
12 matches found

Vulnrichment
added 2026/05/05 11:24 a.m., 1 view

CVE-2026-6262 Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload'

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the uploadicons function workflow using a user-controlled upload path mfn-icon-upload in a filesystem move operation without constraining it to the uploads directory. Th...

CVSS 6.5, AI score 5.9, EPSS 0.0007
Exploits 0, References 2
ATTACKERKB
added 2026/05/05 11:24 a.m., 1 view

CVE-2026-6262

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the uploadicons function workflow using a user-controlled upload path mfn-icon-upload in a filesystem move operation without constraining it to the uploads directory. Th...

CVSS 6.5, AI score 5.9, EPSS 0.0007
Exploits 0, References 3
CVE
added 2026/05/05 11:24 a.m., 5 views

CVE-2026-6262

CVE-2026-6262 affects the Betheme theme for WordPress. The vulnerability arises in the upload_icons() workflow which uses a user-controlled path (mfn-icon-upload) in a filesystem move, not restricting to the uploads directory, enabling arbitrary file deletion via path traversal. Affected: Betheme...

CVSS 6.5, AI score 5.9, EPSS 0.0007
Exploits 0, References 2
OSV
added 2026/04/16 11:36 p.m., 2 views

BIT-AUTHENTIK-2024-11623 Stored XSS in authentik

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release...

CVSS 4.8, AI score 5.7, EPSS 0.00456
Exploits 0, References 4
Vulnrichment
added 2026/02/21 8:15 a.m., 4 views

CVE-2026-27479 Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

CVSS 7.7, AI score 5.5, EPSS 0.00044
Exploits 1, References 3
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-5466

Malware in sbrugna...

CVSS 8.8, AI score 8.8, EPSS 0.003
Exploits 1, References 3
EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2024-16812

Malicious code in bioql PyPI...

CVSS 9.8, AI score 7.7, EPSS 0.00103
Exploits 0, References 3
Vulnrichment
added 2025/05/05 6:23 p.m., 6 views

CVE-2025-46335 Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

Mobile Security Framework MobSF is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting XSS vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of...

CVSS 8.6, AI score 5.3, EPSS 0.00153
Exploits 1, References 2
Github Security Blog
added 2025/05/05 2:55 p.m., 12 views

Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

Vulnerable MobSF Versions: .svg This file becomes publicly accessible via the web interface at: http://127.0.0.1:8081/download/filename.svg If the SVG contains embedded JavaScript e.g., an XSS payload, accessing this URL via a browser leads to the execution of the script in the context of the Mob...

CVSS 8.6, AI score 5, EPSS 0.00153
Exploits 1, References 4, Affected Software 1
CNNVD
added 2023/03/30 12:0 a.m., 1 view

Nextcloud Code Issue Vulnerability

Nextcloud is an open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, a German company. A code issue vulnerability exists in Nextcloud server that stems from the ability to control file names when uploading a website icon as an administrator ...

CVSS 8.8, AI score 7.9, EPSS 0.00628
Exploits 0, References 3
OSV
added 2019/03/29 2:29 p.m., 2 views

CVE-2019-9605

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting XSS via the err value in a .ico picture upload...

CVSS 5.4, AI score 6.1
Exploits 0, References 1
CNVD
added 2017/03/11 12:0 a.m., 1 view

File Upload Vulnerability at Kirin Fortress Application Publishing Feature

Kirin Fortress is the open source operations and maintenance fortress. A file upload vulnerability exists at the application icon upload in the application publishing feature of KyLin Fortress. This allows attackers to upload a webshell and gain server privileges...

AI score 7.1
Exploits 0