10 matches found

OSV
added 6 days ago, 5 views

GHSA-2GR4-PPC7-7MHX CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule

Impact: The `ext_in` upload validation rule checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as:...

CVSS 9.8, AI score 6.1, EPSS 0.00078
Exploits 0, References 6
Veracode
added 2026/04/08 9:42 a.m., 6 views

Content-Type Override

Parse Server is vulnerable to Content-Type Override. The vulnerability is due to missing consistency validation between the file extension and the provided Content-Type header, where the Content-Type is passed unchanged to storage adapters that serve files based on this header, allowing an attack...

CVSS 5.4, AI score 5.9, EPSS 0.00162
Exploits 0, References 4, Affected Software 1
Cvelist
added 2026/04/06 7:47 p.m., 13 views

CVE-2026-35200 Parse Server has a file upload Content-Type override via extension mismatch

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the...

CVSS 2.1, EPSS 0.00162
Exploits 0, References 3
OSV
added 2026/04/04 4:22 a.m., 2 views

GHSA-VR5F-2R24-W5HC Parse Server: File upload Content-Type override via extension mismatch

Impact: A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store...

CVSS 2.1, AI score 5.9, EPSS 0.00162
Exploits 0, References 5
Github Security Blog
added 2026/04/04 4:22 a.m., 7 views

Parse Server: File upload Content-Type override via extension mismatch

Impact: A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store...

CVSS 5.4, AI score 5.9, EPSS 0.00162
Exploits 0, References 5, Affected Software 1
OSSF Malicious Packages
added 2026/02/25 5:20 a.m., 4 views

Malicious code in uxproject11 (npm)

Collects and exfiltrates sensitive system information to suspicious domains. Multiple YARA rules are triggered. High entropy file. Extension mismatch. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b478ab519bbd87949cad8be7d77296e0eddd01aa0be1b4b168ed2f6a0f7413...

AI score 5.7
Exploits 0, References 2
OSV
added 2026/02/25 5:20 a.m., 4 views

MAL-2026-1234 Malicious code in uxproject11 (npm)

Collects and exfiltrates sensitive system information to suspicious domains. Multiple YARA rules are triggered. High entropy file. Extension mismatch. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b478ab519bbd87949cad8be7d77296e0eddd01aa0be1b4b168ed2f6a0f7413...

AI score 5.7
Exploits 0, References 2
OSV
added 2025/09/10 7:51 p.m., 4 views

GHSA-JGW4-CR84-MQXG Picklescan Bypass is Possible via File Extension Mismatch

Summary: Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle...

CVSS 9.3, AI score 7.4, EPSS 0.00816
Exploits 1, References 6
CNNVD
added 2025/04/05 12:00 a.m., 6 views

Facebook WhatsApp security vulnerability

Facebook WhatsApp is a suite of mobile applications from Facebook Inc. in the United States that are based on the Android platform and utilize the network to deliver text messages. The application uses contact information in a smartphone to find contacts using the software to send texts, pictures...

CVSS 6.7, AI score 6.9, EPSS 0.0518
Exploits 1, References 3
CNNVD
added 2023/03/10 12:00 a.m., 3 views

Akuvox E11 data forgery vulnerability

Akuvox E11 is a SIP visual doorbell from Akuvox designed for villas, houses and apartments. A security vulnerability exists in Akuvox E11 that stems from not ensuring that file extensions are associated with the files provided. This could allow an attacker to upload files to the device by changin...

CVSS 6.5, AI score 6.5, EPSS 0.00258
Exploits 0, References 3