39 matches found
CVE-2026-48557
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
EUVD-2026-33439
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
PT-2026-44994
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...
CVE-2026-42879
FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...
FacturaScripts 代码问题漏洞
FacturaScripts is an open-source ERP software developed by Carlos Garcia of Spain. Versions of FacturaScripts prior to 2025.81 contained code vulnerabilities. These vulnerabilities stemmed from the unlimited file upload feature in the product image upload function. Attackers could upload PHP file...
Astra Linux - уязвимость в firefox
An attacker who could have convinced a user to drag and drop an image into a file system could have manipulated the resulting filename to include an executable extension. By doing so, the attacker could potentially trick the user into executing malicious code. Although very similar, this is a...
EUVD-2020-31228
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
The product custom option file upload in OpenMage LTS uses an incomplete blocklist "forbiddenextensions = php,exe" to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as ".phtml", ".phar", ".php3", ".php4", ".php5",...
PT-2026-26588
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In...
EUVD-2012-1486
Malware in sbrugna...
EUVD-2011-5061
Malware in sbrugna...
EUVD-2008-6891
Malware in sbrugna...
EUVD-2006-4605
Malware in sbrugna...
EUVD-2006-3067
Malware in sbrugna...
EUVD-2014-5189
Malware in sbrugna...
EUVD-2005-3286
Malware in sbrugna...
EUVD-2021-19487
Malware in sbrugna...
EUVD-2022-37437
Malicious code in bioql PyPI...
CVE-2005-3288
Mailsite Express allows remote attackers to upload and execute files with executable extensions such as ASP by attaching the file using the "compose page" feature, then accessing the file from the cache directory before saving or sending the message...
CVE-2005-3287
Incomplete blacklist vulnerability in Mailsite Express allows remote attackers to upload and possibly execute files via attachments with executable extensions such as ASPX, which are not converted to .TXT like other dangerous extensions, and which can be directly requested from the cache director...