CVE-2026-8912

The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'forminput' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticat...

GHSA-VP2F-CQQP-478J AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload

Summary The currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem storage backend the default, an authenticated user with media management permissions ca...

CVE-2026-20902

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route...

CVE-2026-20902

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route...

CVE-2026-20902 Copeland XWEB and XWEB Pro OS Command Injection

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route...

CVE-2026-20902

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route...

PT-2026-22250

Name of the Vulnerable Software and Affected Versions XWEB Pro versions prior to 1.12.1 Description An operating system command injection issue exists that allows an authenticated attacker to execute code remotely. This is achieved by injecting malicious input into the map filename field during t...

CVE-2026-26329

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs...

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the upload action in the browser tool when user-supplied file paths are not properly validated. An authenticated attacker can access arbitrary files on the server ...

CVE-2025-11363

The CVE-2025-11363 entry concerns the WordPress plugin Royal Addons for Elementor (Royal Elementor Addons and Templates). Multiple connected sources confirm a vulnerability where the plugin versions up to 1.7.1036 lack proper authorization, allowing unauthenticated users to upload media files via...

CVE-2025-62429 ClipBucket v5 executes arbitrary PHP code

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/adminarea/actions/updatelaunch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is n...

EUVD-2025-34909

A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out...

EUVD-2018-4974

Malware in sbrugna...

EUVD-2025-32315

Malicious code in bioql PyPI...

CVE-2025-34226 OpenPLC Runtime v3 Persistent DoS

OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epochtime field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime continues to operate...

PT-2025-33895 · WordPress +1 · Redirection For Contact Form 7 +2

Name of the Vulnerable Software and Affected Versions: Redirection for Contact Form 7 plugin for WordPress versions prior to 3.2.5 Description: The Redirection for Contact Form 7 plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the delet...

CVE-2025-2105

The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'ravendownloadfile' function. This makes it possible for attackers to inject a PHP Object through a PH...

CVE-2025-2485

CVE-2025-2485 affects WordPress plugin Drag and Drop Multiple File Upload for Contact Form 7 (versions

CVE-2025-1890

A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the argument file leads to unrestricted upload. The attack can be...

shishuocms 代码问题漏洞

shishuocms Shishuocms CMS is a learning content management system by gaofeng4623 individual developer. A code issue vulnerability exists in shishuocms version 1.1, which stems from the existence of unlimited uploads in the ManageUpLoadAction.java file, which could lead to remote attacks...