
36 matches found

CVE
added 2026/06/11 6:55 p.m. · 21 views

CVE-2026-46489

SolidInvoice (open-source invoicing platform) contains CVE-2026-46489: before version 2.3.17, the logo upload feature accepts any file type without validation, allowing an authenticated administrator to upload an SVG containing embedded JavaScript. The script is base64-encoded and injected unesca...

CVSS 8.1 · AI score 5.1 · EPSS 0.0031
Exploits 0 · References 3
EUVD
added 2026/05/14 6:40 p.m. · 8 views

EUVD-2026-30361

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...

CVSS 5.3 · AI score 5.8 · EPSS 0.00195
Exploits 0 · References 1
Github Security Blog
added 2026/05/14 1:12 p.m. · 8 views

Strapi Upload Plugin MIME Validation Bypass via Content API

Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload < 5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...

CVSS 5.4 · AI score 5.8 · EPSS 0.00195
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2026/05/14 12:00 a.m. · 13 views

PT-2026-41162

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.0. Description: The profile image URL field on the user profile update form accepts arbitrary data: URI values without MIME-type validation, leading to cross-site scripting (XSS). This occurs because the applicatio...

CVSS 5.4 · AI score 6 · EPSS 0.00199
Exploits 0 · References 6
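The SolidInvoice (CVE-2026-46489) and Open WebUI (PT-2026-41162) entries above share one failure mode: an "image" that is really active content, either an SVG carrying script or a data: URI whose declared type is never checked. The Python below is an added example written for this listing, not code from either project. The active-tag and attribute lists, the raster-only MIME allowlist, the magic-byte table and every sample input are the editor's assumptions and constructed data. It rejects SVG containing script elements, on* event handlers or javascript:/data: hrefs, and accepts a data: URI only when its declared type is an allowed raster format and the decoded payload actually starts with that format's magic bytes.

```python
"""Added example: reject active content hiding behind an "image" upload.

Two checks, written by the editor for this listing (not taken from SolidInvoice
or Open WebUI):
  svg_has_active_content()  - SVG logo with <script>, on* handlers, or
                              javascript:/data: hrefs (SolidInvoice pattern)
  validate_data_uri()       - profile-image data: URI that must declare a raster
                              type AND carry matching magic bytes (Open WebUI pattern)
"""
import base64
import re
import xml.etree.ElementTree as ET  # assumption: use defusedxml in production for untrusted XML
from typing import Optional
from urllib.parse import unquote_to_bytes

# Assumed lists: SVG elements and attribute schemes that can execute or load code.
# Conservative for a logo upload (animation elements are rejected too).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}
URL_ATTRS = {"href", "src"}
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}

# Assumed allowlist: raster formats only; image/svg+xml is deliberately excluded.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "image/webp": b"RIFF",
}
DATA_URI = re.compile(r"^data:([a-z0-9.+/-]+)(;base64)?,(.*)$", re.IGNORECASE | re.DOTALL)


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.split("}", 1)[-1]


def svg_has_active_content(svg_bytes: bytes) -> bool:
    """True if the SVG contains anything a browser would execute; unparseable input is unsafe."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return True
    for el in root.iter():
        if not isinstance(el.tag, str):  # comments / processing instructions
            continue
        if _local(el.tag) in ACTIVE_TAGS:
            return True
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload=, onclick=, onerror=, ...
                return True
            if name in URL_ATTRS and ":" in value:
                if value.strip().lower().split(":", 1)[0] in DANGEROUS_SCHEMES:
                    return True
    return False


def validate_data_uri(value: str) -> Optional[str]:
    """Return the MIME type if `value` is a data: URI for an allowed raster image
    whose decoded payload starts with that type's magic bytes; otherwise None."""
    m = DATA_URI.match(value.strip())
    if not m:
        return None
    mime, is_b64, payload = m.group(1).lower(), bool(m.group(2)), m.group(3)
    if mime not in MAGIC:
        return None
    try:
        raw = base64.b64decode(payload, validate=True) if is_b64 else unquote_to_bytes(payload)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return mime if raw.startswith(MAGIC[mime]) else None


# Constructed sample inputs (not taken from any advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'
JS_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')


def sample_data_uris() -> dict:
    """Constructed profile-image values covering accept and reject cases."""
    png = base64.b64encode(MAGIC["image/png"] + b"\x00" * 8).decode()
    html = base64.b64encode(b"<script>alert(1)</script>").decode()
    return {
        "png_ok": "data:image/png;base64," + png,
        "html_as_image": "data:text/html;base64," + html,           # type not allowed
        "svg_inline": "data:image/svg+xml,<svg onload=alert(1)/>",  # SVG not allowed
        "png_label_html_body": "data:image/png;base64," + html,     # label/content mismatch
    }


if __name__ == "__main__":
    for name in ("BENIGN_SVG", "SCRIPT_SVG", "ONLOAD_SVG", "JS_HREF_SVG"):
        print(f"{name:12s} active={svg_has_active_content(globals()[name])}")
    for label, uri in sample_data_uris().items():
        print(f"{label:20s} -> {validate_data_uri(uri)}")
```

The magic-byte comparison is what makes the data: URI check meaningful: a declared image/png with an HTML body is rejected even though the MIME label passes the allowlist. For SVG the safer option is usually not to accept it at all for avatars and logos, or to rasterize it server-side; the parser-based check above is for deployments that must keep SVG and should be paired with a Content-Security-Policy and a `Content-Disposition: attachment` header on the serving path.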
Cvelist
added 2026/04/20 1:54 p.m. · 24 views

CVE-2026-34429 Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF8...

CVSS 5.4 · EPSS 0.00281
Exploits 0 · References 5
Cvelist
added 2026/04/10 5:50 p.m. · 21 views

CVE-2026-32931 Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its...

CVSS 7.5 · EPSS 0.00495
Exploits 0 · References 3
Vulnrichment
added 2026/04/02 6:23 p.m. · 3 views

CVE-2026-34735 Hytale Modding Vulnerable to Remote Code Execution via File Upload Bypass in `FileController`

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload endpoint validates uploaded files by checking their MIME type via PHP's finfo, which inspects file contents but constructs the stored filename using the...

CVSS 8.7 · AI score 6 · EPSS 0.00306
Exploits 0 · References 1
CNNVD
added 2026/04/02 12:00 a.m. · 4 views

HytaleModding Wiki code issue vulnerability

HytaleModding Wiki is an open-source documentation platform for Hytale Modding. Versions of HytaleModding Wiki prior to 1.2.0 have a code vulnerability: the quickUpload endpoint validates the MIME type of uploaded content but uses the file extension provided by the client, which...

CVSS 8.7 · AI score 6 · EPSS 0.00306
Exploits 0 · References 1
Debian CVE
added 2026/03/23 11:21 p.m. · 4 views

CVE-2026-33173

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...

CVSS 5.3 · AI score 5.5 · EPSS 0.0039
Exploits 0
Positive Technologies
added 2026/03/23 12:00 a.m. · 6 views

PT-2026-27169

Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: AVideo is an open source video platform. The ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the...

CVSS 8.8 · AI score 5.8 · EPSS 0.00639
Exploits 1 · References 8
Packet Storm
added 2026/03/10 12:00 a.m. · 91 views

Voyager 1.8.0 Arbitrary File Upload

Voyager version 1.8.0 has an issue where an attacker with minimal privileges (any role allowed to upload images in a Rich Text Box) can upload a polyglot file masquerading as an image while embedding server-side executable code...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/02/05 7:26 a.m. · 6 views

CVE-2026-1756

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

CVSS 8.8 · AI score 6.4 · EPSS 0.00651
Exploits 0 · References 1
EUVD
added 2026/02/04 6:42 a.m. · 4 views

EUVD-2026-5387

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

CVSS 8.8 · AI score 6.5 · EPSS 0.00651
Exploits 0 · References 4
Cvelist
added 2026/02/04 6:42 a.m. · 28 views

CVE-2026-1756 WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

CVSS 8.8 · EPSS 0.00651
Exploits 0 · References 4
RedhatCVE
added 2026/01/17 1:18 p.m. · 10 views

CVE-2025-14894

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup proce...

CVSS 9.8 · AI score 7.1 · EPSS 0.00571
Exploits 0 · References 1
Github Security Blog
added 2026/01/16 3:31 p.m. · 16 views

Livewire Filemanager does not restrict uploaded file types

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup proce...

CVSS 9.8 · AI score 5.3 · EPSS 0.00571
Exploits 0 · References 6 · Affected Software 1
CNNVD
added 2026/01/16 12:00 a.m. · 3 views

Livewire Filemanager security vulnerabilities

Livewire Filemanager is an open-source file management software developed by Livewire. There is a security vulnerability in Livewire Filemanager, which stems from the lack of file type and MIME validation in the LivewireFilemanagerComponent.php file. This vulnerability may allow remote code...

CVSS 9.8 · AI score 6.6 · EPSS 0.00571
Exploits 0 · References 4
CVE
added 2025/11/26 12:41 a.m. · 15 views

CVE-2025-66256

The CVE concerns a vulnerability in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter series (versions 30–7000) where the /var/tdf/patch_contents.php endpoint allows unauthenticated, unrestricted file uploads. There is no file type validation, MIME checking, or size restriction beyond...

CVSS 9.9 · AI score 6.9 · EPSS 0.00368
Exploits 1 · References 1 · Affected Software 1
EUVD
added 2025/10/03 8:07 p.m. · 30 views

EUVD-2023-2924

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.6 · EPSS 0.007
Exploits 0 · References 5
Vulnrichment
added 2025/09/26 12:00 a.m. · 2 views

CVE-2025-57292

Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata...

AI score 5.4 · EPSS 0.00225
Exploits 1 · References 2