CVE-2026-10807

The CVE-2026-10807 entry concerns mjperpinosa stumasy, affecting the unknown function in application/PHP/objects/profiles/change_profile_image.php. The issue allows an attacker to manipulate the pr_profile_image argument to achieve unrestricted upload, with remote exploitation. Public exploit dis...

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap

Over the last decade, DICOM parsing has become an active research topic. The reason is simple: DICOM is both critical and complicated. Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. That means malformed data could directly...

CVE-2026-42879

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

CVE-2026-42879 FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

CVE-2026-42879

CVE-2026-42879 affects FacturaScripts

EUVD-2026-32626

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

CVE-2026-9445

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible...

CVE-2026-44314

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...

CVE-2026-44314 Traccar: Missing edit authorization on device image upload allows read-only users to write files

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...

CVE-2026-44314 Traccar: Missing edit authorization on device image upload allows read-only users to write files

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...

CVE-2026-44314

CVE-2026-44314 (Traccar) affects the open-source GPS tracking system prior to version 6.13.0. In DeviceResource.uploadImage, authentication is insufficient: after authorizing a target device via Condition.Permission(User.class, getUserId(), Device.class), the route streams the upload into mediaMa...

Traccar 安全漏洞

Traccar is a Java-based website building system provided by the American company Traccar. This software supports over 170 GPS protocols and over 1,500 types of GPS tracking devices. Traccar can be used alongside any major SQL database systems. It also offers a user-friendly REST API. Prior to...

CVE-2026-9445

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible...

CVE-2026-9445

CVE-2026-9445 affects SourceCodester Simple POS and Inventory System 1.0. The vulnerability is in an unrestricted upload through the /admin/addproduct.php file (File Extension Handler); manipulating the image argument enables remote code upload. Impact and exploitation details indicate remote exp...

EUVD-2026-31656

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible...

CVE-2026-9445

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible...

PT-2026-43030

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible...

Exploit for Unrestricted Upload of File with Dangerous Type in Wordpress

WordPress Crop Image RCE — CVE-2019-8942 / CVE-2019-8943 Pyth...

CVE-2026-5755

CVE-2026-5755 affects Mattermost releases 11.6.x up to 11.6.0, 11.5.x up to 11.5.2/11.5.3, 11.4.x up to 11.4.4, and 10.11.x up to 10.11.14. The issue arises from failure to validate the TIFF IFD offset in the image header before memory allocation, allowing authenticated users with file upload or ...

MAL-2026-4597 Malicious code in kurumi-fca (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f90450e6ca1502bf6287d945c37c4c64f59e624a4269ab8e07600a9db5e755d0 kurumi-fca is a Facebook Chat API library whose advertised purpose is to listen to Messenger events for the caller. Two undisclosed behaviors make it...