Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the YAML metadata parsing process. An attacker can cause excessive memory consumption and potentially trigger an out-of-memory condition on the server by uploading a crafted image ...

📄 Bludit CMS 3.18.2 Shell Upload

This Metasploit module targets a vulnerability in Bludit CMS version 3.18.2 targeting the API file upload mechanism which allows authenticated users with a valid API token to upload arbitrary files without proper validation. This can result in a shell upload...

CVE-2026-6574

A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The...

WSO2多款产品 安全漏洞

WSO2 API Manager, among others, are products of the American company WSO2. The WSO2 API Manager is a suite of API lifecycle management solutions. The WSO2 API Control Plane is a control panel. The WSO2 Traffic Manager is a component designed to regulate and manage API traffic. Several WSO2 produc...

Missing Authentication for Critical Function

Overview fuxa-server is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/upload endpoint, which lacks authentication controls. An attacker can gain administrative access or...

CVE-2025-69981

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVE-2025-69981

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVE-2025-69981

FUXA v1.2.7 has an Unrestricted File Upload issue at the /api/upload endpoint. The endpoint authenticates users poorly (lacks authentication), allowing unauthenticated remote attackers to upload arbitrary files. This can enable overwriting critical system files such as the SQLite user database an...

SmarterTools SmarterMail GUID File Upload Vulnerability

This module exploits a pre-auth remote code execution vulnerability in SmarterTools SmarterMail before version 100.0.9413. The endpoint /api/upload fails to sanitize the contextData POST parameter which can contain JSON data with a "guid" key that allows directory traversal. By leveraging this...

EUVD-2023-44657

Malicious code in bioql PyPI...

EUVD-2025-30893

Malicious code in bioql PyPI...

CVE-2023-1484

A vulnerability was found in xzjie cms up to 1.0.3 and classified as critical. This issue affects some unknown processing of the file /api/upload. The manipulation of the argument uploadFile leads to unrestricted upload. The attack may be initiated remotely. The associated identifier of this...

CVE-2022-34025

Vesta v1.0.0-5 was discovered to contain a cross-site scripting XSS vulnerability via the post function at /web/api/v1/upload/UploadHandler.php...

📄 GestioIP 3.5.7 Remote Command Execution

GestioIP version 3.5.7 suffers from a remote command execution vulnerability. Exploit Title: GestioIP 3.5.7 - Remote Command Execution RCE Exploit Author: m4xth0r Maximiliano Belino Author website: https://maxibelino.github.io/ Author email max.cybersecurity at belino.com GitHub disclosure link:...

CVE-2025-2855

A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is the function checkFile of the file /api/deploy/upload. The manipulation of the argument servers leads to deserialization. The attack may be launched remotely...

CVE-2024-10099

CVE-2024-10099 is a stored XSS in comfyanonymous/comfyui triggered by uploading an HTML image via /api/upload/image and executing when viewed through /view. Affected versions cited include 0.2.2 and possibly earlier; some sources also reference up to 0.3.39, indicating broader impact across multi...

CVE-2023-48966

An arbitrary file upload vulnerability in the component /admin/api.upload/file of ThinkAdmin v6.1.53 allows attackers to execute arbitrary code via a crafted Zip file...

CVE-2023-46730 Server-Side Request Forgery in groupoffice

Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery SSRF vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to...

CVE-2023-1484

A vulnerability was found in xzjie cms up to 1.0.3 and classified as critical. This issue affects some unknown processing of the file /api/upload. The manipulation of the argument uploadFile leads to unrestricted upload. The attack may be initiated remotely. The associated identifier of this...

xzjie cms 代码问题漏洞

xzjie cms is xzjie individual developers of the cloud tower guest - cabin content publishing system. A code issue vulnerability exists in xzjie cms 1.0.3 and earlier versions, which stems from a problem with files/api/upload, where manipulation of the parameter uploadFile can lead to unrestricted...