Lucene search

23 matches found

CVE
added 2026/05/05 6:43 a.m., 10 views

CVE-2026-5192

The CVE concerns the WordPress plugin Forminator Forms – Contact Form, Payment Form & Custom Form Builder

CVSS 7.5 | AI score 5.9 | EPSS 0.00606
Exploits: 0 | References: 2

Cvelist
added 2025/12/23 12:0 a.m., 20 views

CVE-2025-51511

Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads...

EPSS 0.00328
Exploits: 1 | References: 1

Vulnrichment
added 2025/12/03 2:32 p.m., 7 views

CVE-2025-13949 ProudMuBai GoFilm FileController.go SingleUpload unrestricted upload

A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and...

CVSS 6.5 | AI score 6.5 | EPSS 0.00201
Exploits: 0 | References: 4

RedhatCVE
added 2025/10/06 10:8 p.m., 8 views

CVE-2025-59835

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the...

CVSS 9.4 | AI score 7 | EPSS 0.00373
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2025-7081

Malicious code in bioql PyPI...

CVSS 9.1 | AI score 9.1 | EPSS 0.00715
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-54394

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.3 | EPSS 0.00411
Exploits: 0 | References: 1

CVE
added 2025/10/02 10:45 a.m., 7 views

CVE-2025-40991

CVE-2025-40991 is a Stored XSS in Creativeitem Ekushey CRM v5.0. Root cause: lack of input validation in the project file upload endpoint at /ekushey/index.php/client/project_file/upload/xxxx, specifically the description parameter via POST. Impact (per sources): an attacker could craft input to ...

CVSS 5.4 | AI score 5.7 | EPSS 0.00189
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2025/08/02 8:23 p.m., 4 views

CVE-2025-41396

A path traversal issue exists in file uploading feature of multiple versions of PowerCMS. Arbitrary files may be overwritten by a product user...

CVSS 6.5 | AI score 6.4 | EPSS 0.00346
Exploits: 0 | References: 1

RedhatCVE
added 2025/06/23 8:38 a.m., 4 views

CVE-2025-4981

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequence...

CVSS 9.9 | AI score 8 | EPSS 0.0065
Exploits: 0 | References: 1

NVD
added 2025/06/16 6:15 a.m., 9 views

CVE-2025-6108

A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file...

CVSS 6.5 | EPSS 0.00417
Exploits: 0 | References: 4

CVE
added 2025/06/09 10:31 p.m., 55 views

CVE-2025-30515

CVE-2025-30515 relates to CyberData 011209 Intercom (SIP Emergency Intercom). The connected documents confirm an authenticated attacker could upload arbitrary files to multiple locations in the system, with the CVE described as a path-traversal/file-upload issue. Impact is described in metrics as...

CVSS 9.8 | AI score 9.5 | EPSS 0.00497
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2025/05/31 2:0 p.m., 6 views

CVE-2025-5380 ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统 Image File Upload upload path traversal

A vulnerability, which was classified as critical, has been found in ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统 up to 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb. This issue affects some unknown processing of the file /upload/ of the component Image File Upload. The manipulation of the argument File lead...

CVSS 6.5 | AI score 6.5 | EPSS 0.0034
Exploits: 0 | References: 4

Vulnrichment
added 2025/03/24 7:31 p.m., 8 views

CVE-2025-2708 zhijiantianya ruoyi-vue-pro Backend File Upload Interface upload path traversal

A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. This affects an unknown part of the file /admin-api/infra/file/upload of the component Backend File Upload Interface. The manipulation of the argument path leads to path traversal. It is possible to...

CVSS 5.5 | AI score 7 | EPSS 0.00753
Exploits: 1 | References: 4

Vulnrichment
added 2025/03/20 10:9 a.m., 4 views

CVE-2024-10902 Arbitrary File Upload with Path Traversal in eosphoros-ai/db-gpt

In eosphoros-ai/db-gpt version v0.6.0, the web API POST /v1/personal/agent/upload is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to the victim's file system at any location. The impact of this vulnerability...

CVSS 9.1 | AI score 9.5 | EPSS 0.0111
Exploits: 1 | References: 1

Cvelist
added 2025/02/25 8:3 p.m., 31 views

CVE-2025-27142 LocalSend path traversal vulnerability in the file upload endpoint allows nearby devices to execute arbitrary commands

LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the POST /api/localsend/v2/prepare-upload and th...

CVSS 8.7 | EPSS 0.00514
Exploits: 0 | References: 2

RedhatCVE
added 2025/02/04 11:30 p.m., 9 views

CVE-2024-39865

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker...

CVSS 8.8 | AI score 7.3 | EPSS 0.00447
Exploits: 0

Github Security Blog
added 2024/04/05 5:15 p.m., 36 views

PsiTransfer: Violation of the integrity of file distribution

Summary: The absence of restrictions on the endpoint, which allows you to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution. Details: Vulnerable endpoint: POST /files. PoC: 1. Create a file distribution. 2. Go to the link address ...

CVSS 6.5 | AI score 7.2 | EPSS 0.00524
Exploits: 0 | References: 4 | Affected Software: 1

Github Security Blog
added 2024/03/22 4:29 p.m., 30 views

Grav File Upload Path Traversal

Summary: Grav is vulnerable to a file upload path traversal vulnerability that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerability can allow attackers to inject arbitrary code on the server, undermine integrity of backup files...

CVSS 8.8 | AI score 9.4 | EPSS 0.60585
Exploits: 1 | References: 4 | Affected Software: 1

Veracode
added 2023/12/28 10:49 a.m., 17 views

Arbitrary File Upload

dilab/resumable.php is vulnerable to Arbitrary File Upload. The vulnerability arises due to a lack of file upload path validation within Resumable.php. An attacker can arbitrarily upload any non existing file on the filesystem...

CVSS 8.1 | AI score 6.8 | EPSS 0.00712
Exploits: 0 | References: 5 | Affected Software: 1

Vulnrichment
added 2022/12/29 6:9 p.m., 5 views

CVE-2022-46178 Path Traversal in MeterSphere allows file upload to any path

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.1 allow users to upload a file, but do not validate the file name, which may lead to upload file to any path. The vulnerability...

CVSS 7.4 | AI score 6.7 | EPSS 0.00717
Exploits: 1 | References: 1