210 matches found
CVE-2025-62421
DataEase CVE-2025-62421 affects DataEase 2.10.13 and earlier. A stored Cross-Site Scripting vulnerability arises from improper file upload validation and authentication bypass, where the StaticResourceApi route upload/{fileId} allows user-controlled filename/extension. During permission checks, a...
CVE-2025-11630
A vulnerability was found in RainyGao DocSys up to 2.02.36. Affected is the function updateRealDoc of the file /Doc/uploadDoc.do of the component File Upload. Performing manipulation of the argument path results in path traversal. The attack can be initiated remotely. The exploit has been made...
CVE-2025-59835
LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the...
EUVD-2025-7081
Malicious code in bioql PyPI...
EUVD-2024-54394
Malicious code in bioql PyPI...
EUVD-2024-21426
Malicious code in bioql PyPI...
EUVD-2025-24059
Malicious code in bioql PyPI...
EUVD-2025-28822
Malicious code in bioql PyPI...
EUVD-2025-24062
Malicious code in bioql PyPI...
EUVD-2022-39278
Malicious code in bioql PyPI...
CVE-2025-61188
Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server...
CVE-2025-40991
CVE-2025-40991 is a Stored XSS in Creativeitem Ekushey CRM v5.0. Root cause: lack of input validation in the project file upload endpoint at /ekushey/index.php/client/project_file/upload/xxxx, specifically the description parameter via POST. Impact (per sources): an attacker could craft input to ...
PT-2025-40338
Name of the Vulnerable Software and Affected Versions Ekushey CRM version 5.0 Description A stored cross site scripting issue exists in Ekushey CRM version 5.0 due to insufficient validation of user-supplied data. The issue is located in the project file upload functionality via the...
CVE-2025-11136 YiFang CMS Backend File.php webUploader unrestricted upload
A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. Executing manipulation of the argument uploadpath can lead to unrestricted upload. The attack can be launched remotely. The exploit h...
Arbitrary File Write
github.com/harness/gitness is vulnerable to Arbitrary file write. The vulnerability is due to improper sanitization of the upload path, which allows an attacker to craft a malicious upload request and write arbitrary files to any location on the file system...
CVE-2025-56815
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal in the POST /viz/image interface, since the server directly uses MultipartFile.transferTo to save the uploaded file to a path controllable by the user, and lacks strict verification of the file name...
PT-2025-39293
Name of the Vulnerable Software and Affected Versions Datart version 1.0.0-rc.3 Description The software is susceptible to a Directory Traversal issue through an unrestricted file upload. The server utilizes MultipartFile.transferTo to save uploaded files to a user-controllable path without...
CVE-2025-58432
ZimaOS (a CasaOS fork for Zima devices and x86-64 with UEFI) contains a local privilege-escalation flaw in the /v2_1/files/file/uploadV2 API. In versions before and including 1.4.1, any user with localhost access can upload files via this endpoint and have them executed with root privileges, enab...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via improper sanitization of the upload path in the upload process. An attacker can write arbitrary files to any location on the file system, potentially compromising the server, by sending a crafted upload request...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via improper sanitization of the upload path in the upload process. An attacker can write arbitrary files to any location on the file system, potentially compromising the server, by sending a crafted upload request...