17 matches found

Positive Technologies · added 2026/04/24 12:0 a.m.

PT-2026-34855

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the...

CVSS 8.1 · AI score 6.1 · EPSS 0.0016
Exploits: 1 · References: 12
RedhatCVE · added 2026/03/27 10:51 p.m.

CVE-2026-33686

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In...

CVSS 8.8 · AI score 5.7 · EPSS 0.00031
Exploits: 0 · References: 1
Cvelist · added 2026/03/26 9:54 p.m.

CVE-2026-33686 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In...

CVSS 8.8 · EPSS 0.00031
Exploits: 0 · References: 2
ATTACKERKB · added 2026/03/26 9:54 p.m.

CVE-2026-33686

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In...

CVSS 8.8 · AI score 5.7 · EPSS 0.00031
Exploits: 0 · References: 3 · Affected software: 1
CVE · added 2026/03/26 9:54 p.m.

CVE-2026-33686

CVE-2026-33686 affects the Sharp Laravel package. Versions before 9.20.0 are vulnerable to a path traversal via the FileUtil::explodeExtension() function, which incorrectly sanitizes file extensions and can allow path separators to reach storage. The issue is resolved in 9.20.0 by using pathinfo(...

CVSS 8.8 · AI score 5.7 · EPSS 0.00031
Exploits: 0 · References: 2 · Affected software: 1
OSV · added 2026/03/25 8:1 p.m.

GHSA-9FFQ-6457-8958 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

Summary: A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.
Detail: In src/Utils/FileUtil.php, the FileUtil::explodeExtension function...

CVSS 8.8 · AI score 5.8 · EPSS 0.00031
Exploits: 0 · References: 4
NVD · added 2026/01/13 11:15 p.m.

CVE-2022-50912

ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions (.php2, .php6, .php7, .phps, .pht) to execute arbitrary PHP code on the serv...

CVSS 9.8 · EPSS 0.00256
Exploits: 1 · References: 4
CVE · added 2026/01/13 10:51 p.m.

CVE-2022-50912

ImpressCMS 1.4.4 is affected by a file upload vulnerability caused by weak extension sanitization. The issue allows bypassing upload restrictions using alternative extensions such as .php2, .php6, .php7, .phps, and .pht to upload and potentially execute arbitrary PHP code on the server. The CVE e...

CVSS 9.8 · AI score 7.5 · EPSS 0.00256
Exploits: 1 · References: 4 · Affected software: 1
EUVD · added 2025/10/03 8:7 p.m.

EUVD-2022-24546

Malicious code in bioql PyPI...

CVSS 7.2 · AI score 6.5 · EPSS 0.07782
Exploits: 0 · References: 2
EUVD · added 2025/10/03 8:7 p.m.

EUVD-2025-29361

Malicious code in bioql PyPI...

CVSS 7.8 · AI score 7.4 · EPSS 0.00045
Exploits: 0 · References: 7
OSV · added 2025/04/18 8:24 p.m.

GHSA-22FP-MF44-F2MQ youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

Description: This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability: youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filename...

CVSS 7.8 · AI score 6.3 · EPSS 0.00045
Exploits: 0 · References: 7
Snyk · added 2025/04/18 8:24 p.m.

Incorrect Resource Transfer Between Spheres

Overview: youtubedl is a YouTube video downloader. Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres via improper file extension sanitization, which could create arbitrary filenames in the download folder and path traversal on Windows. An attacker can...

CVSS 8.5 · AI score 7.5
Exploits: 0 · References: 2
CVE · added 2024/08/20 3:21 a.m.

CVE-2022-1206

CVE-2022-1206 concerns the WordPress plugin AdRotate Banner Manager. The vulnerability is an arbitrary file upload caused by missing file extension sanitization in the adrotate_insert_media() function, affecting all versions up to and including 5.13.2. It requires authenticated access at administ...

CVSS 7.2 · AI score 7.3 · EPSS 0.07782
Exploits: 0 · References: 3
Cvelist · added 2024/07/02 1:47 p.m.

CVE-2024-38519 yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to the fixed versions, yt-dlp and youtube-dl do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder and path traversal on Windows. Since yt-dlp and youtube-...

CVSS 7.8 · EPSS 0.00045
Exploits: 0 · References: 8
Vulnrichment · added 2024/07/02 1:47 p.m.

CVE-2024-38519 yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to the fixed versions, yt-dlp and youtube-dl do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder and path traversal on Windows. Since yt-dlp and youtube-...

CVSS 7.8 · AI score 7.6 · EPSS 0.00045
Exploits: 0 · References: 8
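The Sharp entries (CVE-2026-33686) and the yt-dlp/youtube-dl entries (CVE-2024-38519) above describe the same failure from two angles: the "extension" is taken from a name the attacker controls without rejecting path separators, so it can carry `../` (or `..\` on Windows) straight into the path handed to the storage layer. The Python below is an added example written for this listing, not code from Sharp, yt-dlp or youtube-dl; the split-at-first-dot extractor is a generic stand-in for a naive implementation, not Sharp's explodeExtension, and the storage root, the server-generated stem and the allowlist are assumed for illustration. It shows the naive extraction escaping the storage root, then a hardened version that takes the basename first (treating both separator styles as separators regardless of host OS), allowlists a short alphanumeric extension, and still checks that the final path lies under the root. `posixpath` is used throughout so the results are the same on any platform.

```python
import posixpath
import re
from typing import Optional

# Assumed storage directory for this example (hypothetical path).
STORAGE_ROOT = "/var/app/storage/uploads"
# Allowlist contents are an assumption of this example, not any project's policy.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})
_EXT_RE = re.compile(r"[a-z0-9]{1,8}")


def naive_extension(filename: str) -> str:
    """Vulnerable pattern: everything after the first '.' of the raw name is the
    'extension' (so archive.tar.gz keeps 'tar.gz'); nothing rejects separators."""
    return filename.split(".", 1)[1] if "." in filename else ""


def naive_storage_path(filename: str, stored_stem: str = "f3a9c1") -> str:
    """Vulnerable pattern: the unchecked extension is concatenated into the storage
    path. The stem stands in for a server-generated file name."""
    return f"{STORAGE_ROOT}/{stored_stem}.{naive_extension(filename)}"


def escapes_root(path: str) -> bool:
    """True when the normalised path resolves outside STORAGE_ROOT."""
    resolved = posixpath.normpath(path)
    return posixpath.commonpath([STORAGE_ROOT, resolved]) != STORAGE_ROOT


def safe_extension(filename: str) -> Optional[str]:
    """Hardened: reduce to the basename first ('/' and '\\' both count as separators,
    whatever the host OS), then accept only a short lower-case alphanumeric
    extension that is on the allowlist. Returns None for anything else."""
    if "\x00" in filename:
        return None
    base = re.split(r"[\\/]", filename)[-1]
    ext = posixpath.splitext(base)[1].lstrip(".").lower()
    if not _EXT_RE.fullmatch(ext) or ext not in ALLOWED_EXTENSIONS:
        return None
    return ext


def safe_storage_path(filename: str, stored_stem: str = "f3a9c1") -> Optional[str]:
    """Hardened: build the path only from the validated extension, and confirm the
    normalised result is still under STORAGE_ROOT before it reaches storage."""
    ext = safe_extension(filename)
    if ext is None:
        return None
    candidate = posixpath.normpath(posixpath.join(STORAGE_ROOT, f"{stored_stem}.{ext}"))
    if escapes_root(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed attacker-controlled filename: the traversal rides in the 'extension'.
    evil = "avatar.jpg/../../../etc/cron.d/evil"
    print(naive_extension(evil))
    print(naive_storage_path(evil), escapes_root(naive_storage_path(evil)))
    print(safe_storage_path(evil))
    print(safe_storage_path("C:\\Users\\me\\photo.PNG"))
```

The containment check in `safe_storage_path` is deliberately redundant with the allowlist: if a later change loosens the extension rule, the path check still refuses anything that normalises outside the root.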
Positive Technologies · added 2021/04/05 12:0 a.m.

PT-2021-15717 · WordPress · Woocommerce Upload Files

Name of the Vulnerable Software and Affected Versions: WooCommerce Upload Files WordPress plugin versions prior to 59.4
Description: The issue allows bypassing the sanitization pass that removes blocked extensions, such as .php, by embedding a blocked extension within another blocked extension in...

CVSS 9.8 · AI score 7.2 · EPSS 0.00919
Exploits: 0 · References: 5
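The ImpressCMS entries (CVE-2022-50912) and the WooCommerce Upload Files entry (PT-2021-15717) above are two ways a blocklist fails: an exact-match check on the final extension that misses alternate PHP handler extensions such as .php7 and .pht, and a single removal pass for blocked extensions that a nested name survives as the very extension it was meant to remove. The Python below is an added example written for this listing, not code from either plugin; the blocklist and allowlist contents and the nested sample name `shell.p.phphp` are constructed for illustration. It reproduces both bypasses against deliberately weak checks and then shows an allowlist check that rejects them, including multi-extension names like `shell.php.jpg` that some web servers dispatch on the inner extension.

```python
import re
from typing import List, Optional

# Deliberately incomplete blocklist, modelled on the weak checks in the entries
# above (assumed contents; not copied from either plugin).
BLOCKED_EXTENSIONS = ("php", "phtml")
# Allowlist contents are likewise an assumption of this example.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})
_EXT_RE = re.compile(r"[a-z0-9]{1,5}")
# Alternate extensions named in the ImpressCMS entry; servers are frequently
# configured to hand these to the PHP interpreter as well.
ALTERNATE_PHP_EXTENSIONS = ("php2", "php6", "php7", "phps", "pht")


def blocklist_allows(filename: str) -> bool:
    """Vulnerable pattern 1: compare only the final extension against a blocklist.
    Anything not literally listed, such as .php7 or .pht, is allowed through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def strip_blocked_once(filename: str) -> str:
    """Vulnerable pattern 2: one pass that deletes blocked extensions from the name.
    A blocked extension nested inside another is reassembled by the deletion."""
    for ext in BLOCKED_EXTENSIONS:
        filename = filename.replace("." + ext, "")
    return filename


def alternate_extension_bypasses() -> List[str]:
    """Which alternate PHP extensions the blocklist check lets through."""
    return [e for e in ALTERNATE_PHP_EXTENSIONS if blocklist_allows("shell." + e)]


def allowlist_extension(filename: str) -> Optional[str]:
    """Hardened: reduce to the basename, lower-case it, and require every dotted
    segment after the first to be on the allowlist (not just the last one).
    Returns the final extension, or None if the name must be rejected."""
    name = re.split(r"[\\/]", filename)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:   # no extension at all, or a dotfile like .htaccess
        return None
    exts = parts[1:]
    if not all(_EXT_RE.fullmatch(e) and e in ALLOWED_EXTENSIONS for e in exts):
        return None
    return exts[-1]


if __name__ == "__main__":
    # Constructed attacker filenames exercising the two bypasses.
    print(alternate_extension_bypasses())
    print(strip_blocked_once("shell.p.phphp"))
    print(allowlist_extension("shell.p.phphp"))
    print(allowlist_extension("shell.php.jpg"))
    print(allowlist_extension("photo.PNG"))
```

Looping the removal pass until the name stops changing would close the nested-extension hole, but it leaves the alternate-extension hole open; the allowlist closes both at once, which is why it is the check to prefer.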
exploitpack · added 2014/02/05 12:0 a.m.

WordPress Theme Kiddo - Arbitrary File Upload

Source: https://www.securityfocus.com/bid/65460/info
The Kiddo theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to sufficiently sanitize file extensions. An...

Exploits: 0