CVE-2025-59711
An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal...
PT-2026-30047
Name of the Vulnerable Software and Affected Versions: Biztalk360 versions prior to 11.5. Description: A flaw exists in Biztalk360 that allows an authenticated attacker to write files outside the intended destination directory and potentially bypass authentication. This is due to improper handling o...
EUVD-2025-4161
Malicious code in bioql PyPI...
EUVD-2024-45564
Malicious code in bioql PyPI...
CVE-2025-34104 Piwik Authenticated RCE via Custom Plugin Upload
An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin ZIP archive, leading to arbitrary PHP code...
CVE-2024-22418
Group-Office is an enterprise CRM and groupware tool. Affected versions are subject to a vulnerability which is present in the file upload mechanism of Group Office. It allows an attacker to execute arbitrary JavaScript code by embedding it within a file's name. For instance, using a filename suc...
CVE-2024-51208
File Upload vulnerability in change-image.php in Anuj Kumar's Boat Booking System version 1.0 allows local attackers to upload a malicious PHP script via the Image Upload Mechanism parameter...
CVE-2025-26349
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests...
CVE-2025-26349
CVE-2025-26349 affects Q-Free MaxTime 2.11.0 and earlier. A CWE-23 Relative Path Traversal flaw in the file upload mechanism allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests. Documents indicate the vulnerability directly impacts the MaxTime software w...
CVE-2024-51208
The CVE concerns Anuj Kumar's Boat Booking System v1.0 where the vulnerable component is change-image.php’s Image Upload Mechanism parameter. The issue is a File Upload vulnerability that lets local attackers upload a malicious PHP script, enabling potential code execution on the system. Exploita...
Meinberg LANTIME Arbitrary File Read (CVE-2018-10835)
Admin users were able to exchange web interface data through the data upload mechanism to which only root users have access. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
CVE-2024-30721
CVE-2024-30721 is rejected; this candidate was withdrawn and is not an active vulnerability entry.
CVE-2024-30688
CVE-2024-30688 is rejected/not used and does not represent an active vulnerability entry.
Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Description: The Avada theme for WordPress is vulnerable to Sensitive Information Exposure via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. PoC: Acce...
Denial Of Service (DoS)
parse-server is vulnerable to Denial of Service. The vulnerability is due to improper validation on the file upload mechanism. The attacker can exploit this issue by uploading a file without any extension resulting in an application crash...
Jedox 2022.4.2 - Remote Code Execution via Directory Traversal Vulnerability
Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
Vendor Homepage: https://jedox.com
Version: Jedox 2022.4 22.4.2 and older
CVE: CVE-2022-47875
Introduction
===============...
Remote Code Execution (RCE)
d8s-urls is vulnerable to remote code execution. The vulnerability exists because the library does not properly handle the package upload mechanism, allowing an attacker to inject and execute malicious packages...