CWE-646 (Reliance on File Name or Extension of Externally-Supplied File) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | Web Server | — | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-45315 | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-suppli… |
| CVE-2026-20172 | 2026-05-06 | A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the at… |
| CVE-2025-30662 | 2025-11-13 | Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to c… |
| CVE-2025-41720 | 2025-10-22 | A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified. |
| CVE-2025-58449 | 2025-09-08 | Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom opt… |
| CVE-2025-1889 | 2025-03-03 | picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pick… |
| CVE-2024-52052 | 2024-11-21 | Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code exe… |
| CVE-2024-38432 | 2024-07-30 | Matrix Tafnit v8 - CWE-646: Reliance on File Name or Extension of Externally-Supplied File |
| CVE-2023-45599 | 2024-03-05 | A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arb… |
| CVE-2021-34639 | 2021-08-05 | Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some confi… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Relationships, Observed_Example |
| 2008-10-13 | CWE Content Team | 1.1 | — | Significant clarification of the weakness description. |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description, Name, Observed_Examples, Relationships |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Related_Attack_Patterns |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Common_Consequences |
| 2010-12-13 | CWE Content Team | 1.11 | — | updated Applicable_Platforms, Common_Consequences |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Common_Consequences, Description |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Enabling_Factors_for_Exploitation |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Description, Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |