
67 matches found

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2009-0485

Malware in sbrugna...

CVSS 3.5 · AI score 6.1 · EPSS 0.00232
Exploits 0 · References 6

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2020-13476

Malware in sbrugna...

CVSS 6.5 · AI score 6.5 · EPSS 0.0023
Exploits 1 · References 2

RedhatCVE
added 2025/09/11 12:16 a.m. · 6 views

CVE-2025-44593

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13...

CVSS 6.1 · AI score 6.3 · EPSS 0.00038
Exploits 0 · References 1

Vulnrichment
added 2025/09/09 12:0 a.m. · 1 views

CVE-2025-44593

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13...

AI score 5.6 · EPSS 0.00038
Exploits 0 · References 1

OSV
added 2025/07/31 4:15 p.m. · 2 views

CVE-2025-50848

A file upload vulnerability discovered in CS Cart 4.18.3 allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious...

CVSS 6.1 · AI score 6.1 · EPSS 0.00184
Exploits 0 · References 2

CNNVD
added 2025/05/05 12:0 a.m. · 2 views

Open WebUI Cross-Site Scripting Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly, self-hosted open source WebUI from Open WebUI. A cross-site scripting vulnerability exists in versions of Open WebUI prior to 0.6.6, which stems from a low-privileged user being able to upload HTML files containing JavaScript code, which...

CVSS 6.3 · AI score 7 · EPSS 0.00151
Exploits 1 · References 4

OSV
added 2025/04/30 9:15 p.m. · 0 views

CVE-2022-42449

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 1

OSV
added 2025/04/30 9:15 p.m. · 4 views

CVE-2022-27562

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 1

Snyk
added 2024/10/10 10:9 p.m. · 2 views

Cross-site Scripting (XSS)

Overview: gradio is a Python library for easily interacting with trained machine learning models. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to inadequate file type restrictions or server-side validation for the upload of HTML, JS, or SVG files. An attacker can...

CVSS 6.9 · AI score 5.6 · EPSS 0.0025
Exploits 0 · References 2

OSV
added 2023/11/22 5:15 p.m. · 4 views

CVE-2023-47314

Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download...

CVSS 5.4 · AI score 5.8 · EPSS 0.00084
Exploits 1 · References 1

CNNVD
added 2023/11/21 12:0 a.m. · 3 views

Statamic Cross-Site Scripting Vulnerability

Statamic is a powerful flat-file CMS built on Laravel by Statamic, Inc. for storing all content, templates, assets, and settings in files instead of a database. A cross-site scripting vulnerability exists in Statamic prior to 3.4.15 and versions prior to 4.36.0, which can be exploited to upload...

CVSS 7.5 · AI score 6.1 · EPSS 0.00953
Exploits 0 · References 5

ATTACKERKB
added 2023/10/19 10:15 p.m. · 0 views

CVE-2023-45280

Yamcs 5.8.6 allows XSS issue 2 of 2. It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload an HTML file containing arbitrary JavaScript and then navigate to it. Once the user opens the file, the browser will execute the arbitrar...

CVSS 5.4 · AI score 6.2 · EPSS 0.01623
Exploits 1 · References 3

OSV
added 2023/05/30 5:27 p.m. · 3 views

CVE-2023-32689 Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server vi...

CVSS 6.3 · AI score 6.2 · EPSS 0.0039
Exploits 0 · References 5

Positive Technologies
added 2023/04/27 12:0 a.m. · 3 views

PT-2023-23272 · Unknown · Startsharp +1

Name of the Vulnerable Software and Affected Versions: Serenity Serene versions prior to 6.7.0; StartSharp versions prior to 6.7.0. Description: A security issue was discovered where users can upload temporary files with certain file endings, such as .html or .htm, that contain a malicious payload...

CVSS 6.1 · AI score 7.3 · EPSS 0.0068
Exploits 1 · References 10

CNNVD
added 2023/04/27 12:0 a.m. · 1 views

Serenity Serene Cross-Site Scripting Vulnerability

Serenity Serene is an open source ASP.NET Core / TypeScript application platform from Serenity. A security vulnerability exists in Serenity Serene StartSharp versions prior to 6.7.0, which stems from the fact that when a user uploads a temporary file, certain specific file extensions are not...

CVSS 6.1 · AI score 6 · EPSS 0.0068
Exploits 1 · References 5

ATTACKERKB
added 2022/06/13 1:15 p.m. · 3 views

CVE-2022-1777

The Filr WordPress plugin before 1.2.2.1 does not have an authorisation check in two of its AJAX actions, allowing them to be called by any authenticated user, such as a subscriber. They are protected with a nonce, however the nonce is leaked on the dashboard. This could allow them to upload...

CVSS 8.8 · AI score 7.4 · EPSS 0.00838
Exploits 2 · References 2

CNNVD
added 2022/03/12 12:0 a.m. · 2 views

Microweber Cross-Site Scripting Vulnerability

Microweber is a drag-and-drop website builder and CMS based on the PHP Laravel framework. Microweber suffers from a cross-site scripting vulnerability, which can be exploited by attackers to upload . azhtml file e.g. ahtml, bhtml, chtml, ddhtml, as long as it ends in html. After uploading,...

CVSS 8 · AI score 5.4 · EPSS 0.00496
Exploits 1 · References 3

CNNVD
added 2022/01/10 12:0 a.m. · 1 views

Directus Cross-Site Scripting Vulnerability

Directus is a real-time API and application dashboard used to manage SQL database content. A cross-site scripting vulnerability exists in Directus that allows unlimited uploads of .html files in the media upload feature and can be exploited by a low-privileged attacker to execute JavaScript code...

CVSS 5.4 · AI score 5.6 · EPSS 0.00206
Exploits 1 · References 2

Positive Technologies
added 2021/11/10 12:0 a.m. · 1 views

PT-2021-16899 · Publify · Publify

Name of the Vulnerable Software and Affected Versions: publify versions v8.0 through v9.2.4. Description: The issue is related to stored XSS due to an unrestricted file upload. This allows a user with the publisher role to inject malicious JavaScript via an uploaded html file. Recommendations: For...

CVSS 5.4 · AI score 5.2 · EPSS 0.00206
Exploits 0 · References 8

OSV
added 2021/10/11 11:15 a.m. · 0 views

CVE-2021-24563

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated users to upload a malicious HTML file containing JavaScript, for example, which will be triggered when someone accesses the file directly...

CVSS 6.1 · AI score 5.8 · EPSS 0.4059
Exploits 6 · References 2