PT-2026-51133

Name of the Vulnerable Software and Affected Versions Simple File List versions prior to 6.3.8 Description The Simple File List plugin for WordPress contains a flaw where a missing authorization check on the frontmanage shortcode attribute allows authenticated attackers with contributor-level...

Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders

Summary modules/documents-files.php gates state-changing modes by checking that the actor has hasUploadRight on the URL parameter folderuuid. The movesave handler then operates on a separate URL parameter fileuuid and calls File::moveToFolder$destFolderUUID. File::moveToFolder checks the upload...

CVE-2026-25161

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...

CVE-2022-27049

Raidrive before v2021.12.35 allows attackers to arbitrarily move log files by pre-creating a mountpoint and log files before Raidrive is installed...

CVE-2025-12494

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...

CVE-2025-12494 Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...

CVE-2025-10488

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the addlistingaction AJAX action in all versions up to, and including, 8.4.8. This makes it possible for...

Exploit for CVE-2021-4191

Nuclei POC Duplicate Detection Tool This tool is written in G...

EUVD-2004-1668

Malware in sbrugna...

EUVD-2020-30532

Malware in sbrugna...

EUVD-2018-2593

Malware in sbrugna...

EUVD-2018-10760

Malware in sbrugna...

EUVD-2023-54330

Malicious code in bioql PyPI...

EUVD-2024-48515

Malicious code in bioql PyPI...

EUVD-2022-30036

Malicious code in bioql PyPI...

EUVD-2022-31589

Malicious code in bioql PyPI...

EUVD-2022-28710

Malicious code in bioql PyPI...

Arbitrary File Exfiltration

octoprint is vulnerable to Arbitrary file exfiltration. The vulnerability is due to insufficient restrictions on file movement by users with FILEUPLOAD permission, allowing files readable by OctoPrint to be moved into the upload folder and downloaded...

CVE-2024-51491

notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List CRL based revocation check feature. After retrieving the CRL, notation-go...

CVE-2023-34865

Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature...