
85 matches found

Snyk
added 2026/05/04 10:11 p.m. · 5 views

Arbitrary File Upload

Overview: Affected versions of this package are vulnerable to Arbitrary File Upload via the updatedAttachments process. An attacker can upload arbitrary files by submitting crafted files through the upload interface, which may result in the execution of malicious scripts, phishing page hosting, or...

CVSS 7.1 | AI score 6
Exploits 0 | References 3
Positive Technologies
added 2026/04/22 12:00 a.m. · 3 views

PT-2026-34454

Name of the vulnerable software and affected versions: Ollama (affected versions not specified). Description: An out-of-bounds heap read/write issue exists in the GGUF model quantization engine. An attacker can exploit this by uploading a specially crafted GPT-Generated Unified Format (GGUF) file to the...

AI score 5.4
Exploits 0 | References 14
Cvelist
added 2026/04/14 9:49 p.m. · 16 views

CVE-2026-34213 Docmost has cross-page attachment overwrite via flawed attachmentId overwrite validation

Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim...

CVSS 5.4 | EPSS 0.00048
Exploits 0 | References 1
Cvelist
added 2026/03/19 8:55 p.m. · 16 views

CVE-2026-32622 SQLBot: Remote Code Execution via Terminology Poisoning

SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology,...

CVSS 8.6 | EPSS 0.00449
Exploits 1 | References 2
Cvelist
added 2026/02/09 10:29 p.m. · 25 views

CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched ...

CVSS 9.5 | EPSS 0.00775
Exploits 3 | References 3
CVE
added 2026/02/09 10:29 p.m. · 13 views

CVE-2026-25895

CVE-2026-25895 affects FUXA (web-based Process Visualization) up to version 1.2.9. It describes a path traversal vulnerability that allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. The issue is patched in version 1.2.10. In pract...

CVSS 9.8 | AI score 5.8 | EPSS 0.00775
Exploits 3 | References 3 | Affected software 1
Vulnrichment
added 2026/02/09 10:29 p.m. · 3 views

CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched ...

CVSS 9.5 | AI score 5.8 | EPSS 0.00775
Exploits 3 | References 3
CNNVD
added 2026/02/07 12:00 a.m. · 3 views

WeKan security vulnerability

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan prior to 8.19 contained security vulnerabilities. These vulnerabilities stemmed from the insufficient validation of the consistency and relevance of the provided identifiers by the attachment upload API, which cou...

CVSS 7.5 | AI score 5.8 | EPSS 0.00013
Exploits 0 | References 4
RedhatCVE
added 2026/02/04 3:15 a.m. · 3 views

CVE-2025-69981

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVSS 9.8 | AI score 5.9 | EPSS 0.00091
Exploits 0 | References 1
EUVD
added 2026/01/21 5:27 p.m. · 4 views

EUVD-2026-3657

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by...

CVSS 8.6 | AI score 5.6 | EPSS 0.00084
Exploits 0 | References 6
RedhatCVE
added 2026/01/07 9:50 a.m. · 7 views

CVE-2013-6688

Directory traversal vulnerability in the license-upload interface in the Enterprise License Manager (ELM) component in Cisco Unified Communications Manager 9.11 and earlier allows remote authenticated users to create arbitrary files via a crafted path, aka Bug ID CSCui58222...

CVSS 6.3 | AI score 6.6 | EPSS 0.00327
Exploits 0 | References 1
NVD
added 2025/12/17 11:15 p.m. · 1 view

CVE-2023-53918

PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface episodesupload.php. Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page...

CVSS 6.1 | EPSS 0.00024
Exploits 1 | References 3
Cvelist
added 2025/12/17 10:44 p.m. · 16 views

CVE-2023-53918 PodcastGenerator Stored Cross-Site Scripting via Episode Title Field

PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface episodesupload.php. Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page...

CVSS 6.1 | EPSS 0.00024
Exploits 1 | References 3
Positive Technologies
added 2025/12/17 12:00 a.m. · 2 views

PT-2025-51956

Name of the vulnerable software and affected versions: PodcastGenerator version 3.2.9. Description: PodcastGenerator version 3.2.9 has a stored cross-site scripting issue. A malicious JavaScript payload can be injected into the episode title field through the episodes upload interface, specifically...

CVSS 6.1 | AI score 6.3 | EPSS 0.00024
Exploits 1 | References 5
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2013-6490

Malware in sbrugna...

CVSS 6.3 | AI score 6.4 | EPSS 0.00327
Exploits 0 | References 3
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2019-8991

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00751
Exploits 0 | References 3
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-8005

Malicious code in bioql PyPI...

CVSS 9.1 | AI score 5.7 | EPSS 0.0017
Exploits 1 | References 5
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2025-8067

Malicious code in bioql PyPI...

CVSS 8.1 | AI score 4.9 | EPSS 0.00414
Exploits 1 | References 5
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-8066

Malicious code in bioql PyPI...

CVSS 8.1 | AI score 5.7 | EPSS 0.00177
Exploits 1 | References 5
CNNVD
added 2025/09/30 12:00 a.m. · 1 view

dify security vulnerability

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in version 1.6.0 of dify, which stems from a server-side request forgery in the controllers.console.remotefiles.RemoteFileUploadApi component, which could lead to a server-side...

CVSS 5.3 | AI score 6.6 | EPSS 0.00135
Exploits 1 | References 1