The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with β#exec cmdβ because rejected files remain on the server, with predictable filenames, after a βThis file is not a valid imageβ error message.