
14 matches found

CNNVD
added 2 days ago · 2 views

SOPlanning code-related vulnerabilities

SOPlanning is an online project management application developed by SOPlanning Company. SOPlanning versions 1.55 and earlier had code vulnerabilities. These vulnerabilities stemmed from missing validation of file extensions during upload. This allowed authenticated attackers to uploa...

CVSS 8.8 · AI score 5.9 · EPSS 0.00067
Exploits: 0 · References: 2
Amazon
added 2026/04/13 12:0 a.m. · 2 views

Medium: mod_security_crs

Issue Overview: Whitespace padding in filenames bypasses file upload extension checks NOTE: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w CVE-2026-33691 Affected Packages: modsecuritycrs Issue Correction: Run dnf update modsecuritycrs --releasever...

CVSS 7.5 · AI score 5.8 · EPSS 0.00031
Exploits: 0
NVD
added 2026/03/23 7:16 p.m. · 0 views

CVE-2026-33647

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...

CVSS 8.8 · EPSS 0.0039
Exploits: 1 · References: 2
OSV
added 2025/11/19 5:15 p.m. · 2 views

CVE-2025-34335

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by AudioCodesfiles/ActivateLicense.php. When a license file is uploaded, the application derives a new...

CVSS 8.8 · AI score 5.9 · EPSS 0.00656
Exploits: 2 · References: 4
OSV
added 2023/12/26 7:15 p.m. · 0 views

CVE-2023-5673

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file extensions when uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution...

CVSS 8.8 · AI score 6 · EPSS 0.01385
Exploits: 2 · References: 1
CNNVD
added 2023/08/08 12:0 a.m. · 4 views

Alteryx Server Cross-Site Scripting Vulnerability

Alteryx Server is a cloud-hosted or self-hosted application from Alteryx, Inc. for publishing, sharing, and executing workflows. A cross-site scripting vulnerability exists in Alteryx Server version 2022.1.1.42590, which stems from not performing type validation on uploaded files, allowing an...

CVSS 4.8 · AI score 6.3 · EPSS 0.00435
Exploits: 1 · References: 4
Positive Technologies
added 2023/07/11 12:0 a.m. · 1 views

PT-2023-3530 · Mediawiki · Mediawiki Pandocupload Extension

Name of the Vulnerable Software and Affected Versions: MediaWiki PandocUpload Extension (affected versions not specified). Description: The issue is related to insufficient input validation when processing shell arguments in the MediaWiki PandocUpload extension. This can be exploited by a remote...

CVSS 9 · AI score 9.6 · EPSS 0.01909
Exploits: 0 · References: 5
OSV
added 2023/02/14 6:15 p.m. · 1 views

CVE-2023-22937

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl...

CVSS 4.3 · AI score 5.8
Exploits: 0 · References: 2
CNNVD
added 2022/05/31 12:0 a.m. · 2 views

Upload Cross-Site Scripting Vulnerability

Upload is a file upload extension from the FriendsOfFlarum developers. A cross-site scripting vulnerability exists in Upload versions 0.1.0 through 1.2.2, which stems from insufficient sanitization of user-supplied data in SVG files in fof/upload. A remote attacker can exploit this...

CVSS 8.7 · AI score 6.3 · EPSS 0.0033
Exploits: 1 · References: 6
OSV
added 2022/05/24 7:12 p.m. · 2 views

GHSA-6CWV-WJ7V-73XP Magento executes code via the API File Option Upload Extension

Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code...

CVSS 9.1 · AI score 8.2 · EPSS 0.04108
Exploits: 0 · References: 3
GitHub Security Blog
added 2022/05/24 7:12 p.m. · 3 views

Magento executes code via the API File Option Upload Extension

Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code...

CVSS 9.1 · AI score 8.2 · EPSS 0.04108
Exploits: 0 · References: 3 · Affected Software: 2
Snyk
added 2022/05/24 7:12 p.m. · 1 views

Arbitrary File Upload

Overview: magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Arbitrary File Upload via the API File Option Upload Extension. An attacker with admin privileges can execute arbitrary code by uploading malicious files through the API...

CVSS 9.2 · AI score 7.5 · EPSS 0.04108
Exploits: 0 · References: 2
OSV
added 2021/09/01 3:15 p.m. · 18 views

CVE-2021-36042

Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code...

CVSS 7.2 · AI score 7.6
Exploits: 0 · References: 1
OSV
added 2018/07/13 8:29 p.m. · 0 views

CVE-2016-9493

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which m...

CVSS 6.1 · AI score 5.4
Exploits: 0 · References: 2