5.3
CVSS
MEDIUM
CVE-2024-45312

Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 (or 4.2.7 for the 4.x series) contain a vulnerability that allows an arbitrary language parameter in client spelling requests to be passed to the `aspell` executable running on the server. This causes `aspell` to attempt to load a dictionary file with an arbitrary filename. File access is limited to the scope of the overleaf server. The problem is patched in versions 5.0.7 and 4.2.7. Previous versions can be upgraded using the Overleaf toolkit `bin/upgrade` command. Users unable to upgrade may block POST requests to `/spelling/check` via a Web Application Firewall will prevent access to the vulnerable spell check feature. However, upgrading is advised.

pub. 2024-09-02
Informacje
ID: CWE-641
Typ: Base
Podatności: 15
MITRE CWE ↗
← Słownik CWE