14 matches found
GHSA-Q658-HFPG-35QC Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
Summary A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been...
EUVD-2024-46448
Malicious code in bioql PyPI...
CVE-2025-22859
A Relative Path Traversal vulnerability CWE-23 in FortiClientEMS 7.4.0 through 7.4.1 and FortiClientEMS Cloud 7.4.0 through 7.4.1 may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upload requests...
PT-2025-20902 · Fortinet · FortiClientEMS, FortiClientEMS Cloud
Name of the Vulnerable Software and Affected Versions: FortiClientEMS versions 7.4.0 through 7.4.1 FortiClientEMS Cloud versions 7.4.0 through 7.4.1 Description: A Relative Path Traversal issue may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via...
Remote Code Execution (RCE)
org.springframework.cloud: spring-cloud-skipper-server is vulnerable to Remote Code Execution (RCE). The vulnerability is caused by improper validation of upload requests, allowing a malicious user with access to the Skipper server API to write an arbitrary file to any location on the file...
GHSA-9W99-78RJ-HMXQ Cross-site scripting (XSS) in the dynamic file uploads
Impact The dynamic file upload feature is subject to a potential XSS attack in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to chang...
rubygem-rack: Denial of service in Multipart MIME parsing
A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than...
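The Rack entry above turns on the difference between counting file parts and counting all parts of a multipart body. The following is an added example written for this page, not code from Rack: a toy multipart/form-data splitter with a file-only limit beside a total-part limit, run against constructed request bodies. The two limit values are assumptions chosen for the demonstration.

```python
"""Added example (not code from Rack): a toy multipart/form-data splitter
that shows why limiting only *file* parts is not enough. A body with no
files and thousands of plain fields sails past a file-only limit, yet every
part still costs parsing work. All request bodies are constructed inline.
"""

FILE_PART_LIMIT = 128      # assumed limit on parts carrying a filename
TOTAL_PART_LIMIT = 4096    # assumed limit on parts of any kind


class PartLimitExceeded(Exception):
    pass


def iter_parts(body: bytes, boundary: bytes):
    """Yield each raw part (headers + payload) between boundary delimiters.
    Toy splitter: assumes the boundary never occurs inside a payload."""
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:   # [0] is the preamble
        if chunk.startswith(b"--"):           # closing "--boundary--"
            return
        yield chunk


def is_file_part(part: bytes) -> bool:
    """A part is a file upload when its Content-Disposition carries filename=."""
    headers, _, _ = part.partition(b"\r\n\r\n")
    return b"filename=" in headers.lower()


def count_parts_file_limit_only(body: bytes, boundary: bytes) -> int:
    """VULNERABLE shape: only file parts are counted against a limit."""
    files = total = 0
    for part in iter_parts(body, boundary):
        total += 1
        if is_file_part(part):
            files += 1
            if files > FILE_PART_LIMIT:
                raise PartLimitExceeded("too many file parts")
    return total


def count_parts_with_total_limit(body: bytes, boundary: bytes) -> int:
    """HARDENED shape: every part counts, with a separate file-part limit."""
    files = total = 0
    for part in iter_parts(body, boundary):
        total += 1
        if total > TOTAL_PART_LIMIT:
            raise PartLimitExceeded("too many parts")
        if is_file_part(part):
            files += 1
            if files > FILE_PART_LIMIT:
                raise PartLimitExceeded("too many file parts")
    return total


def build_body(boundary: bytes, n_fields: int, n_files: int) -> bytes:
    """Constructed request body with n_fields plain fields and n_files uploads."""
    out = []
    for i in range(n_fields):
        out.append(b"--" + boundary + b"\r\n"
                   b'Content-Disposition: form-data; name="f' + str(i).encode()
                   + b'"\r\n\r\nx\r\n')
    for i in range(n_files):
        out.append(b"--" + boundary + b"\r\n"
                   b'Content-Disposition: form-data; name="u' + str(i).encode()
                   + b'"; filename="a.txt"\r\nContent-Type: text/plain\r\n\r\nhello\r\n')
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)


def check(body: bytes, boundary: bytes) -> tuple:
    """Return (accepted_by_file_limit_only, accepted_by_total_limit)."""
    def accepted(counter) -> bool:
        try:
            counter(body, boundary)
            return True
        except PartLimitExceeded:
            return False
    return accepted(count_parts_file_limit_only), accepted(count_parts_with_total_limit)


if __name__ == "__main__":
    b = b"----boundary42"
    print("10000 fields, 0 files:", check(build_body(b, 10000, 0), b))  # (True, False)
    print("5 fields, 2 files:    ", check(build_body(b, 5, 2), b))      # (True, True)
```

The flood body carries no file at all, so the file-only counter never trips; the total counter rejects it after the 4096th part, which is the property the fix needs.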
CVE-2021-43934
Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files...
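Several of the entries above (Spring Cloud Skipper, FortiClientEMS, SmartPTT) describe the same defect: a client-supplied filename in an upload request is joined onto a server directory without being reduced to a single path component. The following is an added example written for this page, not code from any of those products: a vulnerable path builder next to a hardened one. The upload directory, filenames and the allowed-character set are all constructed for the example.

```python
"""Added example (not code from Spring Cloud Skipper, FortiClientEMS or
SmartPTT): a vulnerable upload-path builder next to a hardened one.
Every path, filename and directory below is constructed for the example.
"""
import os
import re
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def naive_target(upload_root: str, client_filename: str) -> str:
    """VULNERABLE: joins the client-supplied name onto the upload directory
    unchanged. '..' segments walk out of the directory, and an absolute
    name makes os.path.join discard upload_root entirely."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


# One safe component: starts alphanumeric, then a conservative charset.
# Dot-files and names with spaces, quotes or shell metacharacters are rejected.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def sanitize_filename(client_filename: str) -> str:
    """Reduce a client-supplied name to a single path component or raise."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Keep only the last component under both separator conventions;
    # clients (and attackers) send backslashes as well as slashes.
    base = PureWindowsPath(PurePosixPath(client_filename).name).name
    if base in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    if not _SAFE_NAME.fullmatch(base):
        raise ValueError(f"disallowed characters in filename: {base!r}")
    return base


def safe_target(upload_root: str, client_filename: str) -> Path:
    """HARDENED: build the path from a sanitised component, then confirm the
    resolved result is a direct child of the resolved upload root. The second
    check is defence in depth against symlinks under the root or a future
    regression in sanitize_filename."""
    root = Path(upload_root).resolve()
    target = (root / sanitize_filename(client_filename)).resolve()
    if target.parent != root:
        raise ValueError("resolved path escapes upload root")
    return target


def escapes_root(upload_root: str, path: str) -> bool:
    """True when `path` does not lie under `upload_root` after normalisation."""
    root_n = os.path.normpath(upload_root)
    path_n = os.path.normpath(path)
    return os.path.commonpath([root_n, path_n]) != root_n


def demo() -> dict:
    """Run both builders against traversal-style names; returns the results
    so the outcome can be checked rather than only printed."""
    root = tempfile.mkdtemp(prefix="uploads-")   # constructed upload directory
    results = {}
    for name in ["report.pdf", "../../etc/cron.d/job", "..\\..\\win.ini",
                 "/etc/passwd", ".."]:
        naive = naive_target(root, name)
        try:
            hardened = str(safe_target(root, name))
        except ValueError as exc:
            hardened = f"rejected: {exc}"
        results[name] = {"naive": naive,
                         "naive_escapes": escapes_root(root, naive),
                         "hardened": hardened}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name!r:26} naive={r['naive']} escapes={r['naive_escapes']} "
              f"hardened={r['hardened']}")
```

The containment check after resolve() is what catches cases the name filter alone would miss, so keep it even when the filter looks airtight; an allow-list regex is also easier to audit than a deny-list of traversal sequences.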
Virtuozzo Hybrid Infrastructure 4.6 Hotfix 2 (4.6.0-213)
This update provides stability fixes for the storage, Backup Gateway and object storage services. Vulnerability id: VSTOR-44694: a stability fix for the storage service. Vulnerability id: VSTOR-44859: a stability fix for the Backup Gateway service. Vulnerability id: VSTOR-44677: Complete multipart...
Netgear ReadyNAS Remote Command Execution
A remote command execution vulnerability exists within Netgear ReadyNAS devices. This vulnerability is due to the way Netgear ReadyNAS handles upload requests. A successful attack could lead to a remote command execution...
DSA-3611-1 libcommons-fileupload-java - security update
Bulletin has no description...
Symfony: Information disclosure
Background Symfony is a professional, open-source PHP5 web development framework. Description Symfony does not properly sanitize input for upload requests. Impact A remote attacker could send a specially crafted file upload request, possibly resulting in disclosure of sensitive information...