44 matches found

Vulnrichment
added 2026/04/23 7:14 p.m. | 2 views

CVE-2026-41269 Flowise: File Upload Validation Bypass in createAttachment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...

CVSS 7.1 | AI score 5.6 | EPSS 0.00146
Exploits: 1 | References: 1

RedhatCVE
added 2026/03/04 1:57 a.m. | 3 views

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

CVSS 4.1 | AI score 6 | EPSS 0.0003
Exploits: 0 | References: 1

NVD
added 2026/03/03 6:16 p.m. | 1 view

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

CVSS 4.1 | EPSS 0.0003
Exploits: 0 | References: 3

OSV
added 2026/03/03 6:16 p.m. | 2 views

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

CVSS 4.1 | AI score 5.8 | EPSS 0.0003
Exploits: 0 | References: 3

Vulnrichment
added 2026/03/03 12:0 a.m. | 0 views

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

AI score 6 | EPSS 0.0003
Exploits: 0 | References: 3

Cvelist
added 2026/03/03 12:0 a.m. | 20 views

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

EPSS 0.0003
Exploits: 0 | References: 3

Positive Technologies
added 2026/03/03 12:0 a.m. | 3 views

PT-2026-22758

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

AI score 6 | EPSS 0.0003
Exploits: 0 | References: 4

EUVD
added 2026/03/03 12:0 a.m. | 3 views

EUVD-2021-22125

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

AI score 6 | EPSS 0.0003
Exploits: 0 | References: 3

CVE
added 2026/03/03 12:0 a.m. | 2 views

CVE-2021-35483

The Nokia IMPACT Applications component (versions up to 19.11.2.10-20210118042150283) allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter during adding or editing an application. If an authenticated user visits the page where...

CVSS 4.1 | AI score 6 | EPSS 0.0003
Exploits: 0 | References: 3 | Affected Software: 1

ATTACKERKB
added 2026/03/03 12:0 a.m. | 2 views

CVE-2021-35483

The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an...

CVSS 4.1 | AI score 6 | EPSS 0.0003
Exploits: 0 | References: 4

CNNVD
added 2026/03/03 12:0 a.m. | 3 views

Nokia IMPACT Security Vulnerability

Nokia IMPACT is a set of IoT intelligent management platforms developed by Finnish company Nokia. Versions of Nokia IMPACT such as 19.11.2.10-20210118042150283 and earlier contain security vulnerabilities. These vulnerabilities stem from the Applications component, which allows JavaScript files t...

CVSS 4.1 | AI score 6 | EPSS 0.0003
Exploits: 0 | References: 4

Vulnrichment
added 2025/12/04 10:27 p.m. | 2 views

CVE-2025-66561 SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)

SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This...

CVSS 7.3 | AI score 5.1 | EPSS 0.00026
Exploits: 0 | References: 1

Vulnrichment
added 2025/11/12 7:47 a.m. | 2 views

CVE-2025-12872 aEnrich|eHRD - Stored Cross-Site Scripting

a+HRD and a+HCM, developed by aEnrich, have a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tricked into visiting a specific URL...

CVSS 5.4 | AI score 5.7 | EPSS 0.00032
Exploits: 0 | References: 2

Cvelist
added 2025/11/04 1:47 p.m. | 6 views

CVE-2025-12682 Easy Upload Files During Checkout <= 2.9.8 - Unauthenticated Arbitrary JavaScript File Upload

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'file_during_checkout' function in all versions up to, and including, 2.9.8. This makes it possible for unauthenticated attackers to upload...

CVSS 9.8 | EPSS 0.00579
Exploits: 0 | References: 2

CVE
added 2025/11/04 1:47 p.m. | 13 views

CVE-2025-12682

CVE-2025-12682 concerns the WordPress plugin Easy Upload Files During Checkout. The vulnerability is an unauthenticated arbitrary JavaScript file upload caused by missing file type validation in the file_during_checkout function, affecting all versions up to and including 2.9.8. The issue can ena...

CVSS 9.8 | AI score 7.1 | EPSS 0.00579
Exploits: 0 | References: 2

Positive Technologies
added 2025/11/04 12:0 a.m. | 2 views

PT-2025-45011

Name of the Vulnerable Software and Affected Versions: Easy Upload Files During Checkout plugin for WordPress versions prior to 2.9.9. Description: The Easy Upload Files During Checkout plugin for WordPress is susceptible to arbitrary JavaScript file uploads because of a lack of file type validation...

CVSS 9.8 | AI score 7.9 | EPSS 0.00579
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-32301

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.6 | EPSS 0.0001
Exploits: 1 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-6962

Malicious code in bioql PyPI...

CVSS 7.2 | AI score 6.7 | EPSS 0.00473
Exploits: 0 | References: 13

Tenable Nessus
added 2025/08/27 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2017-17092

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers t...

CVSS 5.4 | AI score 6.7 | EPSS 0.04916
Exploits: 0 | References: 2

NVD
added 2025/07/25 4:15 p.m. | 4 views

CVE-2016-15046

A client-side remote code execution vulnerability exists in Hanwha Techwin Smart Security Manager (SSM) versions 1.32 and 1.4, due to improper restrictions on the PUT method exposed by the bundled Apache ActiveMQ instance running on port 8161. An attacker can exploit this flaw through a Cross-Origi...

CVSS 8.6 | EPSS 0.02571
Exploits: 0 | References: 6