PT-2025-23119 · M2Soft · M2Soft Crownix Report & Ers

Name of the Vulnerable Software and Affected Versions: M2Soft CROWNIX Report & ERS versions 5.x through 5.5.14.1070 M2Soft CROWNIX Report & ERS versions 7.x through 7.4.3.960 M2Soft CROWNIX Report & ERS versions 8.x through 8.2.0.345 Description: An arbitrary file upload issue allows attackers to...

CVE-2024-44849

Qualitor up to 8.24 is vulnerable to Remote Code Execution RCE via Arbitrary File Upload in checkAcesso.php...

CVE-2024-48760

An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution...

CVE-2023-40265

An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload...

CVE-2023-44008

File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function...

CVE-2022-30860

FUDforum 3.1.2 is vulnerable to Remote Code Execution through Upload File feature of File Administration System in Admin Control Panel...

CVE-2021-30662

This issue was addressed with improved checks. This issue is fixed in iOS 14.5 and iPadOS 14.5. Processing a maliciously crafted file may lead to arbitrary code execution...

CVE-2021-29641

Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain...

CVE-2020-28871

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload...

CVE-2020-19138

Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java"...

CVE-2019-13028

An incorrect implementation of a local web server in eID client Windows version before 3.1.2, Linux version before 3.0.3 allows remote attackers to execute arbitrary code .cgi, .pl, or .php or delete arbitrary files via a crafted HTML page. This is a product from the Ministry of Interior of the...

CVE-2019-9617

An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider for example file.jsp::$DATA to the admin/ueditor/uploadFile URI...

CVE-2019-18288

A vulnerability has been identified in SPPA-T3000 Application Server All versions Service Pack R8.2 SP2. An attacker with valid authentication at the RMI interface could be able to gain remote code execution through an unsecured file upload. Please note that an attacker needs to have access to th...

CVE-2017-9069

In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess...

PT-2025-26301

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.5 Mattermost versions 9.11.x through 9.11.15 Mattermost versions 10.8.x through 10.8.0 Mattermost versions 10.7.x through 10.7.2 Mattermost versions 10.6.x through 10.6.5 Description Mattermost fails to...

CVE-2025-46193

SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in userproposalupdateorder.php...

CVE-2025-46193

Summary: CVE-2025-46193 affects SourceCodester Client Database Management System 1.0 and enables remote code execution via an arbitrary file upload in the vulnerable file path user_proposal_update_order.php. The CVSS v3.1 score is 9.8 (CRITICAL) with network attack vector, no privileges required,...

CVE-2025-46571

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open t...

CVE-2025-4279

CVE-2025-4279 concerns the WordPress plugin “External image replace” (affected versions ≤ 1.0.8). The issue is an arbitrary file upload vulnerability caused by missing file-type validation in external_image_replace_get_posts::replace_post, allowing authenticated attackers with contributor-level p...

CVE-2024-56156

CVE-2024-56156 affects Halo prior to 2.20.13. The vulnerability arises from a file type validation bypass in the upload mechanism, allowing malicious files (including executables and HTML) which can lead to stored XSS and, under certain circumstances, remote code execution. A fixed version, 2.20....