48 matches found
CVE-2026-61457
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...
CVE-2026-15158
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
CVE-2026-58480
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the saveattachments function exposed through the Advanced Reviews feature. Attackers can...
CVE-2026-58480
Blocksy Companion Pro
CVE-2026-48557
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the defaultSanitizer function in FileAdder.php. An attacker can upload files with double extensions or omitted executable extensions, potentially leading to remote code execution by bypassing fil...
CVE-2026-48557
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
CVE-2026-48557 Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
Spatie Laravel Media Library Pro 安全漏洞
Spatie Laravel Media Library Pro is a UI component for Laravel media libraries developed by the Belgian company Spatie. Versions of Spatie Laravel Media Library Pro prior to 11.23.0 contained security vulnerabilities. These vulnerabilities were caused by a bypass of file upload restrictions in...
PT-2026-44994
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
📄 PluckCMS 4.7.10 Shell Upload
PluckCMS version 4.7.10 remote shell upload proof of concept exploit. ============================================================================================================================================= | Title : PluckCMS 4.7.10 Unrestricted File Upload RCE | | Author : indoushka | |...
EUVD-2025-201543
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. Th...
EUVD-2020-16707
Malware in sbrugna...
EUVD-2017-18215
Malware in sbrugna...
EUVD-2024-54930
Malicious code in bioql PyPI...
CVE-2024-13342
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...
CVE-2024-13342
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...
CVE-2024-13342
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...
CVE-2024-13342
The Booster for WooCommerce plugin (WordPress) is vulnerable to arbitrary file uploads due to missing file type validation in the add_files_to_order function, affecting all versions up to and including 7.2.4. This allows unauthenticated attackers to upload arbitrary files with double extensions o...
CVE-2024-13342 Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...