CVE-2026-29061
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...
GHSA-J8G8-J7FC-43V6 Flowise has Arbitrary File Upload via MIME Spoofing
Vulnerability Overview: The /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on the MIME types defined in...
CVE-2026-27605 Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading project logo files without validating the file type or content. It trusts the extension provided by the user...
Alive Parish cross-site request forgery vulnerability
Alive Parish is a church management system developed by Terence Monteiro. Version 2.0.4 of Alive Parish contains a cross-site request forgery vulnerability. This vulnerability stems from SQL injection in the key parameter of the search endpoint. Additionally, the images/uploaded directory allows...
2-Plan Team code issue vulnerability
2-Plan Team is a project planning software developed by the German company 2-Plan. Version 1.0.4 of 2-Plan Team contains a code vulnerability. This vulnerability stems from the userfile1 parameter in the managefile.php file, which allows arbitrary file uploads. This could lead to the execution of...
chartbrew code issue vulnerability
Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.4 contained code vulnerabilities. These vulnerabilities stemmed from allowing the upload of files without verifying their types or content. This could lead to the...
EUVD-2026-9865
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnduploadcf7upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to...
CVE-2025-55208 Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in Social Networks. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue...
CVE-2026-21628
An improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution...
EUVD-2025-208303
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server. This issue affects Nutrie: from n/a through 2.0.1...
WordPress plugin Filr code issue vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
WordPress plugin WooCommerce License Manager security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
Chamilo cross-site scripting vulnerability
Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.34 contained a cross-site scripting vulnerability. This vulnerability stemmed from insecure file uploads in the social networking functionality, leading to storage-based cross-site scripti...
CVE-2025-14532
DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution. This issue was fixed in versions above 5.0...
CVE-2026-2269
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 7.0.0.3, via the download_url() function. This allows an authenticated attacker with Adminis...
CVE-2026-28270
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch fo...
CVE-2026-2359
Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to...