CVE-2022-45415
When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later run. This vulnerability affects Firefox 107...
CVE-2019-19576
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions...
UBUNTU-CVE-2025-4086
A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. This vulnerability affects Firefox 138 and Thunderbir...
Kentico Xperience cross-site scripting vulnerability (CNVD-2026-05133)
Kentico Xperience is a digital experience platform from Kentico. Kentico Xperience suffers from a cross-site scripting vulnerability due to .zip files being processed through TryZipProviderSafe, which can be exploited by an attacker to cause the creation of files with other extensions...
GHSA-Q62R-8PPJ-XVF4 Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
Impact: Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. Patches: The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. Workarounds: Umbraco supports the...
CVE-2025-32370
Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not...
CVE-2025-32370
Kentico Xperience suffers from cross-site scripting vulnerabilities related to file uploads and content handling. The primary CVE entry (CVE-2025-32370) notes that Kentico Xperience before 13.0.178 restricts some ContentUploader extensions for unauthenticated uploads, but .zip processing via TryZ...
BIT-DOLIBARR-2020-13240
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS...
CVE-2025-22213
Inadequate checks in the Media Manager allowed users with "edit" privileges to change a file's extension to an arbitrary extension, including .php and other potentially executable extensions...
Improper Input Validation
picklescan is vulnerable to Improper Input Validation. The vulnerability is due to improper validation of file extensions, allowing an attacker to include a malicious pickle file with a non-standard extension that bypasses security checks...
CVE-2025-1889 picklescan - Security scanning bypass via non-standard file extensions
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not...
CVE-2022-31041
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users e.g. only PDF / Excel / .... The input validation of uploaded fil...
The vulnerability of the “Allow All File Extensions” module in Drupal CMS systems stems from insufficient validation of input data, allowing attackers to execute arbitrary code.
The vulnerability of the “Allow All File Extensions” module for file fields in Drupal CMS systems is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...
CVE-2024-13311
CVE-2024-13311 describes a vulnerability in Drupal related to the Allow All File Extensions for file fields feature. The consolidated records indicate Drupal’s file field extension filtering can be bypassed, enabling potential impact to file handling. The available metrics from the CVE entry show...
Drupal security vulnerability
Drupal is an open source content management system developed in the PHP language by the Drupal community. A security vulnerability exists in Drupal Allow All File Extensions for file fields, which stems from the presence of an issue...
CVE-2023-6601 Ffmpeg: hls unsafe file extension bypass in ffmpeg
A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions...
CVE-2023-6601
CVE-2023-6601 is a vulnerability in FFmpeg’s HLS demuxer that enables bypassing unsafe file extension checks and triggering arbitrary demuxers via base64 data URIs with specific extensions. Public details in the provided connected advisories attribute the issue to FFmpeg and acknowledge fixes in ...