Arbitrary File Upload

Overview @strapi/upload is a Makes it easy to upload images and files to your Strapi Application. Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API uploadFiles and replaceFile handlers, which bypass administrator-configured MIME type restrictions. An...

CVE-2026-44853

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a...

CVE-2026-44854

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a...

Valid share tokens allow to access tempory upload files of share owner

None...

HPE Aruba Networking Wireless Operating System 安全漏洞

HPE Aruba Networking Wireless Operating System is a wireless network operating system developed by the American company HPE. There are security vulnerabilities in the HPE Aruba Networking Wireless Operating System. These vulnerabilities stem from command injection, and they could allow...

EUVD-2026-26834

A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched...

PT-2026-32495

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

PT-2026-30905

Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.1 Description File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. When an administrator revokes a user's Share and Downloa...

EUVD-2026-18985

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the uploadfiles capability in the processpattern REST API endpoin...

CVE-2026-2826

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the uploadfiles capability in the processpattern REST API endpoin...

CVE-2026-2826 Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the uploadfiles capability in the processpattern REST API endpoin...

CVE-2026-2826 Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the uploadfiles capability in the processpattern REST API endpoin...

CVE-2026-3533

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on importpopuptemplates function as well as insufficient file type validation in the uploadfiles function in all versions up to, and including, 4.14.1. This makes it possible for Authenticat...

CVE-2019-25647

CVE-2019-25647 affects PhreeBooks ERP 5.2.3. A remote code execution vulnerability exists in the image manager that lets an authenticated attacker upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can place malicious PHP files via the image manager endpoint an...

CVE-2026-3533 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on importpopuptemplates function as well as insufficient file type validation in the uploadfiles function in all versions up to, and including, 4.14.1. This makes it possible for Authenticat...

CVE-2026-4265 Guest user can upload files without permission across teams

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to validate team-specific uploadfile permissions which allows a guest user to post files in channels where they lack uploadfile permission via uploading files in a team where they have permission and reusing the file...

CVE-2026-32101

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized function is declared async returns Promise but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in...

PT-2026-22712

Name of the Vulnerable Software and Affected Versions The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin versions prior to 7.0.0.4 Description The plugin is susceptible to Server-Side Request Forgery SSRF. This allows authenticated attackers with...

CVE-2025-69379

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through = 2.8...

CVE-2025-69380

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through = 2.8...