8 matches found
CVE-2026-33507
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...
CVE-2023-53922
TinyWebGallery v2.5 is affected by a remote code execution vulnerability in the admin upload function. Unauthenticated attackers can upload .phar files to the server and trigger arbitrary code execution by accessing the uploaded file URL. The issue stems from unrestricted file upload in the admin...
Veritas eDiscovery Platform Security Breach
Veritas eDiscovery Platform is a powerful engine from Veritas, Inc. for performing large-scale, dataset-driven searches to help organizations quickly identify critical parsed documents. A security vulnerability exists in Veritas eDiscovery Platform versions prior to 10.2.5, which stems from an...
CVE-2022-1409
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high-privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code...
CVE-2021-41550
Leostream Connection Broker 9.0.40.17 allows an administrator to upload and execute Perl code...
Design/Logic Flaw
In JetBrains TeamCity before 2020.2.2, audit logs were not sufficient when an administrator uploaded a file...
Quadbase EspressReports ES Cross-Site Request Forgery Vulnerability
Quadbase EspressReports ES is a software application from Quadbase, Inc. It provides special reporting and querying capabilities that allow users to create various queries and reports through a zero-client browser interface. A cross-site request forgery vulnerability exists in Quadbase...
CVE-2017-15935
Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file...