63 matches found

RedhatCVE
added 2026/06/05 7:17 p.m., 5 views

CVE-2026-6957

Mattermost Plugins versions =1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via...

CVSS 8, AI score 5.7, EPSS 0.0029
Exploits 0, References 1
Snyk
added 2026/06/03 6:02 p.m., 30 views

Arbitrary Command Injection

Overview: org.webjars.npm:launch-editor is a launch editor from node.js. Affected versions of this package are vulnerable to Arbitrary Command Injection due to improper sanitization of the file argument on Windows systems. An attacker can execute arbitrary commands by supplying a specially crafted...

CVSS 8.8, AI score 5.9, EPSS 0.00424
Exploits 0, References 2
CVE
added 2026/05/08 2:55 a.m., 13 views

CVE-2026-43943

The CVE applies to electerm prior to version 3.7.9, where the SFTP "open with system editor" or "Edit with custom editor" feature passes the filename directly into a shell command without sanitization. A malicious SSH server or compromised OS can craft a filename containing shell metacharacters; when...

CVSS 7.8, AI score 6.3, EPSS 0.00167
Exploits 0, References 3, Affected Software 1
GithubExploit
added 2026/04/11 7:13 p.m., 89 views

Exploit for OS Command Injection in Devcode Openstamanager

CVE-2025-69212: OpenSTAManager has an OS Command Injection in...

CVSS 9.4, AI score 6.2, EPSS 0.01755
Exploits 3
ATTACKERKB
added 2026/04/07 4:20 p.m., 1 views

CVE-2026-35585

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and dele...

CVSS 7.5, AI score 6.1, EPSS 0.01922
Exploits 2, References 3, Affected Software 1
RedhatCVE
added 2026/03/27 10:51 p.m., 4 views

CVE-2026-33653

Uploady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScri...

CVSS 4.6, AI score 5.9, EPSS 0.00241
Exploits 1, References 1
Snyk
added 2026/03/27 3:29 p.m., 2 views

Information Exposure

Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Information Exposure via the POST /api/v1/audio/transcriptions endpoint. An attacker can obtain sensitive server filesystem path information by submitting a crafted multipart request with a malicious filename...

CVSS 5.3, AI score 5.9, EPSS 0.00427
Exploits 1, References 3
Cvelist
added 2026/03/26 9:00 p.m., 19 views

CVE-2026-33653 Uploady Vulnerable to Stored Cross-Site Scripting (XSS)

Uploady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScri...

CVSS 4.6, EPSS 0.00241
Exploits 1, References 3
OSV
added 2026/03/25 6:31 p.m., 1 views

GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

CVSS 9.8, AI score 5.9, EPSS 0.02421
Exploits 4, References 7
Positive Technologies
added 2026/03/25 12:00 a.m., 8 views

PT-2026-27800

Name of the Vulnerable Software and Affected Versions: textract versions through 2.5.0. Description: The software is susceptible to an OS Command Injection issue through the file path parameter in multiple extractors. Processing files with malicious filenames allows the filePath to be directly passe...

CVSS 9.8, AI score 5.8, EPSS 0.02421
Exploits 4, References 9
OSV
added 2026/03/02 2:36 p.m., 2 views

CVE-2025-50186 Chamilo: Stored XSS via Malicious CSV Filename in user_import.php

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., .csv) that leads to JavaScript execution when viewed by...

CVSS 4.8, AI score 5.9, EPSS 0.00295
Exploits 1, References 5
Positive Technologies
added 2026/02/18 12:00 a.m., 5 views

PT-2026-20385

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the file name parameter, which is stored in the database during file upload and later used in raw SQL...

CVSS 6.5, AI score 6, EPSS 0.00242
Exploits 0, References 5
RubySec
added 2026/02/17 12:00 a.m., 9 views

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Summary: Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)), the generated index includes an anchor whose href attribute is exactly...

CVSS 5.4, AI score 5.8, EPSS 0.00224
Exploits 1, References 1, Affected Software 1
Positive Technologies
added 2026/01/01 12:00 a.m., 6 views

PT-2026-20325

Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.2.22; Rack versions prior to 3.1.20; Rack versions prior to 3.2.5. Description: Rack's Rack::Directory component generates HTML directory indexes with clickable links for each file entry. If a file exists with a basename...

CVSS 10, AI score 5.2, EPSS 0.35376
Exploits 9, References 120
Vulnrichment
added 2025/12/12 7:10 a.m., 2 views

CVE-2025-67728 Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or an unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a...

CVSS 9.8, AI score 7.1, EPSS 0.00589
Exploits 0, References 2
CVE
added 2025/12/12 7:10 a.m., 19 views

CVE-2025-67728

Fireshare is affected by an OS command injection in versions 1.2.30 and earlier. The vulnerability arises when a malicious filename, supplied during video uploads (authenticated user or public uploads enabled), is concatenated directly into a shell command, enabling path traversal to arbitrary di...

CVSS 9.8, AI score 7.1, EPSS 0.00589
Exploits 0, References 2, Affected Software 1
Hacker One
added 2025/12/10 2:16 a.m., 16 views

curl: Terminal Output Not Great

Summary: No AI here, I just came across this (Python):

    import random
    import string
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class MaliciousHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header('Content-Type', 'text/plain')
            randid = ...

AI score 6.9
Exploits 0
ATTACKERKB
added 2025/11/26 1:28 a.m., 2 views

CVE-2025-12848

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "") to a Webform node with a...

CVSS 7, AI score 5.9, EPSS 0.00292
Exploits 0, References 5, Affected Software 1
Vulnrichment
added 2025/11/26 1:28 a.m., 2 views

CVE-2025-12848 XSS vulnerability when rendering filename in Webform Multiform

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "") to a Webform node with a...

CVSS 7, AI score 6, EPSS 0.00292
Exploits 0, References 4
Github Security Blog
added 2025/11/14 8:33 p.m., 10 views

PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users

Summary: Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or...

CVSS 5.4, AI score 7.2, EPSS 0.00107
Exploits 1, References 4, Affected Software 1