CVE-2023-1479

A vulnerability classified as critical has been found in SourceCodester Simple Music Player 1.0. Affected is an unknown function of the file savemusic.php. The manipulation of the argument filename leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been...

CVE-2025-4868

A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument...

CVE-2025-4868

A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument...

CVE-2025-4851

A vulnerability classified as critical was found in TOTOLINK N300RH 6.1c.1390B20191101. This vulnerability affects the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to command injection. The attack can be initiated remotely. The explo...

CVE-2025-4086 Specially crafted filename could be used to obscure download type

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.. This vulnerability was fixed in Firefox 138...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation through the Admission Controller feature, by manipulating the filename to include attacker-controlled data. Remediation Upgrade github.com/kubernetes/ingress-nginx/internal/ingress/annotations/auth to version...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation through the Admission Controller feature, by manipulating the filename to include attacker-controlled data. Remediation Upgrade k8s.io/ingress-nginx/internal/ingress/annotations/auth to version 1.11.5, 1.12.1,...

CVE-2020-4041

In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to...

CVE-2024-45259

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. By intercepting an HTTP request and changing the filename property in the download interface, any file on the device can be deleted...

Malicious File Download

scoutbrowser is vulnerable to Malicious File Download. The vulnerability is due to insufficient input validation for filenames, which does not properly sanitize the file extensions before serving the files to users, allowing attackers to manipulate file extensions and deliver malicious content...

CVE-2024-2820

A vulnerability classified as problematic was found in DedeCMS 5.7. Affected by this vulnerability is an unknown functionality of the file /src/dede/baidunews.php. The manipulation of the argument filename leads to cross-site request forgery. The attack can be launched remotely. The exploit has...

CVE-2023-6887

A vulnerability classified as critical has been found in saysky ForestBlog up to 20220630. This affects an unknown part of the file /admin/upload/img of the component Image Upload Handler. The manipulation of the argument filename leads to unrestricted upload. It is possible to initiate the attac...

PT-2023-32798 · Saysky · Sayski Forestblog

Name of the Vulnerable Software and Affected Versions: saysky ForestBlog up to 20220630 Description: A critical issue has been found in the Image Upload Handler component, affecting the /admin/upload/img file. The manipulation of the filename argument leads to unrestricted upload. This issue can ...

OpenRapid RapidCMS Code Issue Vulnerability

OpenRapid RapidCMS is OpenRapid open source a fast and easy to use CMS system. A code issue vulnerability exists in OpenRapid RapidCMS version 1.3.1, which stems from an incorrect manipulation of the parameter fileName that can lead to unrestricted uploads...

CVE-2023-29401 Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of...

SUSE CVE-2014-8990

default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via manipulation of the argument filename in the placeholder function. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise...

CVE-2022-34482

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from...

CVE-2022-34483

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from...

Security Vulnerabilities fixed in Firefox 108 — Mozilla

An out of date library libusrsctp contained vulnerabilities that could potentially be exploited. An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.This bug only affects Firefox for Linux. Other operati...