41 matches found

ATTACKERKB
added 6 days ago · 4 views

CVE-2026-48557

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

CVSS 8.8 · AI score 5.8 · EPSS 0.00104
Exploits 0 · References 5
Positive Technologies
added 6 days ago · 6 views

PT-2026-44994

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

CVSS 8.8 · AI score 5.8 · EPSS 0.00104
Exploits 0 · References 5
CNNVD
added 6 days ago · 4 views

Spatie Laravel Media Library Pro Security Vulnerability

Spatie Laravel Media Library Pro is a UI component for Laravel media libraries developed by the Belgian company Spatie. Versions of Spatie Laravel Media Library Pro prior to 11.23.0 contained security vulnerabilities. These vulnerabilities were caused by a bypass of file upload restrictions in...

CVSS 8.8 · AI score 5.8 · EPSS 0.00104
Exploits 0 · References 4
Packet Storm
added 2026/02/16 12:00 a.m. · 179 views

PluckCMS 4.7.10 Shell Upload

PluckCMS version 4.7.10 remote shell upload proof of concept exploit. Title: PluckCMS 4.7.10 Unrestricted File Upload RCE | Author: indoushka | ...

CVSS 7.2 · AI score 5.5 · EPSS 0.01596
Exploits 4
EUVD
added 2025/12/06 12:31 p.m. · 1 views

EUVD-2025-201543

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. Th...

CVSS 8.8 · AI score 7 · EPSS 0.00091
Exploits 0 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2020-16707

Malware in sbrugna...

CVSS 7.5 · AI score 7.5 · EPSS 0.00168
Exploits 1 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2017-18215

Malware in sbrugna...

CVSS 9 · AI score 5.8 · EPSS 0.00189
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-54930

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 6.4 · EPSS 0.00604
Exploits 0 · References 3
RedhatCVE
added 2025/08/31 11:00 a.m. · 4 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

CVSS 8.1 · AI score 7.7 · EPSS 0.00604
Exploits 0 · References 1
OSV
added 2025/08/29 11:15 a.m. · 0 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

CVSS 9.8 · AI score 6.5 · EPSS 0.00604
Exploits 0 · References 3
NVD
added 2025/08/29 11:15 a.m. · 3 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

CVSS 9.8 · EPSS 0.00604
Exploits 0 · References 3
Cvelist
added 2025/08/29 10:54 a.m. · 5 views

CVE-2024-13342 Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

CVSS 8.1 · EPSS 0.00604
Exploits 0 · References 3
CVE
added 2025/08/29 10:54 a.m. · 10 views

CVE-2024-13342

The Booster for WooCommerce plugin (WordPress) is vulnerable to arbitrary file uploads due to missing file type validation in the add_files_to_order function, affecting all versions up to and including 7.2.4. This allows unauthenticated attackers to upload arbitrary files with double extensions o...

CVSS 9.8 · AI score 7.2 · EPSS 0.00604
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2025/08/29 12:00 a.m. · 4 views

PT-2025-35202

Name of the Vulnerable Software and Affected Versions: Booster for WooCommerce versions up to and including 7.2.4
Description: The Booster for WooCommerce plugin for WordPress is susceptible to arbitrary file uploads due to the absence of file type validation within the add files to order functio...

CVSS 8.1 · AI score 7.6 · EPSS 0.00604
Exploits 0 · References 9
RedhatCVE
added 2025/05/22 8:40 p.m. · 0 views

CVE-2021-26918

The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature or possibly have unspecified other impact because the uploader web service allows double extensions such as .html.jpg with the...

CVSS 9.8 · AI score 7.2 · EPSS 0.00782
Exploits 2 · References 1
OSV
added 2025/01/12 10:15 p.m. · 2 views

CVE-2024-42180

HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files...

CVSS 9.8 · AI score 5.8
Exploits 0 · References 1
CVE
added 2025/01/12 9:53 p.m. · 48 views

CVE-2024-42180

CVE-2024-42180 affects HCL DRYiCE MyXalytics (HCL MyXalytics). The vulnerability is a malicious file upload issue where the application accepts invalid uploads (wrong content types, double extensions, null bytes, and special characters), enabling an attacker to upload and potentially execute mali...

CVSS 9.8 · AI score 4 · EPSS 0.00171
Exploits 0 · References 1 · Affected Software 1
The Hacker News
added 2024/10/08 11:17 a.m. · 22 views

Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools

Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho. "The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems,...

AI score 7.8
Exploits 0
Positive Technologies
added 2024/08/17 12:00 a.m. · 1 views

PT-2024-11926 · WordPress · Metform Elementor Contact Form Builder

Name of the Vulnerable Software and Affected Versions: The Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.2.4
Description: The issue is related to insufficient file type validation, allowing unauthenticated visitors to perform a "double extension" attack. Th...

CVSS 9.8 · AI score 8 · EPSS 0.13921
Exploits 0 · References 10
SUSE CVE
added 2023/02/15 4:15 a.m. · 8 views

SUSE CVE-2019-8943

WordPress through 5.0.3 allows Path Traversal in wpcropimage. An attacker who has privileges to crop an image can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...

CVSS 6.5 · AI score 7.4 · EPSS 0.9373
Exploits 9 · References 4