Lucene search
K

450 matches found

Snyk
Snyk
added 2026/04/20 4:11 a.m.5 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the createuploadfile function. An attacker can upload arbitrary files by sending crafted requests to the affected API endpoint. Remediation Upgrade langflow-base to version 0.8.0 or higher. References - GitHub...

9.4CVSS7.2AI score0.00284EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/20 3:34 a.m.7 views

Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function createuploadfile of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...

7.5CVSS7AI score0.00284EPSS
Exploits0References8Affected Software1
NVD
NVD
added 2026/04/20 3:16 a.m.12 views

CVE-2026-6596

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function createuploadfile of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...

7.5CVSS0.00284EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/20 2:15 a.m.4 views

CVE-2026-6596 langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function createuploadfile of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...

7.5CVSS6.7AI score0.00284EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/20 2:15 a.m.4 views

CVE-2026-6596

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function createuploadfile of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...

7.5CVSS6.7AI score0.00284EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/20 2:15 a.m.15 views

CVE-2026-6596

LangFlow (langflow-ai) up to version 1.1.0 has a vulnerability in the API endpoint, specifically in create_upload_file (src/backend/base/Langflow/api/v1/endpoints.py). The flaw allows unrestricted file uploads and can be exploited remotely. Exploitation is supported by public disclosures; multipl...

7.5CVSS6.7AI score0.00284EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/19 12:45 p.m.6 views

CVE-2026-6573 PHPEMS Instant Exam Creation exams.master.php temppage server-side request forgery

A vulnerability was detected in PHPEMS 11.0. This affects the function temppage of the file /app/exam/controller/exams.master.php of the component Instant Exam Creation Handler. The manipulation of the argument uploadfile results in server-side request forgery. The attack can be executed remotely...

6.5CVSS5.5AI score0.00258EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/10 8:0 p.m.7 views

goshs has a file-based ACL authorization bypass in goshs state-changing routes

Summary goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload,...

9.8CVSS6AI score0.00651EPSS
Exploits1References5Affected Software1
Patchstack
Patchstack
added 2026/04/10 9:50 a.m.6 views

WordPress MW WP Form plugin <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys vulnerability

Unauthenticated Arbitrary File Move via regenerateuploadfilekeys vulnerability discovered by Sander Horsman - Conda Security in WordPress Plugin MW WP Form versions = 5.1.1...

8.1CVSS5.8AI score0.01069EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/10 3:31 a.m.4 views

EUVD-2026-21266

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

4.3CVSS5.9AI score0.00297EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/04/10 1:25 a.m.3 views

CVE-2026-4977

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

4.3CVSS5.9AI score0.00297EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/04/10 1:25 a.m.4 views

CVE-2026-4977 UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

4.3CVSS5.8AI score0.00297EPSS
Exploits0References8
Snyk
Snyk
added 2026/04/09 5:36 p.m.5 views

Incorrect Permission Assignment for Critical Resource

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the uploadfile or uploadimage process. An attacker can access files outside the intended workspace directory by uploading special...

6.5CVSS5.8AI score0.00326EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/06 4:45 p.m.20 views

CVE-2026-5670 Cyber-III Student-Management-System upload.php move_uploaded_file unrestricted upload

A vulnerability was found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This issue affects the function moveuploadedfile of the file /AssignmentSection/submission/upload.php. Performing a manipulation of the argument File results in unrestricted upload. Th...

6.5CVSS0.00206EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/06 5:0 a.m.2 views

CVE-2026-5624 ProjectSend upload.php cross-site request forgery

A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks...

5.3CVSS5.5AI score0.00162EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.4 views

ProjectSend 安全漏洞

ProjectSend cFTP is an open-source hosted application based on PHP and MySQL by ProjectSend. The ProjectSend r2002 version has a security vulnerability, which stems from improper handling of the file upload.php file, potentially leading to cross-site request forgery attacks...

5.3CVSS5.7AI score0.00162EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.10 views

PT-2026-29483

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit i...

7.5CVSS5.6AI score0.00385EPSS
Exploits0References5
EUVD
EUVD
added 2026/03/31 9:31 p.m.6 views

EUVD-2026-17662

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function...

9CVSS7.7AI score0.00737EPSS
Exploits1References7
ATTACKERKB
ATTACKERKB
added 2026/03/31 8:15 p.m.2 views

CVE-2026-5212

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function...

9CVSS6.3AI score0.00737EPSS
Exploits1References6Affected Software20
Cvelist
Cvelist
added 2026/03/31 8:15 p.m.26 views

CVE-2026-5212 D-Link DNS-1550-04 webdav_mgr.cgi Webdav_Upload_File stack-based overflow

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function...

9CVSS0.00737EPSS
Exploits1References6
Rows per page
Query Builder