Lucene search
K

55 matches found

Cvelist
Cvelist
added 3 days ago26 views

CVE-2026-14776 SourceCodester Onlne Examination & Learning Management System Filename Extension upload_files.php pathinfo unrestricted upload

A security flaw has been discovered in SourceCodester Onlne Examination & Learning Management System 1.0. Affected by this vulnerability is the function pathinfo of the file /uploadfiles.php of the component Filename Extension. Performing a manipulation results in unrestricted upload. Remote...

6.5CVSS0.00214EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.20 views

PT-2026-48810

Name of the Vulnerable Software and Affected Versions CodeIgniter versions prior to 4.7.3 Description The ext in upload validation rule incorrectly checks the MIME-derived guessed extension instead of the extension provided in the client filename. This allows a file with an executable extension,...

9.8CVSS6.2AI score0.00078EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/04/04 4:22 a.m.26 views

Parse Server: File upload Content-Type override via extension mismatch

Impact A file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the extension e.g., text/html. The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store...

5.4CVSS5.9AI score0.00162EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.12 views

PT-2026-30320

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.73 and 9.7.1-alpha.4 Description A file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the extension e.g.,...

5.4CVSS5.9AI score0.00162EPSS
Exploits0References8
OSV
OSV
added 2026/04/02 4:16 p.m.5 views

UBUNTU-CVE-2026-33691

The OWASP core rule set CRS is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions .php, .phar, .jsp, .jspx by inserting whitespace...

7.5CVSS5.7AI score0.02172EPSS
Exploits0References3
CVE
CVE
added 2026/04/02 3:3 p.m.44 views

CVE-2026-33691

The CVE-2026-33691 issue affects OWASP CRS prior to versions 3.3.9 and 4.25.0, where whitespace padding in filenames bypasses the file-extension checks for dangerous extensions (.php, .phar, .jsp, .jspx) because the extension regex is not applied after normalizing whitespace. The vulnerability is...

7.5CVSS5.7AI score0.02172EPSS
Exploits0References10Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/02 3:3 p.m.3 views

CVE-2026-33691 OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks

The OWASP core rule set CRS is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions .php, .phar, .jsp, .jspx by inserting whitespace...

6.8CVSS5.7AI score0.02172EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.3 views

CVE-2026-33647

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...

8.8CVSS5.8AI score0.00639EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/03/25 5:45 p.m.8 views

AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload

Summary The ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file valid JPEG magic bytes followed by PHP cod...

8.8CVSS6.1AI score0.00639EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/23 6:23 p.m.21 views

CVE-2026-33647 AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...

8.8CVSS0.00639EPSS
Exploits1References2
Packet Storm
Packet Storm
added 2026/02/23 12:0 a.m.140 views

📄 SuiteCRM 7.11.18 Log File Remote Code Execution

SuiteCRM version 7.11.18 allows modification of the logging configuration. The log filename extension is not validated properly .pHp accepted, causing the log to be interpreted as PHP. Then attacker injects PHP payload into the logs changing username lastname field resulting in the log file...

9CVSS5.6AI score0.63267EPSS
Exploits11
RedhatCVE
RedhatCVE
added 2026/01/09 11:23 a.m.7 views

CVE-2021-31865

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments...

5.3CVSS6.6AI score0.01134EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/12/22 2:32 a.m.4 views

CVE-2025-15009 liweiyi ChestnutCMS Filename upload FilenameUtils.getExtension unrestricted upload

A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launche...

6.5CVSS6.3AI score0.00293EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2006-0825

Malware in sbrugna...

7.8CVSS6.4AI score0.02218EPSS
Exploits0References10
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2021-2353

Malware in sbrugna...

7.5CVSS7.4AI score0.01314EPSS
Exploits1References6
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2003-0327

Malware in sbrugna...

7.6CVSS6.4AI score0.06985EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2021-18740

Malware in sbrugna...

5.3CVSS5.2AI score0.01134EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2019-7985

Malware in sbrugna...

7.5CVSS4.8AI score0.0192EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2009-0469

Malware in sbrugna...

9.3CVSS6.4AI score0.03644EPSS
Exploits1References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2021-30884

Malicious code in bioql PyPI...

6.1CVSS6.9AI score0.01047EPSS
Exploits0References11
Rows per page
Query Builder