PT-2025-15701 · Verydows · Verydows
Name of the Vulnerable Software and Affected Versions: verydows version 2.0 Description: The issue is related to insecure permissions, allowing a remote attacker to execute arbitrary code by uploading a specific file type. This can be achieved through the action of loading a particular type of...
PT-2025-15720 · Squeeze · Squeeze
Name of the Vulnerable Software and Affected Versions: Bogdan Bendziukov Squeeze versions n/a through 1.6 Description: The issue allows for the unrestricted upload of files with dangerous types, enabling the use of malicious files. Recommendations: For versions n/a through 1.6, consider restricti...
PT-2025-15671 · WordPress · Wp Project Manager
Name of the Vulnerable Software and Affected Versions: The WP Project Manager plugin versions up to, and including, 2.6.22 Description: The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping in tasks discussion. This...
Reliance on File Name or Extension of Externally-Supplied File
Overview DotNetNuke.Core is a references provider to the DotNetNuke.dll to develop extensions for the DNN Platform. Affected versions of this package are vulnerable to Reliance on File Name or Extension of Externally-Supplied File when handling uploaded files in FileSystem/FileManager.cs and...
CVE-2025-2525
The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'stAuthenticationController::editprofile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above...
CVE-2025-2525
The CVE-2025-2525 entry concerns the WordPress Streamit theme. Public detail confirms an Arbitrary File Upload flaw caused by missing file-type validation in st_Authentication_Controller::edit_profile, affecting all versions up to 4.0.1. The vulnerability requires authentication at Subscriber lev...
DNN Security Vulnerability
DNN aka DotNetNuke is a Microsoft-supported, open-source content management system CMS based on the ASP.NET platform from the U.S. company DNN. The system is easy to install, scalable and feature-rich. A security vulnerability exists in DNN versions prior to 9.13.2, which stems from the fact that...
WordPress plugin Streamit Code Issue Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code issue...
Elastic Kibana Security Vulnerability
Elastic Kibana is a data visualization dashboard software from Elastic. A security vulnerability exists in Elastic Kibana versions 8.16.1 and earlier and 8.17.1, which stems from prototype pollution combined with unrestricted file uploads and path traversal, which could lead to code...
PT-2025-15465 · Hax Cms · Hax Cms
Name of the Vulnerable Software and Affected Versions: HAX CMS PHP versions prior to 10.0.3 Description: The issue is related to the save function in HAXCMSFile.php, which allows for unrestricted file uploads due to a non-exhaustive denylist. This list only blocks files with .php, .sh, .js, and...
PT-2025-15470
Name of the Vulnerable Software and Affected Versions: AOS-10 GW affected versions not specified AOS-8 Controller/Mobility Conductor affected versions not specified Description: Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8...
tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
A flaw was found in Apache Tomcat. In certain conditions and configurations, this vulnerability allows a remote attacker to exploit a path equivalence flaw to view file system contents and add malicious content via a write-enabled Default Servlet in Apache Tomcat. For the vulnerability to be...
CVE-2025-2544
The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
CVE-2025-2780
The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-13708
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...
CVE-2025-32369
Kentico Xperience before 13.0.181 allows authenticated users to distribute malicious content for stored XSS via certain interactions with the media library file upload feature...
CVE-2025-32370
Kentico Xperience suffers from cross-site scripting vulnerabilities related to file uploads and content handling. The primary CVE entry (CVE-2025-32370) notes that Kentico Xperience before 13.0.178 restricts some ContentUploader extensions for unauthenticated uploads, but .zip processing via TryZ...
CVE-2025-2544 AI Content Pipelines <= 1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
CVE-2025-2544
AI Content Pipelines (WordPress) shows a Stored Cross-Site Scripting vulnerability via SVG file uploads in versions ≤ 1.6, caused by insufficient input sanitization and output escaping. The issue can be triggered by an authenticated user with Author-level access and above, potentially affecting p...
PT-2025-15050 · WordPress · Ai Content Pipelines
Name of the Vulnerable Software and Affected Versions: AI Content Pipelines plugin for WordPress versions up to, and including, 1.6 Description: The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This allows...