Lucene search
K

48 matches found

NVD
NVD
added 11 hours ago6 views

CVE-2026-61457

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...

8.8CVSS
Exploits0References2
NVD
NVD
added 6 days ago17 views

CVE-2026-15158

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...

9.8CVSS0.00995EPSS
Exploits0References3
NVD
NVD
added 2026/07/08 2:17 p.m.12 views

CVE-2026-58480

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the saveattachments function exposed through the Advanced Reviews feature. Attackers can...

9.8CVSS0.00605EPSS
Exploits0References4
CVE
CVE
added 2026/07/08 1:5 p.m.14 views

CVE-2026-58480

Blocksy Companion Pro

9.8CVSS6.4AI score0.00605EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.10 views

CVE-2026-48557

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

8.8CVSS5.5AI score0.0044EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/29 9:14 p.m.4 views

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the defaultSanitizer function in FileAdder.php. An attacker can upload files with double extensions or omitted executable extensions, potentially leading to remote code execution by bypassing fil...

8.8CVSS6.4AI score0.0044EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/29 7:49 p.m.15 views

CVE-2026-48557

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

8.8CVSS5.8AI score0.0044EPSS
Exploits0References5
OSV
OSV
added 2026/05/29 7:49 p.m.5 views

CVE-2026-48557 Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

8.7CVSS5.9AI score0.0044EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.11 views

Spatie Laravel Media Library Pro 安全漏洞

Spatie Laravel Media Library Pro is a UI component for Laravel media libraries developed by the Belgian company Spatie. Versions of Spatie Laravel Media Library Pro prior to 11.23.0 contained security vulnerabilities. These vulnerabilities were caused by a bypass of file upload restrictions in...

8.8CVSS5.8AI score0.0044EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.26 views

PT-2026-44994

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

8.8CVSS5.8AI score0.0044EPSS
Exploits0References5
Packet Storm
Packet Storm
added 2026/02/16 12:0 a.m.220 views

📄 PluckCMS 4.7.10 Shell Upload

PluckCMS version 4.7.10 remote shell upload proof of concept exploit. ============================================================================================================================================= | Title : PluckCMS 4.7.10 Unrestricted File Upload RCE | | Author : indoushka | |...

7.2CVSS5.5AI score0.06258EPSS
Exploits4
EUVD
EUVD
added 2025/12/06 12:31 p.m.4 views

EUVD-2025-201543

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. Th...

8.8CVSS7AI score0.07183EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.8 views

EUVD-2020-16707

Malware in sbrugna...

7.5CVSS7.5AI score0.0154EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2017-18215

Malware in sbrugna...

9CVSS5.8AI score0.00885EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.27 views

EUVD-2024-54930

Malicious code in bioql PyPI...

8.1CVSS6.4AI score0.00686EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/08/31 11:0 a.m.18 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

8.1CVSS7.7AI score0.00686EPSS
Exploits0References1
OSV
OSV
added 2025/08/29 11:15 a.m.4 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

9.8CVSS6.5AI score0.00686EPSS
Exploits0References3
NVD
NVD
added 2025/08/29 11:15 a.m.49 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

9.8CVSS0.00686EPSS
Exploits0References3
CVE
CVE
added 2025/08/29 10:54 a.m.24 views

CVE-2024-13342

The Booster for WooCommerce plugin (WordPress) is vulnerable to arbitrary file uploads due to missing file type validation in the add_files_to_order function, affecting all versions up to and including 7.2.4. This allows unauthenticated attackers to upload arbitrary files with double extensions o...

9.8CVSS7.2AI score0.00686EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2025/08/29 10:54 a.m.48 views

CVE-2024-13342 Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

8.1CVSS0.00686EPSS
Exploits0References3
Rows per page
Query Builder