CWE-641— Improper Restriction of Names for Files and Other Resources
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.— MITRE CWE catalog
14 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-641page 1 of 1
- CVE-2021-41146HIGHCVSS 8.8EG 8.82021-10-21
qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially cr…
- CVE-2022-23536MEDIUMCVSS 6.5EG 6.52022-12-19
Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing malici…
- CVE-2022-36302HIGHCVSS 8.8EG 5.42022-08-01
File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information.
- CVE-2023-0046HIGHCVSS 7.2EG 7.22023-01-04
Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.
- CVE-2024-30063MEDIUMCVSS 6.7EG 6.72024-06-11
Windows Distributed File System (DFS) Remote Code Execution Vulnerability
- CVE-2024-45312MEDIUMCVSS 5.3EG 5.32024-09-02
Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 (or 4.2.7 for the 4.x series) contain a vulnerability that allows an arbitrary language parameter in client spelling reque…
- CVE-2024-47260MEDIUMCVSS 6.5EG 6.52025-03-04
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memo…
- CVE-2025-21361HIGHCVSS 7.8EG 7.82025-01-14
Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2025-21402HIGHCVSS 7.8EG 7.82025-01-14
Microsoft Office OneNote Remote Code Execution Vulnerability
- CVE-2025-47173HIGHCVSS 7.8EG 7.82025-06-10
Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally.
- CVE-2025-47953HIGHCVSS 8.4EG 8.42025-06-10
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
- CVE-2026-25177HIGHCVSS 8.8EG 8.82026-03-10
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
- CVE-2026-27140HIGHCVSS 8.8EG 8.82026-04-08
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- CVE-2026-50023CRITICALCVSS 9.6EG 9.62026-06-16
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing…
Map vulnerabilities like CWE-641 to your infrastructure
EchelonGraph correlates every CVE — across CWE-641 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →