
39 matches found

EUVD
added 3 days ago, 7 views

EUVD-2026-33703

Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2...

CVSS 3.3, AI score 5.9, EPSS 0.00011
Exploits: 0, References: 3

AstraLinux
added 2026/05/20 5:53 a.m., 0 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: - In blkdev_iomap_begin, the EOF check has been refined. - In blkdev_iomap_begin, the offset is rounded down to the logical block size before being stored in iomap->offset. It is also checked that the value remains within the inode...

CVSS 5.5, AI score 6.3, EPSS 0.00033
Exploits: 0, References: 2

CNNVD
added 2026/05/06 12:00 a.m., 5 views

Cisco IoT Field Network Director code issue vulnerability

Cisco IoT Field Network Director is an end-to-end IoT management system developed by Cisco, Inc. This system offers features such as device management, asset tracking, and intelligent metering. There is a code vulnerability in Cisco IoT Field Network Director, which stems from insufficient file...

CVSS 6.5, AI score 5.9, EPSS 0.00047
Exploits: 0, References: 1

NVD
added 2026/04/06 5:17 p.m., 1 views

CVE-2026-34981

The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.downloadfromurl in app/services/fileservice.py calls requests.geturl with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by...

CVSS 5.8, EPSS 0.0005
Exploits: 1, References: 3

RedhatCVE
added 2026/01/09 11:58 a.m., 2 views

CVE-2018-19421

In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer renders HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php...

CVSS 4, AI score 6.8, EPSS 0.00221
Exploits: 1, References: 1

CNNVD
added 2025/12/18 12:00 a.m., 1 views

BullWall Ransomware Containment security vulnerability

BullWall Ransomware Containment is a ransomware protection software from BullWall Denmark. A security vulnerability exists in BullWall Ransomware Containment versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4, which stems from an incomplete file check and could lead to bypassing detection...

CVSS 7.1, AI score 6.6, EPSS 0.00007
Exploits: 0, References: 3

CVE
added 2025/11/18 10:18 a.m., 8 views

CVE-2025-41735

CVE-2025-41735 affects METZ CONNECT EWIO2-M, EWIO2-M-BM, and EWIO2-BM devices. A low-privilege, unauthenticated remote attacker can upload arbitrary files to arbitrary locations due to missing file checks, potentially enabling remote code execution. The incident is corroborated by multiple source...

CVSS 8.8, AI score 7.8, EPSS 0.00297
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/11/18 10:18 a.m., 2 views

CVE-2025-41735 Possible arbitrary file upload

A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution...

CVSS 8.8, AI score 7.8, EPSS 0.00297
Exploits: 0, References: 1

CVE
added 2025/10/10 12:00 a.m., 7 views

CVE-2025-60268

CVE-2025-60268 describes an arbitrary file upload vulnerability in JeeWMS 20250820 caused by lack of file validation in the saveFiles function at /jeewms/cgUploadController.do. An attacker with normal privileges could upload a malicious file, potentially enabling remote code execution. Several co...

CVSS 6.5, AI score 7.8, EPSS 0.00176
Exploits: 1, References: 2, Affected Software: 1

Vulnrichment
added 2025/09/09 12:00 a.m., 1 views

CVE-2025-44593

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13...

AI score 5.6, EPSS 0.00038
Exploits: 0, References: 1

RedhatCVE
added 2025/05/23 12:44 a.m., 3 views

CVE-2022-22531

The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified...

CVSS 8.1, AI score 8.1, EPSS 0.00373
Exploits: 0, References: 1

RedhatCVE
added 2025/05/22 9:04 p.m., 3 views

CVE-2021-24248

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE...

CVSS 7.2, AI score 6.7, EPSS 0.00875
Exploits: 2, References: 1

RedhatCVE
added 2025/05/22 9:04 p.m., 6 views

CVE-2021-24284

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile is unzipped in the wp-content/uploads/kaswara/fontsicon directory with no checks for malicious files such as PHP...

CVSS 9.8, AI score 7.2, EPSS 0.67997
Exploits: 3, References: 1

RedhatCVE
added 2025/05/22 4:37 a.m., 7 views

CVE-2019-15862

An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allow remote attackers to upload files without any extension even if the application was configured to accept files only with a defined set of extensions. This affects CKFinder for ASP, CKFinder for ASP.NET,...

CVSS 7.5, AI score 7.1, EPSS 0.00371
Exploits: 0, References: 1

Positive Technologies
added 2024/12/03 12:00 a.m., 3 views

PT-2024-31723 · Ibm · Ibm Cognos Controller

Name of the Vulnerable Software and Affected Versions: IBM Cognos Controller versions 11.0.0 through 11.0.1 Description: The issue allows an authenticated user to upload insecure files due to insufficient file type distinction. Recommendations: For versions 11.0.0 through 11.0.1, consider...

CVSS 4.3, AI score 8, EPSS 0.00069
Exploits: 0, References: 5

Vulnrichment
added 2024/10/28 9:07 p.m., 10 views

CVE-2024-44218

This issue was addressed with improved checks. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, macOS Sonoma 14.7.1. Processing a maliciously crafted file may lead to heap corruption...

AI score 7.2, EPSS 0.00023
Exploits: 0, References: 4

OSV
added 2024/08/20 4:15 p.m., 0 views

CVE-2024-42598

SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admineditplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execut...

CVSS 6.7, AI score 6.6, EPSS 0.00144
Exploits: 1, References: 2

OSV
added 2024/03/18 5:15 p.m., 2 views

ALPINE-CVE-2024-28054

Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict relative to some mail user agents when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware...

CVSS 7.4, AI score 6.9, EPSS 0.00395
Exploits: 0, References: 1

OSV
added 2024/03/15 11:07 a.m., 1 views

OESA-2024-1290 iSulad security update

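This is an umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written in C. Security Fixes: During the isulad service initialization phase, temporary files are checked for correctness, and if the check fails the file is recreated. There is a race condition between the check and the creation, which an attacker can exploit to escalate privileges. CVE-2021-33632...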

CVSS 7, AI score 7, EPSS 0.00021
Exploits: 0, References: 2

Vulnrichment
added 2024/01/04 4:04 p.m., 2 views

CVE-2023-6551 Stored XSS in class.upload.php

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide...

AI score 5.3, EPSS 0.00104
Exploits: 0, References: 2