55 matches found
CVE-2026-14776 SourceCodester Onlne Examination & Learning Management System Filename Extension upload_files.php pathinfo unrestricted upload
A security flaw has been discovered in SourceCodester Onlne Examination & Learning Management System 1.0. Affected by this vulnerability is the function pathinfo of the file /uploadfiles.php of the component Filename Extension. Performing a manipulation results in unrestricted upload. Remote...
PT-2026-48810
Name of the Vulnerable Software and Affected Versions CodeIgniter versions prior to 4.7.3 Description The ext in upload validation rule incorrectly checks the MIME-derived guessed extension instead of the extension provided in the client filename. This allows a file with an executable extension,...
Parse Server: File upload Content-Type override via extension mismatch
Impact A file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the extension e.g., text/html. The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store...
PT-2026-30320
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.73 and 9.7.1-alpha.4 Description A file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the extension e.g.,...
UBUNTU-CVE-2026-33691
The OWASP core rule set CRS is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions .php, .phar, .jsp, .jspx by inserting whitespace...
CVE-2026-33691
The CVE-2026-33691 issue affects OWASP CRS prior to versions 3.3.9 and 4.25.0, where whitespace padding in filenames bypasses the file-extension checks for dangerous extensions (.php, .phar, .jsp, .jspx) because the extension regex is not applied after normalizing whitespace. The vulnerability is...
CVE-2026-33691 OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
The OWASP core rule set CRS is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions .php, .phar, .jsp, .jspx by inserting whitespace...
CVE-2026-33647
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
Summary The ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file valid JPEG magic bytes followed by PHP cod...
CVE-2026-33647 AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...
📄 SuiteCRM 7.11.18 Log File Remote Code Execution
SuiteCRM version 7.11.18 allows modification of the logging configuration. The log filename extension is not validated properly .pHp accepted, causing the log to be interpreted as PHP. Then attacker injects PHP payload into the logs changing username lastname field resulting in the log file...
CVE-2021-31865
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments...
CVE-2025-15009 liweiyi ChestnutCMS Filename upload FilenameUtils.getExtension unrestricted upload
A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launche...
EUVD-2006-0825
Malware in sbrugna...
EUVD-2021-2353
Malware in sbrugna...
EUVD-2003-0327
Malware in sbrugna...
EUVD-2021-18740
Malware in sbrugna...
EUVD-2019-7985
Malware in sbrugna...
EUVD-2009-0469
Malware in sbrugna...
EUVD-2021-30884
Malicious code in bioql PyPI...