
15 matches found

Positive Technologies
added 2026/04/17 12:00 a.m., 1 view

PT-2026-33506

Name of the Vulnerable Software and Affected Versions: Stirling-PDF versions prior to 2.0.0. Description: File upload endpoints render user-supplied filenames directly into HTML using unsafe methods such as innerHTML without sanitization. This allows an attacker to craft a file with a malicious...

CVSS 6.1 | AI score 5.8 | EPSS 0.00123
Exploits 1 | References 4
Cvelist
added 2026/03/26 9:00 p.m., 18 views

CVE-2026-33653 Uploady Vulnerable to Stored Cross-Site Scripting (XSS)

Uploady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScri...

CVSS 4.6 | EPSS 0.00014
Exploits 1 | References 3
Vulnrichment
added 2026/03/15 6:34 p.m., 2 views

CVE-2015-20116 RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...

CVSS 6.1 | AI score 6 | EPSS 0.00051
Exploits 1 | References 3
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-27483

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.3 | EPSS 0.02219
Exploits 4 | References 5
RedhatCVE
added 2025/05/22 1:13 a.m., 3 views

CVE-2017-10975

Cross-site scripting (XSS) vulnerability in Lutim before 0.8 might allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in an upload notification and in the myfiles component, if the attacker can convince the victim to proceed with an upload despit...

CVSS 6.1 | AI score 5.3 | EPSS 0.00223
Exploits 1 | References 1
Vulnrichment
added 2025/03/11 8:31 p.m., 9 views

CVE-2025-2208 aitangbao springboot-manager Filename upload cross site scripting

A vulnerability, which was classified as problematic, has been found in aitangbao springboot-manager 3.0. This issue affects some unknown processing of the file /sysFiles/upload of the component Filename Handler. The manipulation of the argument name leads to cross site scripting. The attack may ...

CVSS 4.8 | AI score 3.4 | EPSS 0.00066
Exploits 1 | References 4
Cvelist
added 2024/02/22 12:00 a.m., 19 views

CVE-2024-25801

SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name, not the content, of a file...

AI score 5.7 | EPSS 0.00092
Exploits 0 | References 1
CNNVD
added 2023/12/25 12:00 a.m., 2 views

ILIAS Security Vulnerabilities

ILIAS is an open source learning management system. A security vulnerability exists in ILIAS version 7.23 and version 8 prior to 8.3, which stems from a vulnerability that could allow a remote attacker to run arbitrary system commands on the server by uploading a file with a malicious filename...

CVSS 7.2 | AI score 7.1 | EPSS 0.00672
Exploits 0 | References 2
Prion
added 2023/02/03 7:15 p.m., 10 views

Cross site scripting

WEPA Print Away is vulnerable to a stored XSS. It does not properly sanitize uploaded filenames, allowing an attacker to deceive a user into uploading a document with a malicious filename, which will be included in subsequent HTTP responses, allowing a stored XSS to occur. This attack is persiste...

CVSS 4.9 | AI score 5.1 | EPSS 0.00307
Exploits 0 | References 2
OSV
added 2019/04/18 6:29 p.m., 3 views

CVE-2018-17288

Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client and Administration Console) suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Filename" field in /Kofax/KFS/ThinClient/document/upload/ (Thin Client) or (2) "DeviceName" field in...

CVSS 5.4 | AI score 5.8 | EPSS 0.0032
Exploits 1 | References 1
OSV
added 2018/06/29 12:29 p.m., 2 views

CVE-2018-12995

onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the Upload screen...

CVSS 8.8 | AI score 6
Exploits 0 | References 1
ATTACKERKB
added 2014/10/06 11:55 p.m., 0 views

CVE-2014-2044

Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename...

CVSS 7.5 | AI score 6.2 | EPSS 0.122
Exploits 7 | References 11
Tenable Nessus
added 2011/11/18 12:00 a.m., 319 views

Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities

According to its banner, the version of Apache running on the remote host does not properly escape filenames in 406 responses. A remote attacker can exploit this to inject arbitrary HTTP headers or conduct cross-site scripting attacks by uploading a file with a specially crafted name. Note that t...

CVSS 4.3 | AI score 5.6 | EPSS 0.52581
Exploits 2 | References 5
OSV
added 2011/02/14 9:00 p.m., 4 views

PYSEC-2011-31

Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload...

CVSS 4.3 | AI score 5.9 | EPSS 0.02962
Exploits 0 | References 18
ATTACKERKB
added 2008/06/24 7:41 p.m., 1 view

CVE-2008-2833

admin/upload.php in le.cms 1.4 and earlier allows remote attackers to bypass administrative authentication, and upload and execute arbitrary files in images/, via a nonzero value for the submit0 parameter in conjunction with filenames in the filename and upload parameters...

CVSS 10 | AI score 5.8 | EPSS 0.04419
Exploits 1 | References 6