GHSA-VHGH-G7X8-4RX8 Mattermost doesn't validate decompressed archive entry sizes during file extraction

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly...

CVE-2026-3114 Zip Bomb Denial of Service via Unrestricted Archive Decompression

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly...

itsourcecode Free Hotel Reservation System 代码问题漏洞

itsourcecode Free Hotel Reservation System is an open-source hotel reservation system developed by itsourcecode. Version 1.0 of the system has code-related vulnerabilities; these vulnerabilities stem from incorrect handling of parameters in the file admin/modamenities/index.php?view=add, which ma...

CVE-2026-23636

Kiteworks is a private data network PDN. In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch...

CVE-2026-32536

Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files.This issue affects Green Downloads: from n/a through = 2.08...

CVE-2026-3215

CVE-2026-3215 affects Drupal Islandora prior to 2.17.5, due to improper input neutralization during web page generation, enabling Cross-Site Scripting (XSS). The root cause involves insufficient sanitization of URI paths used in a custom route for attaching media to nodes. The issue requires the ...

WordPress plugin WPJAM Basic 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin Green Downloads 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

Acrel Environmental Monitoring Cloud Platform 代码问题漏洞

The Acrel Environmental Monitoring Cloud Platform is an IoT data center operated by Acrel Corporation in China. There is a code vulnerability in the Acrel Environmental Monitoring Cloud Platform 1.1.0 version. This vulnerability stems from an unknown processing mechanism that allows unlimited fil...

WordPress plugin Canto 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-32989

Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations,...

Xerte Online Toolkits 安全漏洞

Xerte Online Toolkits is an online learning content creation platform provided by Xerte Ltd. in the UK. Versions of Xerte Online Toolkits 3.14 and earlier contained a security vulnerability. This vulnerability stemmed from the template import function’s inability to validate arbitrary file upload...

OPEXUS eComplaint 安全漏洞

OPEXUS eComplaint is a complaint and appeal management platform provided by the US company OPEXUS. Versions of OPEXUS eComplaint prior to 10.1.0.0 contained security vulnerabilities. These vulnerabilities allowed unauthenticated attackers to upload arbitrary files, potentially leading to storage...

CVE-2026-32728

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter e.g. ;charset=utf-8 to the Content-Type header...

CVE-2026-32728 Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter e.g. ;charset=utf-8 to the Content-Type header...

CVE-2025-68971

A flaw was found in Forgejo. A remote attacker could exploit this vulnerability in the attachment component by uploading a multi-gigabyte file attachment, such as to an issue or a release. This could lead to a Denial of Service DoS, making the service unavailable to legitimate users...

EUVD-2026-12682

LDAP Account Manager LAM is a webfrontend for managing entries e.g. users, groups, DHCP settings stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type including .php files can be uploaded. With...

Cross-site Scripting (XSS)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the file upload process. An attacker can execute arbitrary scripts in the user's browser by...

EUVD-2015-9411

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by...

CVE-2015-20115

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by...