Common Weakness Enumeration

CWE-646

Allowed

Reliance on File Name or Extension of Externally-Supplied File

Abstraction: Variant · Status: Incomplete

The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

23 vulnerabilities reference this CWE, most recent first.

GHSA-RX97-PWC5-6V32

Vulnerability from github – Published: 2026-05-06 18:30 – Updated: 2026-05-06 18:30
VLAI
Details

A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent.

This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T17:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent.\n\nThis vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks.\u0026nbsp;",
  "id": "GHSA-rx97-pwc5-6v32",
  "modified": "2026-05-06T18:30:31Z",
  "published": "2026-05-06T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20172"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-lite-agent-BCgSN8eb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGMM-27FC-VMGP

Vulnerability from github – Published: 2025-09-09 20:52 – Updated: 2025-09-09 20:52
VLAI
Summary
Maho is Vulnerable to Authenticated Remote Code Execution via File Upload
Details

Summary

In Maho 25.7.0, an authenticated staff user with access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a listing with a file input field. By allowing file uploads with a .php extension, the user can use the filed to upload malicious PHP files, gaining remote code execution

Details

An user with the Dashboard and Catalog\Manage Products permissions can abuse the product custom options feature to bypass the application’s file upload restrictions.

When creating a product custom option of type file upload, the user is allowed to define their own extension whitelist. This bypasses the application’s normal enforced whitelist and permits disallowed extensions, including .php.

The file uploaded by the custom option is then written to a predictable location:

/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php

Because this path is directly accessible under the application’s webroot, an attacker can then request the uploaded file via HTTP, causing the server to execute the PHP payload.

PoC

  1. Sign in to the /admin dashboard as a staff user. Ensure the user's role has access to the Dashboard and Catalog\Manage Products permissions.
  2. Navigate to a product catalog listing, for example by clicking on a product linked within the Most Viewed Products tab on the dashboard. image

  3. Navigate to the "Custom Options" tab on the product, and create a custom option with a file upload field. Add .php as an allowed extension to the file upload configuration. Save the configuration after making the changes. image

  4. In a private window, navigate to the customer facing page for the product, and upload a reverse shell PHP file through the newly configured option. Then click "Add to cart" to complete the upload. image

  5. Calculate the location of the uploaded file on the web server as

/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php
  1. Navigate to the above path directly to execute the file contents and trigger the reverse shell. image

Impact

This vulnerability allows remote code execution (RCE) on the server. It requires only the Catalog\Manage Products permission, and does not need full administrative access. By leveraging the custom option upload feature, an attacker can bypass the application’s normal file upload protections and execute arbitrary PHP code within the webroot.

Suggested Remediation

Enforce a whitelist of allowed extensions a user is allowed to configure for file upload fields in Custom Options.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mahocommerce/maho"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T20:52:24Z",
    "nvd_published_at": "2025-09-08T22:15:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIn Maho 25.7.0, an authenticated staff user with access to the `Dashboard` and `Catalog\\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution\n\n### Details\nAn  user with the `Dashboard` and `Catalog\\Manage Products` permissions can abuse the product custom options feature to bypass the application\u2019s file upload restrictions.\n\nWhen creating a product custom option of type file upload, the user is allowed to define their own extension whitelist. This bypasses the application\u2019s normal enforced whitelist and permits disallowed extensions, including `.php`.\n\nThe file uploaded by the custom option is then written to a predictable location:\n```\n/public/media/custom_options/\u003cfirst char of filename\u003e/\u003csecond char of filename\u003e/\u003cmd5 of file contents\u003e.php\n```\nBecause this path is directly accessible under the application\u2019s webroot, an attacker can then request the uploaded file via HTTP, causing the server to execute the PHP payload.\n\n### PoC\n1. Sign in to the `/admin` dashboard as a staff user. Ensure the user\u0027s role has access to the `Dashboard` and `Catalog\\Manage Products` permissions.\n2. Navigate to a product catalog listing, for example by clicking on a product linked within the `Most Viewed Products` tab on the dashboard.\n\u003cimg width=\"648\" height=\"194\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1ab69182-68ea-48e4-b50b-46ccf70f40bb\" /\u003e\n\n3. Navigate to the \"Custom Options\" tab on the product, and create a custom option with a file upload field. Add `.php` as an allowed extension to the file upload configuration. Save the configuration after making the changes.\n\u003cimg width=\"836\" height=\"391\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5abe7d80-c16d-4b54-9a19-799bda1bcc34\" /\u003e\n\n4. In a private window, navigate to the customer facing page for the product, and upload a reverse shell PHP file through the newly configured option. Then click \"Add to cart\" to complete the upload.\n\u003cimg width=\"473\" height=\"286\" alt=\"image\" src=\"https://github.com/user-attachments/assets/326ce37e-026a-4211-8e95-6f5f310727df\" /\u003e\n\n5. Calculate the location of the uploaded file on the web server as \n```\n/public/media/custom_options/\u003cfirst char of filename\u003e/\u003csecond char of filename\u003e/\u003cmd5 of file contents\u003e.php\n```\n6. Navigate to the above path directly to execute the file contents and trigger the reverse shell.\n\u003cimg width=\"910\" height=\"339\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e0e52607-81d5-4dc2-8550-ef324182f889\" /\u003e\n\n### Impact\nThis vulnerability allows remote code execution (RCE) on the server. It requires only the Catalog\\Manage Products permission, and does not need full administrative access. By leveraging the custom option upload feature, an attacker can bypass the application\u2019s normal file upload protections and execute arbitrary PHP code within the webroot.\n\n### Suggested Remediation\nEnforce a whitelist of allowed extensions a user is allowed to configure for file upload fields in Custom Options.",
  "id": "GHSA-vgmm-27fc-vmgp",
  "modified": "2025-09-09T20:52:24Z",
  "published": "2025-09-09T20:52:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MahoCommerce/maho"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Maho is Vulnerable to Authenticated Remote Code Execution via File Upload"
}

GHSA-W5W3-25G6-2M2X

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2025-03-21 18:31
VLAI
Details

Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. This issue affects: WordPress Download Manager version 3.1.24 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-646"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-05T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Authenticated File Upload in WordPress Download Manager \u003c= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. \"payload.php.png\" which is executable in some configurations. This issue affects: WordPress Download Manager version 3.1.24 and prior versions.",
  "id": "GHSA-w5w3-25g6-2m2x",
  "modified": "2025-03-21T18:31:17Z",
  "published": "2022-05-24T19:10:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34639"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make decisions on the server side based on file content and not on file name or extension.

CAPEC-209: XSS Using MIME Type Mismatch

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.