Lucene search
+L

5 matches found

Github Security Blog
Github Security Blog
added yesterday5 views

Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)

Header | Field | Value | |---|---| | Title | Extension-denylist bypass via case-folding asymmetry in name-override path incomplete-fix variant of CVE-2026-27641 | | Project | Flask-Reuploaded flaskuploads | | Affected | extension"shell.php" = "php" - extensionallowed"php" - DENY correct...

9.8CVSS5.8AI score0.01046EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/07/07 5:16 p.m.9 views

CVE-2026-23697

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the...

8.8CVSS0.00758EPSS
Exploits2References3
EUVD
EUVD
added 2026/07/07 4:17 p.m.5 views

EUVD-2026-42055

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the...

8.8CVSS6.8AI score0.00758EPSS
Exploits2References3
EUVD
EUVD
added 2026/04/17 6:31 p.m.24 views

EUVD-2026-23459

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default...

8.1CVSS6.2AI score0.04175EPSS
Exploits3References7
Github Security Blog
Github Security Blog
added 2026/03/11 12:17 a.m.8 views

Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload

Impact A stored cross-site scripting XSS vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin...

8.3CVSS5.8AI score0.00216EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder