CVE-2021-27902
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads...
CVE-2026-32097
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploade...
CVE-2026-27685 Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system...
GitLab security vulnerability
GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD (continuous integration and delivery). Vulnerabilities exist in versions of GitLab CE/EE before 18.6.6, 18.7.4...
CVE-2020-37114 GUnet OpenEclass 1.7.3 E-learning platform - Information Disclosure
GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can...
CVE-2025-12648
CVE-2025-12648 (WP-Members Membership Plugin) is a disclosed vulnerability where unauthenticated actors can access user-uploaded documents via direct URLs due to files being stored in predictable directories (wp-content/uploads/wpmembers/user_files//) with only basic directory protections (e.g., ...
PT-2026-1552
Name of the Vulnerable Software and Affected Versions: WP-Members Membership Plugin for WordPress versions up to and including 3.5.4.4. Description: The WP-Members Membership Plugin for WordPress stores user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files//) without...
CVE-2025-34437
Summary: AVideo versions prior to 20.1 allow any authenticated user to upload comment images to videos owned by other users due to missing ownership checks in the /comment_images endpoint. What’s affected: AVideo before 20.1 (video comment image upload path). Root cause: Authentication is validat...
CVE-2025-13488
Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...
Static Web Server vulnerable to a symbolic link path traversal
Summary: Symbolic links (symlinks) could be used to access files or directories outside the intended web root folder. Details: SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they...
GHSA-459F-X8VQ-XJJM Static Web Server vulnerable to a symbolic link path traversal
Summary: Symbolic links (symlinks) could be used to access files or directories outside the intended web root folder. Details: SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they...
EUVD-2025-201259
Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...
EUVD-2021-1437
Malware in sbrugna...
EUVD-2018-21591
Malware in sbrugna...
EUVD-2020-8110
Malware in sbrugna...
EUVD-2010-0743
Malware in sbrugna...
PT-2025-40617
Name of the Vulnerable Software and Affected Versions: WP Photo Album Plus plugin for WordPress versions prior to 9.0.11.006. Description: The WP Photo Album Plus plugin for WordPress is susceptible to Cross-Site Scripting due to inadequate input sanitization and output escaping within the wppa user...
EUVD-2024-22944
Malicious code in bioql PyPI...
EUVD-2022-3803
Malicious code in bioql PyPI...