CVE-2026-49201

The CVE-2026-49201 entry concerns Acer Wave 7 routers (upload.cgi handling device backups) with a hardcoded AES encryption key. The underlying issue is a fixed cryptographic key embedded in the backup processing binary, enabling an attacker to decrypt, modify, and re-encrypt backups, which can fa...

EUVD-2026-31624

A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and m...

CVE-2025-67887

CVE-2025-67887 afecta 1C-Bitrix with the Translate Module up to 25.100.500. The root cause is unvalidated archive contents during extraction/upload, allowing an attacker with SOURCE/WRITE to upload a PHP file and a crafted .htaccess, then execute code on the server. Impact is remote code executio...

EUVD-2025-209544

SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'...

CVE-2025-41029

SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'...

CVE-2026-5670

A vulnerability was found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This issue affects the function moveuploadedfile of the file /AssignmentSection/submission/upload.php. Performing a manipulation of the argument File results in unrestricted upload. Th...

CVE-2026-5670

Cyber-III Student-Management-System (up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f) contains a vulnerability in move_uploaded_file within /AssignmentSection/submission/upload.php. Manipulating the File argument permits unrestricted file upload, with remote initiation and public exploitati...

Student-Management-System 代码问题漏洞

Student-Management-System is an open-source student information management system developed by Cyber-III. Versions of Student-Management-System with the code ID 1a938fa61e9f735078e9b291d2e6215b4942af3f and earlier versions have code-related vulnerabilities. These vulnerabilities stem from incorre...

CVE-2026-29516 Buffalo TeraStation TS5400R Excessive File Permissions Information Disclosure

Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading and executing a PHP file through the webserver. Attackers can exploit world-readable permissions o...

CVE-2026-3070

A vulnerability was detected in SourceCodester Modern Image Gallery App 1.0. Affected by this vulnerability is an unknown functionality of the file upload.php. The manipulation of the argument filename results in cross site scripting. The attack may be launched remotely. The exploit is now public...

EUVD-2025-206331

A Remote Code Execution RCE vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save...

CVE-2025-69992

phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication...

PT-2026-2578

CVE-2025-69992 phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authe… https://t.co/1WpN7z5IOS...

EUVD-2022-55930

SOUND4 IMPACT/FIRST/PULSE/Eco =2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized...

CVE-2022-50796

SOUND4 IMPACT/FIRST/PULSE/Eco =2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized...

CVE-2022-50796 SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Remote Code Execution via upload.cgi

SOUND4 IMPACT/FIRST/PULSE/Eco =2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized...

CVE-2022-50796

CVE-2022-50796 affects SOUND4 IMPACT/FIRST/PULSE/Eco 2.x and earlier via an unauthenticated remote code execution flaw in the firmware upload function. The vulnerability is a path traversal in upload.cgi that lets an attacker write malicious files to the system with www-data permissions, enabling...

PT-2025-54244

Name of the Vulnerable Software and Affected Versions SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and earlier Description The software contains an unauthenticated remote code execution issue due to a path traversal flaw in the firmware upload functionality. The upload.cgi script allows attackers t...

XCMS 代码问题漏洞

XCMS is a CMS website builder system by JackQ individual developers. A code issue vulnerability exists in XCMS, which stems from an incorrect operation of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php, which could lead to unlimited uploads...

CVE-2023-53962 SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Directory Traversal File Write

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated directory traversal vulnerability that allows remote attackers to write arbitrary files through the 'upgfile' parameter in upload.cgi. Attackers can exploit the vulnerability by sending crafted multipart form-data POST requests with...